False-positive of trust in cyber

by Mark Rowe

Only a minority (37pc) of senior security decision-makers “completely” trust that their organization is protected and can successfully defend against all cyber attacks, according to the risk advisory firm Kroll in its 2023 State of Cyber Defense Report: The False-Positive of Trust. That’s despite organizations having an average of five major security incidents in the last year. Further, although organizations deploy eight cybersecurity platforms on average, the higher the average number of platforms installed, the more cyber incidents experienced.

The correlation between the number of security tools and the number of security incidents suggests that trusting security tools alone is misguided, and security teams may not fully understand the threats they face, the consultancy suggests. Further, despite the number of security tools deployed, only 24pc have a managed detection and response (MDR) or managed security service provider (MSSP) solution. The firm says that having multiple security tools on a network does not guarantee protection, and that without a partner that routinely manages and updates the security monitoring solutions (what an MDR provider would perform), organizations are more vulnerable to threats.

A survey of 1,000 senior IT security decision-makers in Q1 2023 at firms with $50 million (mn) to $10 billion (bn) in revenue was carried out by market researchers Vanson Bourne, and all respondents had some responsibility or knowledge of cyber. Respondents were from the United States, the UK, Ireland, Spain, Italy, Singapore, Hong Kong, Japan and Brazil. The survey and report look to understand the levels of organizational trust and how that can have wide-ranging impacts on effectively dealing with cybersecurity challenges.

Edward Starkie, Associate Managing Director of Cyber Risk at Kroll, said: “To navigate the current threat landscape, trust is imperative. There needs to be trust in teams, trust in technology, in intelligence sources, and in suppliers. However, there is a critical balance to be made on how much and where that trust should be placed.

“Further, businesses seem unaware of the importance of continued managed response. Of course, this is understandable considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily. Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one and done’ solution for an ever-changing landscape.”

Key UK and EMEA findings:

Miscommunication causes mistrust: UK companies state that the biggest cause for trust to depreciate is a lack of communication (52pc). The rest of EMEA find the reasons more wide-ranging, with lack of communication, limited technical capabilities and overstretched business (all 46pc) to be the causes. Almost all (97pc) reported that they do not have complete trust across all aspects of their organization, clearly demonstrating a widespread concern for IT leaders with potentially damaging consequences.

There are steep costs to a lack of trust: An overwhelming majority (98pc) agree there is a cost to a lack of trust in the workplace. More complexity is the greatest perceived consequence globally (37pc); however, unnecessary technology is deemed the biggest consequence in the UK (43pc). This also differs from EMEA as a whole, where misrepresentation of cyber risk is deemed the biggest consequence (40pc), and from North America, where slow incident response and more complexity are deemed the largest (both 37pc).

Trust is also misplaced: Trust in employees to avoid cyberattacks (66pc) is ranked higher than the ability of the security team to identify and prioritize security gaps (63pc), accuracy of data alerts (59pc), effectiveness of cybersecurity tools and technologies (56pc), and the accuracy of threat intelligence data (56pc).

Multiple security tools don’t solve the problem: the higher the average number of platforms used, the more cybersecurity incidents experienced. The number of incidents, and the fact that only 24pc have MDR, show that having the right tools, and not the number of tools, is an important factor in cyber protection.

Only 23pc of businesses have cybersecurity insurance cover: further, only 20pc of IT and security professionals who say their security operations are cyber mature have cyber insurance.

Outsourcing cybersecurity services is gaining popularity: 98pc of those that do not already outsource their cybersecurity services have (or are considering) plans to do so, with 51pc intending to do so in the next 12 months. However, 89pc of IT and security decision-makers say improvement is needed in the transparency between their security teams and security vendors.

Jason Smolanoff, President of Cyber Risk at Kroll, said: “To move beyond unsafe assumptions about their cybersecurity and become fully cyber resilient, organizations need to keep up to date on evolving cyber threats, gain in-depth understanding of what their security tools can defend against and maximize tooling in response. Organizations can achieve this by working with a trusted external partner to gain an independent and accurate perspective on their security status. Specialist support will provide the critical viewpoint needed to help businesses avoid internal security siloes and enhance their knowledge with constantly-updated threat insight.”


© 2024 Professional Security Magazine. All rights reserved.