Ten cybersecurity metrics your CIO wants you to know about

Cyber incident metrics could be a great way to give your entire team an insight into how protected your organisation is. Here are just some of the cybersecurity KPIs your CIO wants to you to know about.

Rob Stevens


As cybersecurity threats continue to evolve, how prepared is your business?

According to Independent studies, around half of all UK companies experienced a cyber-attack in 2017, and the digital world isn’t getting much safer. The more we unlock new opportunities with advanced technology and disruptive systems, the more criminals will attempt to break their way into our networks.

The question is, how do you assess the overall safety of your organisation?

Cyber incident metrics could be a great way to give your entire team an insight into how protected your organisation is. Here are just some of the cybersecurity KPIs your CIO wants to you to know about. At Nice Network we put ourselves through Cyber Essentials (CE) and ISO 27001 to negate against such threats. We are currently putting in place a simpler level or protection at Kilforst so they can achieve Cyber Essentials stamp of approval as well.

1.     Baseline Defence Coverage

Baseline defence coverage is a metric that assesses how companies are protecting themselves against baseline threats like viruses, spyware, and firewall breaches.

To measure cybersecurity metrics like this one, you’ll need to audit your entire enterprise and find out what kind of security systems you have in place for all the devices you use. Are there any outside tools in your workforce that are logging into your system without basic protection? If so, they could be making the rest of your team vulnerable. The Nice Network team has software in place on our network which monitors everything connected to it (Connectwise Automate). What’s more, all of the ISO and CE restrictions and policies we have in place do a lot to limit the risk of this happening to us. We even Patch Latency

This cybersecurity audit metric refers to the amount of time between the release of a software patch, and your ability to deploy that patch. Nice Networks IT services automatically roll out and upgrade new patches for our client’s business systems over the cloud. However, if your business doesn’t have an automated strategy in place, you’ll need to be aware of your company’s ability to react to exploits and get rid of potential windows into your system.

Monitoring patch latency will involve running patch management scans on all of your machines and devices to find out if any updates are missing from each one. At Nice Network, ConnectWise Automate does our patch management automatically classifying and applying patches according to our patch management schedule. It automatically approves and applies critical patches, but only after a week of them being released to mitigate any issues that arise.

2.     Number of Users with High Access Levels

Best practices in cybersecurity don’t just involve having the right software and programs in place. You’ll also need to make sure that you’re giving employees the right level of access for their work, without providing too many people with “super user” status. Identifying the access levels of all of your network users will ensure that you can block any administrators that don’t make sense.

Anyone can make a mistake when it comes to keeping a company safe online. The more people in your team with high-level administration access, the more chances there are for a small mistake to lead to a huge breach. Monitoring your users will also ensure that you can quickly remove access to networks for people who leave your business. In the Nice Network team, only key members of our IT community have domain admin and local admin privileges. Users on our network cannot install anything without our say so. Connectwise automate and also assist to remove any local admin privileges on PC’s we manage for clients.

3.     Password Strength

Password strength might seem like one of the most apparent cybersecurity metrics at first glance, but it’s also the one that many businesses overlook. There are still several businesses out there that have yet to implement a password policy for their employees. However, by putting a password system in place, you can identify where your users might be opening your company up to attack.

To get this metric, you’ll need to ask your cybersecurity team to run password-breaking programs that allow you to determine which of your accounts are the least protected. Password strength cybersecurity audit metrics are often measured in the length of time it takes to break a password.

At Nice, we enforce strong password policies on our Network, and recommend our clients do the same. The best practice recommendations in the industry right now are for passwords to include at least 8 characters. Complexity needs to be enabled too, which means using numbers, symbols, and both upper- and lower-case letters.

We enforce this with Group Policy. On other devices we generally use a randomly generated string of characters. Passwords for system logins are stored in an encrypted password vault.

4.     Percentage of Third Parties with Cybersecurity Effectiveness

Sometimes, even if your cyber incident metrics are excellent, your business may struggle because it’s connected to another organisation with poor safety standards. Effective risk management practices require you to think about the people that you allow into your system regularly from outside of your team. For instance, what kind of security strategies does your VoIP provider have in place? Nice Network have ISO 27001 approved systems in place.

ISO and cyber essentials heavily restrict access to our network, no third-party access is provided, Access for guest devices from within Nice Network is done from a guest VLAN, segregating them from our corporate LAN. Any external correspondence send to us via email is scanned for malware and viruses via Symantec Cloud. Users are not permitted to use USB keys or removable media. We are also protected at a desktop level with Sophos AV

Are your IoT devices set up to ensure that the only data travelling between devices is encrypted? Continuously monitoring the access that third parties have, and the security standards they use will let you see vulnerabilities that are outside of your immediate control. This will allow you to make data-driven decisions about how to develop your devices, and which vendors to work with.

5.     Number of Systems with Known Vulnerabilities

Finally, sometimes no matter what you do, there will be systems in your network that are more vulnerable than others. Knowing which of the assets in your environment the weakest are will help you to limit the amount of risk that you expose yourself to. You can create a hierarchy of the systems that need to be managed, patched, and improved first.

In the Nice team, ConnectWise Automate detects all devices on the network – we can then evaluate them for patching levels, configure automatic update where possible, and manually patch when not. We will recommend replacement of end-of-life products that no longer receive updates.

A quick vulnerability scan can be all it takes to determine which assets need to be improved. You may even decide to invest in new solutions if you discover that your existing strategies are no longer up to scratch.

Want to take your security strategy to the next level and nail your cybersecurity metrics? Contact Nice Network today.