Cybersecurity Perception vs Reality: Is Your Organisation Actually Secure?
With an evolving cyberthreat landscape and increasing regulatory demands, organisations cannot afford to operate under misconceptions that lure them into a false sense of security.
By: Hadi Hosn
The threat of cybercrime has never been greater. Eighty per cent of organisations in Europe experienced a cyberattack in the last year, and in 2016 more than 4,000 ransomware attacks occurred daily, according to research by the European Commission. On top of that, there is an increasing lack of consumer trust in the internet. Businesses, governments, the media and other organisations are being forced to re-evaluate the measures they take to protect business and personal data while building strong relationships with customers.
Trillions of dollars will be poured into cybersecurity over the next four years, covering everything from complete infrastructure overhauls to talent acquisition and basic software defence tools. It is likely that every organisation across every industry is thinking about cybersecurity thanks to the current rate of digital change. However, one issue that continues to arise is the gap between organisations’ perceived security strength and their actual security strength. This perception problem emerges because enterprises typically don’t establish quantitative metrics to measure security preparedness. Instead, they often use more qualitative, anecdotal experiences to determine security maturity. As a result, differences across departments within the organisation become clear and the issue of perception versus reality when benchmarking cybersecurity preparedness becomes hard to ignore.
Cybersecurity perception versus reality: How can organisations tell the difference?
A common error enterprises make is to view data security preparedness and maturity as something that can be measured by listing the layers of defence an IT department has in place. Viewing cybersecurity through this lens means enterprises cannot distinguish between self-perception and reality. Only by analysing a number of key elements collectively, such as People, Organisational Culture, Technology, Tools & Controls, Security Operations and Cloud Adoption, can a true measure of security maturity be obtained – collating a laundry list of security tools simply does not suffice.
A recent Frost & Sullivan™ and Secureworks® study analysed the security maturity of hundreds of organisations in the UK based on the above elements. Categorising enterprises into Underprepared, In Transition and Security Leaders groups, the research revealed that 52% of large UK firms fall into the “Underprepared” group. Of those Underprepared UK businesses, 46% cite a higher level of trust as a key competitive differentiator in their marketing materials, while 44% claim to offer a higher level of security. Security and trust must not be viewed as separate entities. For underprepared organisations, these claims of higher trust are largely based on qualitative and anecdotal beliefs that have little to no bearing on true cybersecurity preparedness.
One of the key elements of a strong security posture is an organisation’s ability to anticipate threats before they happen, and in today’s high-risk environment, failing to put in place this kind of proactive approach is a chance organisations cannot afford to take. The unfortunate reality, however, is the exact opposite. Less than one in five IT leaders in the UK identify this proactive approach to anticipating threats as a major objective for their network security tools. Even amongst those deemed as Security Leaders by Frost & Sullivan, only 24% indicated that threat anticipation is the primary function of their network security. This leads us to believe that three-quarters of organisations deemed to be Security Leaders do not consider anticipating potential threats to be a security priority. So regardless of an organisation’s level of security maturity, if a proactive approach to cybersecurity is not being adopted, critical business data is in real jeopardy.
Paving a Secure Path Forward
Nearly every enterprise, government body, and citizen has likely been impacted by cyber-attacks in 2017 in some way. Those attacks have directly impacted share prices, the ability to fulfil contractual obligations, customer trust, and have, in some cases, led to costly regulatory fines.
Now is the time for business leaders to take a long, hard look at their organisation’s infrastructure. By reviewing everything from operations and staffing to the tools used every day by security practitioners, they can ensure that security measures are woven into the fabric of the business at every level.
The first step in making that shift is to assess and identify critical assets, functions, and business processes in order to form a roadmap for security optimisation. From this, organisations are able to gain greater visibility and prioritise controls and security programmes to focus on high risk areas, whether they are regulatory or cybersecurity (malware, APT, breach) related.
Regardless of whether an organisation is considered to be a Security Leader or Underprepared, there are a few key ways organisations can help safeguard intellectual property, be better equipped for potential threats and, most importantly, protect customers’ personal data. These include the following:
- Implement formal information security guidelines across all departments
- Assess suppliers and subcontractors to ensure they fulfil security assurances
- Incorporate threat intelligence into cybersecurity strategy
- Conduct behaviour analysis to understand risk profiles in the organisation
- Automate cybersecurity processes and integrate threat intelligence into them
- Conduct periodic reviews and assessments (semi-annual) to fine-tune security operations
With the ever-increasing sophistication of the threat landscape, consumers’ real-time demands, and the new, highly regulated business environment, these best practices are designed to help organisations thrive in the digital era. As modern businesses use technology every day to enhance productivity, cybersecurity strategies must mature in tandem to protect the business from unforeseen disasters now and in the future. Embracing that notion will separate the successful organisations living in true reality from those struggling in the dark.