Cyberattacks and hacking are widely recognized as threats to small businesses and large corporations alike, but many are still slow to adopt security protocols and practices. According to a KPMG survey titled “Consumer Loss Barometer,” 81% of executives admit their companies’ cybersecurity has been compromised over a 24-month period.

Despite acknowledgement that hacking is a pervasive concern, 49% of executives polled say they haven’t invested in information security in the past year. Whether it’s due to lack of understanding, or uncertainty about how to implement a cybersecurity program, the end result is that companies are left vulnerable to attack.

If you already have a cybersecurity program, or are trying to scale one and are struggling to justify the expense to your team, being able to identify and measure cybersecurity KPIs is integral to your business’s success and security. Knowing your KPIs and having hard data to refer to can also help sway executives and team members who need to see evidence of the program’s value. Here are 8 KPIs to start with and how to track them.

1. Increase (or Decrease) in Reported Incidents

If you’ve already calculated your annualized loss expectancy, you’ll know keeping track of your reported hacking incidents is key to cybersecurity. It may be the most important KPI to pull from if your team needs monetary justification to employ a cybersecurity program. But tracking possible hacks and incidents just scratches the surface of the type of data to collect for your cybersecurity KPIs.

Often, a third-party tool, such as Glances, is needed to monitor your server for suspicious activity hitting your business. An application security company like Indusface can also help detect and monitor all of your applications and see how incidents have increased or decreased. And in some instances, government authorities like the FBI may contact companies directly to inform them that their systems have been compromised.

However, you don’t want to wait for the FBI to show up at your door. You need to know what’s going on with hacks and intrusions in your business and restore its security to stay compliant with state and local regulations.

2. Number of Large Security Incidents

Once you’ve collected data on the increase or decrease in security incidents, it’s time to focus on the incidents that will likely make the biggest financial impact on your business. You might find a few of your incidents resulted in the loss of a couple of hundred dollars, and were more of an aggravation than a financial issue. But hacks are rapidly moving into the realm of catastrophic losses. In the case of the WannaCry attack, experts predicted $4 billion in damages. That global hack also shut down entire businesses and hospitals as they tried to recover and handle the public fallout.

The number of large incidents will likely be one of your most important KPIs for cybersecurity. As we move forward with identifying your cybersecurity KPIs, we’ll also look at how ongoing fallout can actually increase the price tag associated with a large hack.

3. Number of Small Security Incidents

Your smaller incidents may not have had an impact on your company and were easily deflected, but you should still monitor and track them. It’s true that one small incident probably won’t have much of an impact on your business aside from frustration and being a sobering wake-up call. But hundreds of small incidents a year could require ongoing cybersecurity efforts and monitoring to keep your business on track. Those expenses start to add up and start resembling the price tag associated with a bigger hack.

Smaller incidents may be harder to detect than a takeover of your entire system, but an alert and diligent team should be able to spot them. An example of a smaller security incident could be an email phishing scam or unusual activity on your server from a hacker trying to throttle and take down your website. Even if your staff is savvy enough to disarm these threats, delete suspicious emails before any damage is done, and address server issues, that small hack could actually be a malicious test that will scale into a full-blown attack.

4. Cost Per Incident

The cost per hacking incident goes beyond how much your business spent to resolve an attack. It’s wise to look at both the cost per overall incident and the number of individual records involved. According to CSO, the average cost per compromised record was $221. If you only have one or two compromised records, your business may be in good shape, but the overall cost per incident could be much higher than you anticipated.

Sit down with your security team and look at all of the fallout surrounding the attack and what resources were required to resolve it. You should also consider the costs for the cyber investigation, additional staff, overtime and PR campaign to address the public. It’s possible that your communication and PR response could cost more than restoring your data and removing malware from your systems.

5. Amount of Time to Resolve an Incident

Time is money when it comes to business, and the time spent on an incident should be part of your cybersecurity KPIs. Make a log of how much time it took to resolve a cyberattack incident, from the moment it was first noticed until the final wrap-up meeting or report. There are easy ways to keep track of the time spent. Try a tool like Toggl so your team can collectively keep track of all the minutes and hours logged.

Remember that the time spent resolving a hack probably dragged down your company’s productivity. Consider how much time the security incidents and surrounding issues took away from other tasks in your company. You may not have needed extra staff to handle the hack, but could have found yourself and your team falling behind on other tasks.

6. Uptime (or Downtime) During an Incident

The cost of downtime during a security incident – from lost sales and revenue, to a loss of customer confidence – can negatively impact your business. If sales were lost, consider cross-referencing the volume of sales from your historical data to see how much your revenue was impacted. Or you could measure how many leads or how much traffic you would normally get on a similar day, and compare it to the results during an incident with downtime.

To sort out the potential damage from downtime associated with a hack, you can study your server logs and work with your hosting provider to identify data and traffic issues. The insights should help you determine any disruptions in uptime and how much time elapsed before your systems were up and running again.
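The first six KPIs can all be derived from one incident register. The following is an added example, not part of the original article: the register rows are constructed sample data, and the column layout and the $10,000 cut-off between "small" and "large" incidents are assumptions to replace with your own.

```python
from datetime import datetime

# Constructed incident register (illustrative values, not real data).
# Columns: id, first noticed, final report, downtime hours, records exposed,
# costs in dollars as (investigation, extra staff and overtime, PR response).
REGISTER = [
    ("INC-01", "2016-03-02 09:00", "2016-03-02 15:00", 0.0, 0, (400, 200, 0)),
    ("INC-02", "2016-09-14 08:00", "2016-09-16 08:00", 5.0, 40, (9000, 4000, 6000)),
    ("INC-03", "2017-01-10 10:00", "2017-01-10 12:00", 0.0, 0, (150, 50, 0)),
    ("INC-04", "2017-04-21 07:00", "2017-04-25 19:00", 12.0, 297, (20000, 8000, 30000)),
    ("INC-05", "2017-06-05 13:00", "2017-06-05 17:00", 0.5, 0, (300, 100, 0)),
    ("INC-06", "2017-08-19 09:00", "2017-08-19 19:00", 1.5, 2, (800, 400, 0)),
]
LARGE_COST = 10_000  # assumed cut-off between "small" and "large"; set your own
FMT = "%Y-%m-%d %H:%M"


def hours_open(noticed, closed):
    """KPI 5: hours from first notice to the final wrap-up report."""
    delta = datetime.strptime(closed, FMT) - datetime.strptime(noticed, FMT)
    return delta.total_seconds() / 3600


def kpis_for_year(register, year):
    """Compute KPIs 1-6 for one calendar year of the register."""
    rows = [r for r in register if r[1].startswith(str(year))]
    prev = [r for r in register if r[1].startswith(str(year - 1))]
    costs = [sum(r[5]) for r in rows]
    total, n = sum(costs), len(rows)
    records = sum(r[4] for r in rows)
    pr_cost = sum(r[5][2] for r in rows)
    open_hours = sum(hours_open(r[1], r[2]) for r in rows)
    return {
        "incidents": n,
        "change_vs_prev_year": n - len(prev),                    # KPI 1
        "large": sum(c >= LARGE_COST for c in costs),            # KPI 2
        "small": sum(c < LARGE_COST for c in costs),             # KPI 3
        "cost_per_incident": total / n if n else 0.0,            # KPI 4
        "cost_per_record": total / records if records else None,
        "pr_share_of_cost": round(pr_cost / total, 2) if total else 0.0,
        "mean_hours_to_resolve": open_hours / n if n else 0.0,   # KPI 5
        "downtime_hours": sum(r[3] for r in rows),               # KPI 6
    }


if __name__ == "__main__":
    for key, value in kpis_for_year(REGISTER, 2017).items():
        print(f"{key}: {value}")
```

In the sample data a single large incident accounts for most of the 2017 cost, and the PR response makes up about half of the year's total, which is the pattern the cost-per-incident section describes.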

7. Meeting Regulatory Requirements

Your company is probably required to meet national – and possibly local – regulatory requirements when it comes to cybersecurity incidents. Failing to educate your company on these regulations and stay up to date on the rules and requirements does not relieve your company of liability. Failing to follow the appropriate regulations can lead to fines, public fallout, and a loss of reputation.

Your own state may have different regulations, but in the state of New York’s case, the New York Department of Financial Services requires financial services companies to hire a CISO to implement the proper risk assessments and processes for employees. Their regulations also require companies to officially report data breaches within a specific period of time.

8. Appropriate Management of Customer Impact

Managing the customer impact of a data breach can be difficult and cumbersome, but it needs to be measured as an integral part of your cybersecurity KPIs. You can start by reviewing how your compromised customers’ records or accounts were restored and protected after an attack. Once you’ve determined how the attack occurred, you can also measure how long it took to resolve the issue, and any financial fallout that resulted, including refunds or a class action lawsuit.

Collect more data on what happens to your customers during an attack and how it impacts their own business. Your data points could lead to new KPIs, such as whether or not the customer lost business due to your security incident. For example, thousands of retailers and restaurants could suffer a loss of revenue and reputation as a direct result of their financial institution being hacked. Take all of the data, narrow down the issues your customers faced as a result of your own security incident, and organize them into sub-KPIs.

Now that you have a comprehensive overview of all the different ways an incident impacts your business, you can share these KPIs with your security team to figure out how much to spend and whether or not to hire new staff to address your security needs. Sit down together and analyze the overall damage and ongoing fallout from a cyberattack versus the value of your cybersecurity.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.