Organizations Are Unrealistic, Overconfident about Their Cybersecurity Skills

Cyberattacks are on the rise, with the most significant malicious activity so far detected in the finance, professional and information sectors, followed by manufacturing, according to Rapid7. Despite the increasing number of data breaches in critical sectors, there are discrepancies in how C-level executives perceive cybersecurity and the threat landscape, depending on their industry and home country.

While some fear an attack is imminent, others display overwhelmingly unrealistic confidence in their risk mitigation strategy, FICO research states. For example, 63 percent of executives predict an increase in security incidents and data breaches in coming months, but the most fearful are those in the financial services and retail and e-commerce. As many as 80 percent fear attack volumes will skyrocket, while only 39 percent of telcos share that belief. On average, some 64 percent of respondents predict a significant increase in cybersecurity budgets in the coming year.

As per FICO’s 2018 report, only 33 percent of respondents noticed an increase in the number of attacks this year, compared to 61 percent in the previous annual report, while 9 percent say they decreased. “This could be a reflection that the volume of attacks in the USA is starting to stabilize after a period of significant growth,” reads the report. “There were differences in the rate of attack by industry, which could indicate that cyber criminals are targeting attacks against certain types of organizations—perhaps those they perceive have the weakest defenses.”

Security budget increases are expected, especially in the power and utilities sector (71 percent). Even though they are two of the most targeted sectors, healthcare will most likely not raise its cybersecurity budget, while financial services warned of a possible decrease (5 percent). On a positive note, enterprises are more concerned about securing their infrastructure than in previous years. As many as 76 percent of businesses in the US have taken out cyber-risk insurance, but only 30 percent of organizations in the healthcare sector have shown interest in this type of insurance.

Insider threats are still a top concern for C-level executives (81 percent), the study found. Even though 85 percent trust their employees are cybersecurity savvy, enterprises apparently consider it a top priority and would still invest in further training and education workshops to ensure optimal infrastructure protection. More than half believe senior IT positions represent the highest insider risk in a security incident.

Many respondents displayed a measure of overconfidence when asked about their competitors’ cybersecurity strategies. “This overoptimism may be caused by a lack of objective and ongoing measurement of cybersecurity posture,” says the report. 68 percent consider their company “a top performer” – an opinion shared by 88 percent of Indian-based companies and 84 percent of businesses in Canada and the Nordics. In the long run, excessive optimism could jeopardize the chances of improving and deploying a complex cybersecurity strategy. Overconfident or not, one thing is certain: a number of companies had no clear risk assessment strategy, while 20 percent of financial services and retail and e-commerce have not even developed a risk assessment program.