Even the ancient Greeks recognised the heady risk of overconfidence. Remember Icarus, who tumbled from the sky as a result of his hubris and complacency? While Icarus wouldn’t have known what to do with a digital device, his undoing can still teach us lessons in today’s internet age. In the ongoing battle against the cyber criminal, overconfidence could be our downfall, so don’t fly too close to the sun.
Earlier this year, research by the National Cyber Security Centre (NCSC) found that millions of people use easy-to-guess passwords for their online accounts; the most widely used password on breached accounts was 123456. This comes as cyber breaches gain power and prevalence, and more of our personal data and services are moving online. Namely, the stakes are getting higher and we aren’t being more careful.
Overconfidence online is a trend that has been corroborated by Nominet research: while over three quarters of adults claim they have enough knowledge to keep themselves safe online, only 29% of people even know what two-factor authentication (2FA) is, and even fewer use it. Worryingly, 24% of people don’t even bother to change their passwords when their online bank or utility provider is breached. Basic cyber hygiene is not being followed, yet we remain bullish.
Unfortunately, the attitude appears to be extending into businesses. In our new survey of CISOs, we found that 71% admit their organisation touts its cyber security robustness to partners and customers, despite more than a third (34%) of security professionals lacking confidence in their final choice of security solutions. Worryingly, less than a fifth of CISOs said the array of tech that makes up their security stack is 100% effective. Their confidence is low, yet business claims are not.
We already know that the role of a CISO is challenging; our recent report showed how they grapple with a lack of resources, budget, staff and – sometimes – support from the board for their security needs. CISOs are often overworked and stressed – could this explain why 20% of CISOs didn’t test the performance of their security stack once it is in place, or didn’t know if it was being tested?
As ever, these findings should be taken with a pinch of salt; we are still making progress compared to the situation five or even ten years ago. Cyber security is now a phrase the layman understands and uses, cyber attacks are becoming a recognised reality, and businesses actively hire a CISO or equivalent instead of leaving the task to a busy IT department. Businesses are also recognising that cyber security is not a peripheral issue but should be threaded into everything they do, right down to staff culture and engagement. It is an improving picture.
Additionally, we should recognise that the situation continues to change. Of the CISOs we spoke to, 76% think their organisation will invest more in cyber protection, with the top three areas for investment over the next three years being cyber monitoring (16%), cyber resilience (14%) and cyber governance (12%). This is certain to make a huge impact on the cyber security posture of companies and help ensure that confident claims of the business will soon be backed up by the resilient security measures a customers, investor or partner would expect.
I for one support confidence in new technologies. It is this very attitude towards the digital world that allows innovations and new technologies to be adopted and embraced in today’s rapidly changing times. That said, we must strive to recognise any mismatch between our beliefs and our actions, especially if other peoples’ data is involved, and proactively work towards keeping ourselves as secure as we say we are.