Even though cybersecurity trust is clearly an issue, some trust is also misplaced, with 66 percent of security leaders trusting employees more than their own teams to prevent cyberattacks.
Notably, despite an average of five major security breaches in the last year, a significant overtrust is evident, as 37 percent of these leaders fully trust their organization’s ability to fight cyberattacks. This high trust level, however, seems misguided, as only 4 percent of respondents reported no security incidents, emphasizing the disparity between the perception and the reality of cybersecurity threats.
Experts said that balancing this trust is crucial for elevating an organization’s security posture and preventing employee-led incidents.
Lack of communication emerges as the primary reason for trust loss, reported by 47 per cent of information security decision-makers. Most respondents (97 percent) expressed incomplete trust across all aspects of their organizations, posing potential risks. The cost of trust deficit is widely recognized, with a staggering 98 percent acknowledging its workplace implications.
Researchers also found that more cybersecurity incidents occur in organizations with a greater number of cybersecurity platforms. This suggests that an overreliance on security tools may not be beneficial and could hint at a lack of comprehensive threat understanding among security teams.
Interestingly, while 95 per cent of information security decision-makers feel that senior leadership doubts their security team’s defensive capabilities, there is a noticeable overconfidence within the security teams themselves.
This ‘over-trust’ could arise from a limited understanding of the full scale of what it takes to achieve true cyber maturity, coupled with a need for more resources to manage cybersecurity technologies. Thus, it emphasizes the need for better trust management and resource allocation in cybersecurity strategies.
A surprising revelation is the misplaced trust in employees over security professionals.
“Respondents find it easier to trust people (and their ability to help mitigate a vulnerability) than technology,” the report stated.
“While employees may be the first line of defense against a cyberattack, it cannot be assumed that they will avoid falling victim to a cyber incident. Of course, businesses need to have up-to-date and recurring cybersecurity training for employees so that they remain aware of potential threats. However, people are understandably fallible, and without the necessary technology in place, businesses will inevitably be woefully unprepared.”
More decision-makers (66 per cent) trust employees to thwart a cyberattack than they trust their security team to identify and prioritize security gaps (63 per cent). This misplaced trust even surpasses the faith in the accuracy of data alerts (59 per cent), the efficacy of cybersecurity tools and technologies (56 per cent), and the precision of threat intelligence data (56 per cent). Such a complex trust dynamic within organizations presents unique challenges in the quest for robust cybersecurity.
“To navigate the current threat landscape, trust is imperative. There needs to be trust in teams, trust in technology and its configuration, in intelligence sources, and with suppliers. However, there is a critical balance to be made on how much and where that trust should be placed,” said Pierson Clair, managing director of Cyber Risk at Kroll.
“Further, there is a frequent overestimation in the capabilities of security tools without continued managed response. Of course, this is understandable, considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily. Security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one-and-done’ solution for an everchanging landscape.”
