Businesses remain at an elevated risk of cyber attack due to organizations’ increased concerns over disruption or damages to critical infrastructure, according to Trend Micro Inc. in its latest Cyber Risk Index (CRI) study.
The results show the CRI increased compared to the survey conducted in 2H 2018, mainly due to a perceived increase in risk from the threats targeting organizations, and is now at its highest since the index began.
Trend Micro commissioned Ponemon Institute to survey more than 1000 organizations in the U.S. to assess business risk based on the difference between their current security posture and their perceived likelihood of attack.
“Organizations continue to invest in cutting-edge technologies to combat the growing risk of cyber threats to their data and infrastructure, but our latest CRI survey shows there’s still room to better prepare against attacks,” said Jon Clay, director of global threat communications for Trend Micro.
“By using the CRI to take a risk management approach to security, organizations can be more strategic in their investments, and work to encourage the C-level to elevate cybersecurity to the top of their priority list.”
Highlights from the 2019 CRI results include:
- 65% have experienced one or more breaches of customer data and 62% have lost sensitive intellectual property over the last 12 months
- 78% predict that, in the next year, they will lose customer records and 77% predict they will lose information assets
- 73% said they experienced infiltration of their networks and/or enterprise systems over the past year
- 81% believe an attack is likely in the next 12 months
“The Cyber Risk Index is a strong tool for CISOs to use when assessing their security posture in this ever-changing landscape,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Building on the benchmarks established in the 2018 survey, IT security leaders can easily distil the multitude of infrastructure and threat changes in a meaningful way.”
Overall, respondents rated disruption or damage to critical infrastructure as the top consequence of such attacks, while phishing and social engineering were highlighted as the number one threat for organizations.
The report also identifies specific areas in which organizations lack risk mitigation. Adequate controls are still lacking in data and infrastructure security, and in many cases, IT security architecture is neither agile nor scalable enough.
Regarding risk mitigation, IT security functions reported that they support security in the DevOps environment.
The CRI breaks down the highest risk industries, which include health and pharmaceuticals, transportation, and industrial and manufacturing. Small businesses also had a higher risk than medium businesses and enterprises.