- 95% of security decision-makers lack senior leadership trust in protecting firms
- Only 20% of security professionals with cyber-mature security ops have cyber insurance
Kroll, the leading independent provider of global risk and financial advisory solutions, announced the release of its report State of Cyber Defense 2023: The False-Positive of Trust.
In a statement the firm said the report surveyed 1,000 senior IT security decision-makers across eight markets including Singapore and found that organisations have nascent cyber defense strategies because of a lack of trust, which was perceived to be the biggest challenge in ensuring adequate cyber resilience.
It said security decision makers in Singapore also cited lack of communication in coordinating cyber teams for defense strategies as the top factor for depreciation of trust.
The report also dives into costs incurred for organisations from a lack of trust in the workplace, and unnecessary technology was ranked as one of the top consequences by organisations in Singapore (46%), it added.
Broader findings from the report reveal widespread mistrust across organisations, with information security decision-makers (95%) sharing that they do not feel senior leadership trusts them to protect their organisations from threats.
Additionally, the report identified other factors limiting the growth of cyber defense such as overlooked cyber insurance and explored how misplaced trust has wide-ranging impacts on how effectively businesses deal with cybersecurity challenges.
Kroll said this shows that the need for organisations globally to balance how much and where trust is placed when it comes to their cyber defense strategies: employees were trusted more (66%) than the accuracy of threat intelligence data (56%), which may lead to potential pitfalls in maintaining cyber vigilance.
James McLeary, managing director and global lead of Cyber Risk Advisory at Kroll said to navigate the current threat landscape, trust is imperative.
“There needs to be trust in teams, trust in technology, in intelligence sources, and with suppliers. However, there is a critical balance to be made on how much and where that trust should be placed,” he added.
“Further, there is a misunderstanding in the capabilities of security tools without continued managed response. Of course, this is understandable considering the sheer volume of data that security teams deal with and the number of cyber incidents businesses tackle daily,” McLeary said.
He added that security teams want solutions that will fix today’s problems, without appreciating the fact that there is no ‘one and done’ solution for an ever changing landscape.
The report found that while organisations use an abundance of elements in their defense programmes, only over one in five currently have the benefit of specific cybersecurity insurance cover (23%).
It said only 20% of IT and security professionals who say their security operations are cyber mature have cyber insurance.
By industry, hospitality (10%), not-for-profit (13%) and transportation (17%) are leading in the lack of such insurance, whereas it is more prevalent in sectors such as technology and communications (34%) and education (27%), it added.
However, findings from the report highlight that two-thirds of companies in these sectors still do not have any form of cyber insurance. With the prevalence of cyber incidents in the past year, cyber insurance should not be overlooked or dismissed by organisations., it said.
Lester Lim, associate managing director, Cyber Risk, Kroll, said, to become fully cyber resilient, organisations need to continually assess their cybersecurity risk posture and ensure it is not only all-encompassing and holistic, but appropriate in an ever- changing world.
“This is in addition to keeping current on evolving cyber threats and gaining a comprehensive understanding of what their security tools can defend against – and thus position the relevant tooling in response,” he added.
Lim went on to say that organisations should also consider cyber insurance as a risk transfer mechanism – a crucial complement in the current cyber risk landscape.
“Though insurance costs for cyber related risks have risen materially in recent years, companies may be able to mitigate higher premiums and increased deductible limits arising from tighter underwriting and reduced cover by appropriately preparing for a more rigorous renewal process by focusing on controls,” he said.
Additional findings of the report include:
- Senior IT security decision-makers in APAC are less trusting, with only 30% reporting that they “completely” trust their organisation is protected and can successfully defend against most or all cyberattacks. This is lower than the 37% reported globally.
- The causes of mistrust are varied, where different markets’ respondents thought differently about the reason that causes trust in organisations to depreciate, with blame culture (56%) being reported as the main cause in Japan.
- 100% of respondents agree that there is a cost to a lack of trust, which can be far-reaching and varies across organizations. Japan experienced slow incident response as a top consequence.
- Companies in Japan rank the lowest in terms of having cybersecurity insurance cover, with only 16% indicating that they are covered. However, this does not trail far from the global level, where just over one in five currently have the benefit of specific cybersecurity insurance cover (23%).
To understand more about the key insights and market findings of the State of Cyber Defense 2023: The False-Positive of Trust report, read the full report here.
The report was commissioned by Kroll and conducted by Vanson Bourne. It surveyed 1,000 senior IT security decision-makers in Q1 of 2023 from the following markets across Asia Pacific and globally: Hong Kong, Singapore, Japan, USA, UK, Ireland, Spain, Italy and Brazil.