In an ideal world, cybersecurity should be deeply rooted in every organisation and permeate every action and decision from the top management to the staff on the floor.
There should be a thorough understanding of what the threat landscape looks like and how it evolves; how to address the threats; and how to react when an incident occurs. According to the surveyed consumer businesses, the vast majority believe that they are close to this ideal.
What does the survey show?
The respondents were asked to envision an ideal organisation where cybersecurity is deeply rooted; cyber and information security resources are adequate; and clear threat assessments and contingency plans are in place. They would then indicate how close their organisation is to this ideal on a scale from 0 to 10.
Almost 3 out of 4 respondents believe that their organisation ranks 7 or higher, while only 16% rank their organisation 5 or below.
As we help Danish consumer businesses assess and evaluate their cybersecurity maturity, we often encounter organisations which lack a well-informed understanding of the current cyber threat landscape, which generally lack both defence and response plans, and whose awareness training is sporadic or non-existent. This cannot be characterised as being close to the ideal cyber organisation depicted in the description above.
Considering some of the conclusions drawn from the survey so far, there are indications that a significant number of the respondents have a somewhat false sense of confidence in their own cyber defence.
This argument is supported by the findings of our report, as almost 1 out of 4 perceive the threat level to have remained unchanged during the last two years. This is further supported by the finding indicating that more than half of the respondents feel that they are only partly, or not at all, resilient in their supply chain when it comes to suppliers and new technology. Finally, this is also supported by the fact that 35% of the respondents only discuss cyber with the top leadership twice a year or less frequently.
The highlighted quote is a good example of a common pitfall that can lull businesses into a false sense of security and hinder them in establishing a secure cyber environment. Benchmarking your own defence against your peers does not necessarily tell you enough about your own defence efforts – especially not if the industry tendency is that cybersecurity is not a priority. Rating yourself below 5 out of 10, but doing okay compared to your peers, will presumably tell you more about the lack of defence among your peers than about the state of your own defence.
Generally, self-evaluations tend to paint too positive a picture compared to reality. This could also be the case with the surveyed consumer businesses, considering the respondents' rather positive self-evaluations. Our experience shows that respondents from IT often have a more positive view of the security situation than respondents from dedicated cyber teams.
The broader picture
It can be challenging to conduct a self-evaluation without painting too positive a picture of reality. Nevertheless, a correct understanding of your own starting point is crucial to recognising in which areas you need to improve and where you need to prioritise your budget, and to establishing a strategic direction for the future. Therefore, we urge every organisation to get an independent, external assessment of its security level that considers the most important cybersecurity parameters. We highly recommend that businesses have their security tested on a regular basis to confirm or dismiss their own assumptions.