Perception, reality and cybersecurity: Is your company really prepared?
It’s a basic and ironic fact of human nature: we – all of us – are pretty bad at estimating how good we are. For years, psychologists have studied why people tend to overestimate their own competencies and abilities. In fact, studies have found that the higher we rate ourselves in our minds, the worse we perform in reality.
Unsurprisingly, many companies have the same disparity in perception vs. reality when it comes to IT security. But the situation is more complex and nuanced than “you’re not as good as you think you are.” That’s especially true since the pandemic turned traditional IT management practices inside out. Even within companies, there are marked differences in perceptions of cybersecurity preparedness between business executives and security-focused IT professionals.
The rapid and dramatic shift to home offices and hybrid computing that began in March 2020 has produced a kind of “good news-bad news” outcome so far. In the U.S. and Germany and other major markets, awareness of cybersecurity at small- and medium-sized businesses (SMBs) has increased. However, there are still too many SMBs that do not adequately protect themselves against cyber risks.
A recent study about the state of IT security published by "Deutschland sicher im Netz" (DsiN), a German counterpart to the U.S. Cybersecurity & Infrastructure Agency (CISA), found that while many companies recognize their dependence on IT security and even rate it highly, their need to catch up and introduce appropriate strategies remains undiminished.
The 2022 Global Cybersecurity Outlook produced by the World Economic Forum and Accenture reported similar findings from the U.S. and 19 other countries. For example, 81 percent of executives believe that digital transformation accelerated by the pandemic has been the main driver in improving cyber preparedness. However, while 92 percent of business executives felt that cyber resilience is integrated into overall enterprise risk-management strategies, only 55 percent of security-focused leaders agreed.
At a practical level, that means that security leaders are often left out of the loop in business decisions that raise security issues. As many IT pros saw at the start of the pandemic, the resources devoted to setting up employee home offices were not matched with appropriate tools to secure new equipment and network infrastructures. That made those home offices easier pickings for cybercriminals than when network endpoints were secured behind corporate firewalls.
The DsiN report describes results that were similar in the U.S. and elsewhere. It found that 42 percent of companies recently experienced security-related incidents, with 5 percent saying that cyberattacks had permanent effects on their business. Mind you, those figures were from companies that both noticed and publicly reported attacks. In other words, the actual number is probably much higher!
Here's where psychology comes into play. Many companies apparently don’t want to, or are unable to, acknowledge their own risks accurately. Two-thirds are either content with a one-time “OK, I think we’re good here” risk inventory, or skip it entirely. But more organizations are beginning to address the realities of cybersecurity rather than settling for the false comfort of self-perception.
The DsiN report found "a growing willingness on the part of management or executive boards to take responsibility for dealing with IT security issues." Simply put, people want to do more to ensure security. However, only 16 percent of companies say they are actually taking concrete measures to establish an internal IT security culture. Those companies have not only taken the necessary technology and procedural steps to increase security, they’ve created a culture of cybersecurity after putting their operations and infrastructures under the microscope and enacting appropriate measures. A six percent subset of those companies conduct regular tests with their employees. The rest "don't take security too seriously," and a quarter of all companies still do not train employees in basic cybersecurity awareness.
Cyber-smart IT admins know the central importance of promptly patching and updating software. But leave that essential practice aside for a minute and look at other basic IT functions for evidence of how much work remains to be done at some organizations. Half of all companies do not have any protective measures in place for email. About the same number allow mixed private and business use of company equipment without any special security requirements. The DsiN report also found that reviews of protective measures for home offices are on the decline.
Don’t take those findings as scolding. In fact, IT admins at many SMBs are doing everything they can to protect their companies and clients, often with inadequate resources. They just need the right tools that can help them manage relentlessly growing workloads.
Given the increased threats facing businesses of all sizes today, companies with limited budgets can and should enact basic measures. Here are some starting points that can minimize threats and ensure business security and growth:
- Vulnerability scans: uncover and prioritize attack surfaces early and identify needed actions
- Software updates: patch vulnerabilities regularly and promptly
- Backup: back up data regularly and protect it from unauthorized access
- Service providers: strengthen defenses with qualified external help and information sharing
- Awareness: train employees on a regular basis
- Emergency plan: create, rehearse and adapt as necessary
- Cyber insurance: purchase sufficient coverage
It's not just about being better prepared to prevent attacks, but also about limiting or avoiding liability for consequential damages. The first three measures above can be covered easily and efficiently by using a comprehensive UEM system with powerful and flexible automation features such as the baramundi Management Suite (bMS).
Human nature being what it is, some companies may continue to not “take security too seriously” and rely on inflated measures of their own preparedness instead of robust security supported by UEM. But as most IT pros know all too well, magical thinking won’t prevent hackers and ransomware rings from taking your network – or your company – down.