Kroll’s 2023 State of Cyber Defense Report Reveals a Lack of Trust Ranked as the Biggest Security Concern by Cybersecurity Decision-Makers Globally

Kroll, the leading independent provider of global risk and financial advisory solutions, has released its 2023 State of Cyber Defense Report: The False-Positive of Trust, which explores the balance between trust and cyber maturity. The findings reveal that 37% of senior security decision-makers “completely” trust that their organization is protected and can successfully defend against all cyberattacks, despite organizations experiencing an average of five major security incidents in the last year. Further, despite organizations deploying on average eight cybersecurity platforms, the higher the average number of platforms installed, the more cybersecurity incidents organizations have experienced.

The correlation between the number of security tools and the number of security incidents suggests that trusting security tools alone is misguided, and security teams may not fully understand the threats they face. Further, despite the number of security tools deployed, only 24% have a managed detection and response (MDR) or managed security service provider (MSSP) solution. This confirms that having multiple security tools on a network does not guarantee protection, and without a partner that routinely manages and updates the security monitoring solutions—what an MDR provider would perform—organizations are more vulnerable to threats.

The 2023 State of Cyber Defense Report: The False-Positive of Trust surveyed 1,000 senior IT security decision-makers in Q1 2023 at firms with $50 million (mn) to $10 billion (bn) in revenue. The survey was carried out by an independent specialist in market research, Vanson Bourne, and all respondents had some responsibility or knowledge of cybersecurity within their organization. Respondents were from the U.S., the UK, Ireland, Spain, Italy, Singapore, Hong Kong, Japan and Brazil. The survey and report look to understand the levels of organizational trust and how that can have wide-ranging impacts on effectively dealing with cybersecurity challenges.

Edward Starkie, Associate Managing Director of Cyber Risk at Kroll, commented: “To navigate the current threat landscape, trust is imperative. There needs to be trust in teams, trust in technology, in intelligence sources, and in suppliers. However, there is a critical balance to be made on how much and where that trust should be placed.

“Further, businesses seem unaware of the importance of continued managed response. Of course, this is understandable considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily. Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one and done’ solution for an ever-changing landscape.”

Key UK and EMEA findings from Kroll’s 2023 State of Cyber Defense: The False-Positive of Trust include:

• Miscommunication causes mistrust: UK companies state that the biggest cause for trust to depreciate is a lack of communication (52%). The rest of EMEA find the reasons more wide-ranging, with lack of communication, limited technical capabilities and overstretched business (all 46%) cited as the causes. Almost all (97%) reported that they do not have complete trust across all aspects of their organization, clearly demonstrating a widespread concern for IT leaders with potentially damaging consequences.

• There are steep costs to a lack of trust: An overwhelming majority (98%) agree there is a cost to a lack of trust in the workplace. More complexity is the greatest perceived consequence globally (37%); however, unnecessary technology is deemed the biggest consequence in the UK (43%). This also differs from EMEA as a whole, where misrepresentation of cyber risk is deemed the biggest consequence (40%), and from North America, where slow incident response and more complexity are deemed the largest (both 37%).

• Trust is also misplaced: Trust in employees to avoid cyberattacks (66%) is ranked higher than the ability of the security team to identify and prioritize security gaps (63%), accuracy of data alerts (59%), effectiveness of cybersecurity tools and technologies (56%), and the accuracy of threat intelligence data (56%).

• Multiple security tools don’t solve the problem: The higher the average number of platforms used, the more cybersecurity incidents organizations have experienced. The number of incidents, and the fact that only 24% have MDR, show that having the right tools, and not the number of tools, is an important factor in cyber protection.

• Only 23% of businesses have cybersecurity insurance cover: Further, only 20% of IT and security professionals who say their security operations are cyber mature have cyber insurance.

• Outsourcing cybersecurity services is gaining popularity: 98% of those that do not already outsource their cybersecurity services have (or are considering) plans to do so, with 51% intending to do so in the next 12 months. However, 89% of IT and security decision-makers say improvement is needed in the transparency between their security teams and security vendors.

Jason Smolanoff, President of Cyber Risk at Kroll, said: “To move beyond unsafe assumptions about their cybersecurity and become fully cyber resilient, organizations need to keep up to date on evolving cyber threats, gain in-depth understanding of what their security tools can defend against and maximize tooling in response. Organizations can achieve this by working with a trusted external partner to gain an independent and accurate perspective on their security status. Specialist support will provide the critical viewpoint needed to help businesses avoid internal security siloes and enhance their knowledge with constantly-updated threat insight.”