Security attitudes are improving but most don’t want to take responsibility

While there is growing momentum in the cybersecurity world, this, ironically, might create a false sense of security, and a reality check every now and then is always helpful.

A survey from Microsoft and insurance broker Marsh has highlighted some progress in the cybersecurity world; however, there are still monumental risks which are worth highlighting. This is the encouraging but humbling point being made by the duo here. Perhaps one of the most worrying is the attitude that security is someone else’s responsibility.

Only 19% of large enterprise organizations believe they pose a risk to the supply chain, a belief which is certainly out of step with reality. It does appear these companies believe the responsibility of securing the ecosystem should be dealt with by someone else.

“Despite the decline in organizational confidence in the ability to manage cyber risk, we’re optimistic that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices,” Joram Borenstein, GM of the Cybersecurity Solutions group at Microsoft, wrote.

“Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.”

Cybersecurity as a topic is now being considered the biggest risk to the organization, and executives are playing a more prominent role in developing and communicating these strategies. However, there are some elements of cybersecurity which are going to have a negative impact on the business, as you can see from the images below.

The extracts from the survey are quite varied, but they do illustrate a few interesting points which we would like to make in regard to cybersecurity.

Firstly, the attitude of the business. With 50% of respondents suggesting the business benefits of new technologies outweigh the risks, customers (either corporate or consumer) have to understand this. Suppliers or providers are commercial businesses which aim to make money for owners or shareholders. The risk of cybersecurity is tolerable as decreasing this risk might be unfeasible commercially.

This is not necessarily a bad thing; we live in a capitalist society after all, and there is no such thing as 100% secure, though it is always worth remembering this nuance.

Another interesting element of the attitude towards cybersecurity risk is the evaluation of risk. Only 5% of companies are evaluating the cybersecurity threat at every possible element of the life-cycle, taking into account the periods both before and after purchase. Perhaps there is a belief that once a new technology or system has been installed it is safe, but this is of course not the case. It might also be down to the idea that some are passing on the responsibility of security and resilience.

This is perhaps a problem which is a hangover from a bygone era. The responsibility of cybersecurity has to be shared throughout the ecosystem. If anyone shirks this responsibility, the supply chain is potentially corrupted and the threat passed onto other organizations. This is the new connected society: risk is shared amongst partners, customers and suppliers.

Of course, the introduction of new technologies will only heighten the threats which are present; this is always the case when companies and/or individuals venture into the unknown. However, it does lead us onto the final point: regulation.

Only 28% of the respondents believe current laws and regulations are fit for purpose in today’s society. The sheer velocity and variety of new technologies being implemented will not help sluggish bureaucrats catch up either.

Although there are plenty of negative points to focus on here, the industry is heading in the right direction. There is more money being invested and attitudes are more focused, but the risks are becoming increasingly acute. Progress, but still persistent worries.