Kroll's "2023 State of Cyber Defense" report includes some noteworthy findings about today's cybersecurity landscape. First, despite experiencing an average of five significant security incidents last year, only 37% of senior security executives have "complete" faith in their organization's ability to shield against all forms of cyber threats. Second, security teams rely on multiple cybersecurity tools to curtail the frequency of breaches and attacks. However, Kroll's research showed that more security installations translated to a higher number of cybersecurity incidents. Third, and most striking, organizations tend to place more trust in their employees than in their security teams when it comes to detecting, countering, and repelling cyberattacks.
Why Misguided Trust Can Be Dangerous
Without doubt, trust is absolutely critical in cybersecurity. It is impossible to attain a robust cybersecurity posture if organizations do not trust or have confidence in their security strategy, tools, and teams. But excessive or misguided trust can pose serious security risks. For instance, according to Kroll's study, assuming multiple security solutions will prevent cyberattacks and breaches is a big mistake.
A different Kroll report, the "2023 Q1 Threat Landscape," reveals that phishing is the No. 1 initial access method, and adversaries regularly leverage phishing to infiltrate and infect organizations. Regardless of how good your defenses are, if cybercriminals successfully phish employees (trick them into downloading malware, sharing credentials, opening an attachment, or visiting a malicious website), they simply walk through the front door, circumventing best-in-class security controls and mechanisms.
Furthermore, blindly trusting that all employees have the same level of security maturity is also a big mistake. Whether employees will act responsibly towards a security threat depends on several factors. These include knowledge and awareness about the threat, alertness when the threat approaches, and commitment to protecting the organization. Being aware of the stop sign doesn't guarantee you'll stop.
How Organizations Can Mitigate the Risk of Misguided Trust
Below are some recommendations to help mitigate the risks associated with trust.
1. Don't Assume Employees Understand Security; Train Them
To effectively combat cyber threats, it is crucial not to assume that employees understand security. Implement regular training programs and phishing exercises to educate employees and cultivate a security "sixth sense" that enables them to identify suspicious messages. Explain how social engineering tactics manipulate users into divulging credentials or sensitive data. Educate staff on security best practices, including do's and don'ts, the importance of strong passwords, and the practice of pausing before clicking any links. Additionally, provide tools such as password managers and phishing-resistant multifactor authentication to help employees operate more securely. By investing in employee training and offering the necessary tools, you can strengthen your organization's security posture.
2. Build a Security Strategy Around Metrics and Goals
To build an effective cybersecurity strategy, set clear metrics and goals that align with your organization's security objectives. Begin with an assessment of where your valuable assets are located, the current security measures in place, and the existing security culture and behaviors. Identify the gaps between your current state and desired state, and develop policies, controls, and training programs to bridge these gaps. Establish milestones and define timelines to measure progress and ensure alignment with security goals.
3. Avoid Taking Cybersecurity for Granted
To effectively manage the evolving threat landscape, organizations must prioritize cybersecurity and establish clear, transparent, repeatable, and measurable processes, procedures, and policies. This helps prevent complacency and overconfidence in online behavior. Encourage collaboration and improved transparency among stakeholders, suppliers, and service providers to ensure timely and effective incident response. Avoid taking cybersecurity for granted by staying vigilant, proactive, and engaged with the ongoing security landscape.
4. Invest in a Holistic Strategy
When investing in security solutions, it's important to have a holistic security strategy that considers the triad of people, process, and technology. Simply relying on security tools is not enough, as threats are constantly evolving and can target vulnerable systems, devices, and code or even exploit gaps in security defenses. Regularly assess security risks, adjust security controls based on these risks, promote employee responsibility and accountability for security, and establish well-rehearsed processes to handle cyber incidents. By taking a comprehensive approach, you can better protect your organization against diverse and evolving threats.
Build a Bridge of Trust
Trust serves as the crucial bridge between security and people. It is important to recognize that trust has always been at the core of security. Can you trust your systems, people, and processes to be secure? If not, it's essential to take action and address any vulnerabilities.
Establishing trust involves ensuring the security of your systems, strengthening the skills and awareness of your people, and implementing robust processes. If trust is lacking, it's time to take the necessary steps to enhance your security measures.