Global companies and governments are spending more than $100 billion a year on cybersecurity defences, yet most are failing to measure the effectiveness of that investment, according to a survey report published this week.

The survey conducted by privileged account management (PAM) provider, Thycotic, also found that four out of five companies worldwide are not fully satisfied with their cybersecurity metrics, and 34% are making business decisions and purchasing cyber security technology blindly.

Thycotic’s first annual 2017 State of Cybersecurity Metrics report is based on a Security Measurement Index (SMI) benchmark Survey of more than 400 global business and security executives around the world, the company says.

“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joe Carson, Chief Security Scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”

Most of the 400 survey respondents came from North America, with Europe, Russia, India, Central and South America also represented, and a cross section of global organisations ranging from small and mid-sized companies to large global enterprises in all major industries (and government) were featured, the researchers say.

According to the findings, 58% of the 400 respondents in the survey scored an “F” or “D” grade (a failing grade) when evaluating their efforts to measure their cybersecurity investments and performance against best practices.

Other findings highlighted in the report include:

• One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
• Four out five companies don’t know where their sensitive data is located, and how to secure it.
• Four out of five fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.
• Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
• Four out of five never measure the success of security training investments.
• While 80 percent of breaches involve stolen or weak credentials, 60 percent of companies still do not adequately protect privileged accounts—their keys to the kingdom.
• Small businesses are targeted in two out of three cyberattacks.
• Sixty percent of small businesses go out of business six months after a breach.

“We put out this report not only to show the errors that are being made, but also to educate those who need it on how to improve in each of the areas that are lacking,” added Carson. “Our report provides recommendations associated with better ways to educate, protect, monitor and measure so that improvements can be implemented.”

Founded in 1996 and headquartered in Washington DC, Thycotic markets itself as the fastest growing provider of Privilege Management cyber-security solutions, securing privileged account access for more than 7,500 organizations worldwide, including Fortune 500 enterprises.