Lack of trust biggest challenge to adequate cyber resilience
Kroll has announced the release of its report State of Cyber Defense 2023: The False-Positive of Trust.
The report surveyed 1,000 senior IT security decision-makers across eight markets, including Singapore, and finds that organizations have nascent cyber defense strategies because of a lack of trust, which was perceived to be the biggest challenge in ensuring adequate cyber resilience. Security decision-makers in Singapore also cited lack of communication in coordinating cyber teams for defense strategies as the top factor for depreciation of trust.
The report also examines the costs organizations incur from a lack of trust in the workplace; unnecessary technology was ranked as one of the top consequences by organizations in Singapore (46%).
Broader findings from the report reveal widespread mistrust across organizations, with information security decision-makers (95%) sharing that they do not feel senior leadership trusts them to protect their organizations from threats. The report also identifies other factors limiting the growth of cyber defense such as overlooked cyber insurance and explores how misplaced trust has wide-ranging impacts on how effectively businesses deal with cybersecurity challenges.
Kroll’s State of Cyber Defense 2023: The False-Positive of Trust report sets out to understand the current levels of cyber defense and organizational trust in the region and globally, and how businesses can balance between trust and true cyber maturity to stay ahead in a constantly evolving threat landscape.
Kroll’s study surveyed IT security decision-makers on their most trusted cybersecurity measures; it was found that respondents place more trust in their employees to avoid cyberattacks than cybersecurity alerts, tools and threat intelligence data.
The report also showed that there is a need for organizations globally to balance how much and where trust is placed when it comes to their cyber defense strategies: employees were trusted more (66%) than the accuracy of threat intelligence data (56%), which may lead to potential pitfalls in maintaining cyber vigilance.
“To navigate the current threat landscape, trust is imperative,” says James McLeary, Managing Director and Global Lead of Cyber Risk Advisory at Kroll.
“There needs to be trust in teams, trust in technology, in intelligence sources, and with suppliers. However, there is a critical balance to be made on how much and where that trust should be placed.
“Further, there is a misunderstanding in the capabilities of security tools without continued managed response. Of course, this is understandable considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily,” he says.
“Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one and done’ solution for an ever-changing landscape.”
Additionally, it was found that while organizations use an abundance of elements in their defense programs, just over one in five currently have the benefit of specific cybersecurity insurance cover (23%). Only 20% of IT and security professionals who say their security operations are cyber mature have cyber insurance. By industry, hospitality (10%), not-for-profit (13%) and transportation (17%) are the least likely to have such insurance, whereas it is more prevalent in sectors such as technology and communications (34%) and education (27%).
However, two-thirds of companies in these sectors still do not have any form of cyber insurance. With the prevalence of cyber incidents in the past year, cyber insurance should not be overlooked nor dismissed by organizations.
Lester Lim, Associate Managing Director, Cyber Risk, Kroll, adds, “To become fully cyber resilient, organizations need to continually assess their cybersecurity risk posture and ensure it is not only all-encompassing and holistic, but appropriate in an ever-changing world. In addition to keeping current on evolving cyber threats and gaining a comprehensive understanding of what their security tools can defend against – and thus position the relevant tooling in response.
“Organizations should also consider cyber insurance as a risk transfer mechanism – a crucial complement in the current cyber risk landscape. Though insurance costs for cyber-related risks have risen materially in recent years, companies may be able to mitigate higher premiums and increased deductible limits arising from tighter underwriting and reduced cover by appropriately preparing for a more rigorous renewal process by focusing on controls.”
Additional findings of the report include:
- Senior IT security decision-makers in APAC are less trusting, with only 30% reporting that they “completely” trust their organization is protected and can successfully defend against most or all cyberattacks. This is lower than the 37% reported globally.
- The causes of mistrust vary: respondents in different markets gave different reasons for the depreciation of trust in organizations, with blame culture (56%) reported as the main cause in Japan.
- 100% of respondents agree that there is a cost to a lack of trust, which can be far-reaching and varies across organizations.
- Japan experienced slow incident response as a top consequence.
- Companies in Japan rank the lowest in terms of having cybersecurity insurance cover, with only 16% indicating that they are covered. However, this is not far behind the global level, where just over one in five currently have the benefit of specific cybersecurity insurance cover (23%).