Over-confidence can be costly, and that is especially true in the cybersecurity space. The current landscape of cybersecurity risk, and new rules from the U.S. Securities and Exchange Commission (SEC) on reporting have created an environment where companies need to be sure to test their response capabilities – and not risk letting them stagnate.
Over-confidence was identified as a major risk factor in organizations’ approach to cybersecurity in Kroll’s The State of Cyber Defense 2023 report. Responses from 1,000 senior security decision-makers globally show that confidence in employees to stop a cyberattack is ranked higher (66%) than trust in the accuracy of data alerts (59%) and in the effectiveness of cybersecurity tools and technologies (56%).
Added to this, the 2022 Kroll report, Cyber Risk and CFOs: Over-Confidence is Costly, highlights a sharp disconnect between CFOs’ high levels of confidence in their organizations’ cybersecurity abilities and the significant level of damage inflicted by cyber incidents. The report revealed that, while 87% of CFOs surveyed were overwhelmingly confident in their company’s ability to detect and respond to cyber incidents, most of the surveyed executives (61%) said that their businesses had suffered at least three significant cyber incidents in the past 18 months. This type of organizational cognitive dissonance can have significant consequences for businesses.
[Figure: Most Trusted Methods by IT and Security Decision-makers]
Within Four Days: A Major Challenge for Corporations
An excess of confidence in cybersecurity measures is not only a failure of organizational culture but a threat to business-as-usual. The risks are even greater due to the new SEC rule that marks a significant shift in how cyber breaches must be disclosed. Publicly traded companies will be required to publicize details of a cyberattack within four days of determining it is significant enough to have a material impact on the organization. It is vital that directors and boards do not simply focus on the short reporting period, but on what they need to do to prepare to meet the new requirements.
The assessment of ‘material’ is the key in this context. It implies that organizations can quickly, accurately and reliably assess the materiality of a cyber incident in the moment. Yet that is not necessarily easy. In the critical early hours of an incident there may be limited information on which organizations can base a materiality assessment, which makes the decision on whether to report problematic. The short time-frame for required reporting means that businesses do not have much time to decide how they will respond to a potential or actual incident. Without the relevant pre-authorized resources to support them, they may very quickly find themselves in trouble.