As risk managers arrived in Manchester for the Airmic annual conference, a leading cyber security expert warned businesses that they cannot afford to become complacent about the threat that emerging cyber risks pose to companies across the globe.
Edward Starkie, associate managing director of cyber risk at global risk and financial advisory Kroll, made his comments as the company issued the results of its 2023 State of Cyber Defence Report: The False-Positive of Trust.
The findings reveal that 37% of senior security decision-makers “completely” trust that their organisation is protected and can successfully defend against all cyberattacks, despite organisations experiencing an average of five major security incidents in the last year. Further, although organisations deploy on average eight cybersecurity platforms, those with a higher average number of platforms installed have experienced more cybersecurity incidents.
“The correlation between the number of security tools and the number of security incidents suggests that trusting security tools alone is misguided, and security teams may not fully understand the threats they face,” the report stated. “Further, despite the number of security tools deployed, only 24% have a managed detection and response (MDR) or managed security service provider solution (MSSP). This confirms that having multiple security tools on a network does not guarantee protection, and without a partner that routinely manages and updates the security monitoring solutions—what an MDR provider would perform—organizations are more vulnerable to threats.”
Starkie said: “To navigate the current threat landscape, trust is imperative. There needs to be trust in teams, trust in technology, in intelligence sources, and in suppliers. However, there is a critical balance to be made on how much and where that trust should be placed.
“Further, businesses seem unaware of the importance of continued managed response. Of course, this is understandable considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily. Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one and done’ solution for an ever-changing landscape.”
For EMEA and the UK, the survey found that miscommunication causes mistrust. UK companies state that the biggest cause of declining trust is a lack of communication (52%). The rest of EMEA cites a wider range of reasons, with lack of communication, limited technical capabilities and an overstretched business (all 46%) named as causes. Almost all (97%) reported that they do not have complete trust across all aspects of their organisation, clearly demonstrating a widespread concern for IT leaders with potentially damaging consequences.
Kroll warned that there are steep costs to a lack of trust. An overwhelming majority of respondents (98%) agree there is a cost to a lack of trust in the workplace. More complexity is the greatest perceived consequence globally (37%); however, unnecessary technology is deemed the biggest consequence in the UK (43%). This also differs from EMEA as a whole, where misrepresentation of cyber risk is deemed the biggest consequence (40%), and from North America, where slow incident response and more complexity are deemed the largest (both 37%).
Jason Smolanoff, Kroll’s president of Cyber Risk, said: “To move beyond unsafe assumptions about their cybersecurity and become fully cyber resilient, organisations need to keep up to date on evolving cyber threats, gain in-depth understanding of what their security tools can defend against and maximise tooling in response. Organisations can achieve this by working with a trusted external partner to gain an independent and accurate perspective on their security status. Specialist support will provide the critical viewpoint needed to help businesses avoid internal security siloes and enhance their knowledge with constantly updated threat insight.”