For the last couple of years, cybersecurity has been making headlines around the world. From matters of national security, to widespread ransomware attacks that have crippled hospitals and businesses alike, to the Equifax breach that affected millions of private citizens, it’s become evident that cyber threats are nothing to sneeze at.
While the world has begun looking at cyber attacks and other types of cybercrime more seriously, it would appear that measures to prevent them aren’t being taken seriously enough. SolarWinds MSP’s 2017 Cybersecurity Preparedness survey found that an overwhelming number of businesses in both the U.S. and U.K. are actually overestimating how ready their organizations are when it comes to preventing and combatting breaches. The survey contains responses from professionals representing 400 businesses, equally split across the US and UK, and between SMBs and enterprise organizations. SolarWinds found that:
- 87 percent of businesses are “confident” in their cybersecurity preparedness
- 59 percent of businesses actually believe they are safer this year than they were last year
- 61 percent of businesses think they’ll be safer and stronger next year as they see growth in their cybersecurity budgets.
This confidence isn’t a bad thing on its own. If 87 percent of businesses actually were prepared to effectively thwart and respond to cyberattacks, that would be great — unfortunately, SolarWinds’ second set of numbers shows that this confidence is misplaced. The report also found that, in the last 12 months:
- 31 percent of businesses reported incidents of DDoS (distributed denial of service) attacks or fraud
- 31 percent of businesses reported a malicious insider attack
- 28 percent of businesses reported a ransomware attack
- A whopping 71 percent of businesses experienced at least one breach, which is up from 29 percent in the year prior
If we do the math, only 29 percent of businesses escaped a breach in the last year. Even in the best case, where every one of those 29 percent is among the 87 percent who called themselves confident, the remaining 58 percent of all respondents were both breached in the last year and “confident” in their preparedness against breaches. That is roughly four out of five of the businesses that were actually hit.
Those with analytical minds will point out that businesses hit last year may have upgraded technology or increased staffing in response to the breach, which would justify a rise in confidence now. The rest of the SolarWinds report shows that this is not what happened.
The 7 Deadly Cybersec Sins
The full text of the report concluded that there are seven reasons why businesses are falling short in cybersecurity preparedness. For businesses to actually be as secure as they are confident, they’ll need to refrain from falling into these traps:
- Inconsistency in enforcing security policies. It’s not enough to have security policies; you have to check them regularly and enforce them consistently, or they exist in name only. Only 32 percent of respondents could claim their security policies are reliably applied and regularly audited. Of the rest, 43 percent enforce them only occasionally, 17 percent fail to audit whether they are still suitable, and 7 percent have no policies at all. Overall, SolarWinds found that 68 percent of respondents don’t reliably apply or audit their security policies.
- Negligence in the approach to user security awareness training. With employee negligence and human error topping the list of reasons companies experience breaches, this should be a top priority. Unfortunately, only 16 percent of respondents considered user security awareness training a priority, while almost as many (13 percent) admitted they do nothing at all. The remaining 71 percent either cover security awareness once during employee onboarding or reinforce it once a year. SolarWinds likens this to “paying lip service”, because training that isn’t ongoing is largely ineffective.
- Shortsightedness in the application of cybersecurity technologies. The report’s top nine cybersecurity technologies are web protection, email scanning, and anti-malware (each used by 50 to 61 percent of respondents), along with security information and event management (SIEM), firewall rules, monthly and weekly patch management, hardened workstations, and intrusion detection systems. Only 25 percent of businesses used network and/or host intrusion detection systems. Ultimately, six of the nine top technologies are deployed only by a minority, fewer than 31 percent of respondents.
- Complacency around vulnerability reporting. 51 percent of respondents (optimistically) rated their vulnerability reporting “adequate”, and a further 29 percent called it “robust”. 19 percent have no reporting whatsoever, and 11 percent said they don’t plan to add it. Yikes.
- Inflexibility in adapting processes and approach after a breach. Of the 71 percent of respondents that experienced a breach in the past 12 months, only 44 percent implemented new technology and only 41 percent implemented new processes afterwards. This is why it’s hard to believe that businesses are anything but overconfident in their preparedness: more than half of those that experienced a breach are doing nothing different after the fact.
- Stagnation in the application of key prevention techniques. SolarWinds lists nine key prevention techniques, including full disk encryption on mobile and portable endpoints (the most widely applied, used by 43 percent of respondents), basic logging of authenticated users’ activity (41 percent), and application whitelisting (the least applied, used by only 27 percent of respondents).
- Lethargy around detection and response. Because even the best business cybersecurity systems are fallible, every business should be concerned about optimal detection, response, and resolution times. Unfortunately, only 44 percent of businesses actually improved in these areas, while 32 percent remained the same, and 24 percent saw decreases.
It’s important to note that all of this is compounded by the fact that open cybersecurity positions are hard to fill. Maryville’s Online Resource Center estimates that a growing skills shortage will leave 1.5 million of 6 million cybersecurity jobs unfilled in 2019. This means that by the time business confidence in cybersecurity wanes, the people needed to fix the problem may not be there to hire. Those who employ effective cybersecurity staff early and hold on to them will benefit most.
While this is a lot of information, it’s crucial that businesses understand that they are likely not up to par in cybersecurity, even if they think they are. Confidence is a strength; overconfidence is a weakness. Malicious actors are counting on you to believe that everything is peachy so that they can carry out their attacks and take you for everything you have.
The truth is that in cybersecurity, most businesses are their own worst enemies. Invest in your own protection, and don’t be made a fool of. Take a good, hard, honest look at your cybersecurity measures, and reevaluate whether you and your employees are truly protected. Hubris will be your downfall, humility your salvation. While intense self-scrutiny may be uncomfortable, it may also be the one thing that saves your skin in the future.