How Overconfidence Can Lead to Lax Cybersecurity

By Dwight Davis

Do you have confidence that your in-house security personnel have the knowledge, experience and technology to defend against cyberattacks? If so, there’s a chance that you may be fooling yourself.

Consider: In a 2016 survey that spanned eight countries, the McAfee unit of Intel Security found that 82 percent of the respondents reported a shortage of cybersecurity skills. Even worse, 71 percent said this skills deficit was causing direct and measurable damage to their organizations.

Then, early this year, the industry organization ISACA found that one in four of the companies it surveyed said it could take six months or longer to fill their high-priority cybersecurity and information security positions. Only 59 percent of the surveyed companies said they received at least five applications for each cybersecurity opening, compared to receiving 60-250 applications for most other corporate jobs.

Exacerbating this skills shortage is the constantly evolving cyberthreat landscape. New forms of threats, such as ransomware, combined with new vectors of attack, including mobile and Internet of Things (IoT) devices, make for a dicey cybersecurity scene. Layer on top of that the massive growth of sensitive corporate data and the critical role of data in today’s business world, and the potential risks and consequences of breaches skyrocket.

Consider just a few data points contained in the AT&T Cybersecurity Insights report:

  • Global internet traffic surpassed 1 zettabyte – or 1 trillion gigabytes – in 2016, and business traffic is predicted to grow 18 percent annually through 2020.
  • A 2015 analysis found that 7.5 percent of Wi-Fi networks were either malicious or used to mount a network attack during that year.
  • In the first half of 2016, AT&T saw a 400 percent increase in scans of IoT ports and protocols across its network – a clear sign that IoT devices were being recruited for DDoS attacks or other illicit activities.

Even organizations with fully staffed security operations centers can struggle to keep pace with the growing diversity and volumes of cyberattacks. And, as the skills shortage surveys suggest, fully staffed SOCs are becoming more the exception than the rule.

To be sure, gaps in security skill sets can be offset somewhat by cutting-edge threat detection and response technologies, which increasingly automate tasks that security analysts once had to do manually. Indeed, the volume and diversity of cyberthreats require such technological solutions, even when companies have extensive in-house talent.

Beyond technological bridges that span skills gaps, growing numbers of organizations are turning to outside consultants and managed services providers. MSPs and other providers of cloud-based security solutions make it a high priority to hire top-level security experts, and can then spread the knowledge and experience of these experts across a wide client base. Last year, an IDG Enterprise study found that 73 percent of the companies surveyed had already adopted at least one cloud-based security component.

Given a future in which the supply of cybersecurity talent will almost certainly continue to fall well short of the demand, companies should prepare to depend increasingly on automated security solutions as well as on third-party expertise and cloud-based services. What companies must guard against – beyond the cyberthreats themselves – is a false sense of security, thinking that their in-house employees can counter every threat they’re likely to face.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.

Stay tuned for the new Cybersecurity Insights Report Vol 6, Mind the Gap: Cybersecurity’s Big Disconnect, available on October 30, 2017. Meanwhile, catch up on past reports, vol. 1-5, to learn what you can do to help strengthen your defenses across your business.


Copyright © 2017 IDG Communications, Inc.