CEOs’ Overconfidence in Security Could be their Undoing.
CEOs’ overconfidence in their organization’s ability to deflect attacks could be exposing global firms to greater cyber risk, according to new research from RedSeal.
The cybersecurity analytics firm interviewed 200 CEOs of global firms, and found over 80% were very confident in their cybersecurity strategy.
This is despite data breach incidents soaring in 2016. In the US alone there have been nearly 1,000 reported incidents this year, leading to the exposure of 35 million records, according to the Identity Theft Resource Center.
In the UK, government figures from May claimed that two-thirds of large firms had been hit with a cyber attack or breach in the past 12 months.
Despite over half (58%) of those CEOs surveyed claiming to discuss cybersecurity daily with the board, their strategies clearly aren’t working.
Part of the problem may be that many are still focusing too heavily on trying to block threats at the perimeter, even though most experts are now agreed that it is impossible to stop a determined attacker armed with the right tools.
Half of those polled said they prioritize keeping hackers out of the network versus just a quarter (24%) who focus on developing capabilities to find and deal with attackers who have already breached the perimeter.
“The new cyber battleground is inside the network, not at the perimeter,” said RedSeal chairman and CEO, Ray Rothrock. “Firewalls, virus detectors, and malware scans keep out 99% of the bad guys, but the 1% who get in can cripple a business and their critical infrastructure.”
The research also revealed a continuing problem with the effectiveness of cybersecurity investments.
Nearly 90% of CEOs polled said they want to receive daily data showing them the overall cybersecurity posture of their organization.
But over three-quarters (79%) claimed current reports are too difficult to understand, while 87% said they need a better way to measure the effectiveness of investments in the area.
Half said they only receive reports in times of crisis.
“CEOs project a great level of confidence when asked about their cybersecurity strategies, however their perceptions aren’t in line with reality,” said James Kaplan, partner at McKinsey & Company.
“For years, the IT security industry has operated with the understanding that every organization will suffer a security incident. Given this inevitability, CEOs should be much more focused on building resilience into their networks so they can maintain business operations when the breach occurs.”