2016 was a year of serious cybersecurity breaches all around the world, as can be seen in one glance at Information is Beautiful’s interactive graphic. No one was safe. The Philippines’ Commission on Elections was hacked. An estimated $3 million USD (or £2.5 million) was stolen from 9,000 customers at a UK bank. The entire Turkish citizenship database was hacked and leaked online. Hackers accessed 9 million records of Three, a UK mobile company.

Closer to home, hackers breached the Clinton campaign, publishing more than 19,000 emails on WikiLeaks. Quest Diagnostics, a company providing clinical laboratory services, had 34,000 health records stolen. A denial-of-service (DoS) attack took advantage of vulnerabilities in the Internet of Things (IoT) to shut down websites worldwide, including Airbnb, Etsy, and the National Hockey League. This DoS attack was serious enough to lead the US Department of Homeland Security (DHS) to release guidelines on IoT security.

This was the context in which Tenable Network Security conducted its annual survey of 700 security practitioners in nine countries, to ask them to rate their company’s ability to assess cybersecurity threats and mitigate risks.

Given everything that happened in 2016, it’s not surprising that global cybersecurity confidence is falling. The 2017 report card gives global cybersecurity confidence a C-, down from the previous year’s C.

What are experts most afraid of, and how does U.S. confidence stack up against global confidence? Here’s everything you need to know about global cybersecurity in 2017.

Explaining the Grade

Tenable Network Security creates two indices: the Risk Assessment Index and the Security Assurance Index. These two indices are combined to create a single letter grade for cybersecurity confidence.

The Global Risk Assessment Index represents organizations’ ability to assess cybersecurity risks. The average overall score was 61%, a whopping drop of 12% from the previous year. This means respondents were much less confident their organizations could assess cybersecurity risks. This measure received a D-.

The Global Security Assurance Index represents organizations’ ability to mitigate threats because of investment in security infrastructure supported at the executive and board level. The average overall score was 79%, the same as the previous year. This measure received a C+.

This means the drop in this year’s grade was entirely fueled by less confidence in organizations’ ability to assess cybersecurity risks.

Breaking the results down by industry, the retail industry received a C, the highest mark of any industry, while government, education, and healthcare were tied for last place with a D. Telecom and Financial Services, which had the highest grades last year, had the largest drops in confidence.

No industry received higher than a B- in any category, highlighting that every industry needs to strengthen its cybersecurity practices and its ability to assess cyber risks.

What the Experts are Afraid Of

What drove the drop in confidence? What has changed in the past year? What are the IT experts afraid of?

The survey has answers to these questions. Beyond asking about general perceptions of cybersecurity, it also asked about organizations’ ability to assess risk across 11 IT components. This provided a full picture of the types of threats keeping IT professionals up at night.

IT professionals said they had little confidence in their organization’s ability to assess risk regarding:

  • Cyber threats. For the second time in a row, survey respondents identified cyber threats as the number one challenge for IT security professionals today. With the increase in cybercriminal activity, this isn’t surprising news.
  • Poor cybersecurity awareness among employees. This seems more surprising, but given how few employees pass simple cybersecurity tests, it shouldn’t be.
  • Mobile devices. Respondents’ confidence in their organization’s ability to assess risk for mobile devices dropped from 65% in last year’s survey to 57%.
  • DevOps processes and containerization technologies. These technologies are revolutionizing software development, but organizations lag in their ability to make them secure.
  • Cloud software. Using the cloud may be more and more common, but that doesn’t mean it’s become more and more secure.

Organizations face a constant challenge to make sure their security keeps up with the rapidly evolving pace of technology. The areas above are particularly weak spots that organizations should focus on improving.

How the U.S. Confidence Compares Globally

The report cards by country show how widely confidence varies. India fared the best, receiving a B, while Japan was at the bottom of the rankings, receiving an F.

Germany and the UK also received failing grades for risk assessment, though their comparatively stronger marks in security assurance let them squeak by with passing grades.

Of the nine countries surveyed, the U.S. comes in second, with a risk assessment grade of C-, a security assurance grade of B, and an overall grade of C+.

While this puts the U.S. ahead of the pack, it’s not exactly something to celebrate. There is much room for American organizations to improve their ability to assess cybersecurity risks and to mitigate those threats with robust security infrastructure.

We can’t put it better than the DHS did in its guidelines on the IoT: “… the reality is that security is not keeping up with the pace of innovation.”

In fact, this has become a concern within the government. A cybersecurity commission Obama established in February 2016 released a report urging the new administration to strengthen cybersecurity within its first 100 days.

Given the results of this cybersecurity study, there is no question that the United States and many other countries need to do more to improve their cybersecurity practices. Hopefully, with enough effort and resources, we can create a more secure IT environment globally, and boost cybersecurity confidence for organizations around the world.