As organizations scramble to defend their mountains of data against cyber attacks and the constant stream of new malware, companies of all types are investing in and evaluating cybersecurity tools and practices. Gartner predicts that security spending is expected to reach $90 billion this year. But despite this huge spend, a recent study from Gemalto, an enterprise security company, found that organizations have a false sense of confidence in their security practices, creating what Gemalto calls a “breach gap.”
According to the Gemalto report, Mind the Breach Gap, 94% of respondents say they think that their perimeter security is quite effective at keeping unauthorized users out of their network, and 76% have increased their investment in perimeter security over the past five years.
Despite their confidence and investment, nearly a third (28%) of respondents’ organizations have seen their perimeter security breached within the past 12 months, and 65% are not extremely confident that their data would be secure if someone did breach the perimeter.
What’s probably most disturbing is one in seven (14%) surveyed IT decision makers admit that they would not trust their own organization to store and manage their personal data.
Jocelyn Aqua, privacy and cybersecurity principal for PwC, says she was surprised to see similar findings of “security overconfidence” in their own research.
The PwC 2017 Risk in Review survey found that only 9% of respondents said they have high or very high cyber risk maturity despite respondents’ claims of response effectiveness indicating that cyber risk was one of the most improved areas of risk when compared to past survey results.
“Respondents said they had effective cybersecurity,” says Aqua, “yet they remain defensive about cyber risk.”
Gemalto CTO and VP for Data Protection, Jason Hart says part of the reason for this “breach gap” – the idea that organizations think their data is more secure than it is – is because organizations don’t fully understand the motivations behind a breach.
“There’s still a lack of understanding from organizations that it’s the data [threat actors] are after,” says Hart. “We’ve mostly seen confidentiality breaches, when a threat actor gets the data they share it, sell it, etc. What people misunderstand, is that a confidentiality breach is just the start of the problem,” he says.
Marc-Roger Gagné, cybersecurity advocate for Gagné Legal Services in Canada says that part of this misunderstanding in cyber protection, or overconfidence comes from a lack of security knowledge in the C-suite. “The average CEO age is over 60. The level of [security] comprehension is not there and it’s not the same culture, but there is a shift because [executives] are understanding that the litigation cost [for] any data that is compromised.”
Hart says that one way to remove the veil of security overconfidence is to ask your IT team these simple questions, “What am I trying to protect? Where is it? What am I trying to protect it from?” and then go back to the fundamentals of security: Encryption, key management, authentication (multifactor) multi-factor authentication. “By taking that approach, you can apply the appropriate investments,” he says.