EXECUTIVE SUMMARY:
Cyber security complacency is a common catalyst for breaches. Complacency can undercut your business quickly and can cause irreparable business harm. Complacency is especially insidious in moments of seeming internal quiet or when cyber security incidents seem like distant statistics. Disrupting cyber security complacency is a non-trivial pursuit in protecting your enterprise.
As many as 65% of IT security decision makers perceive their organization as complacent in regards to the protection of client data. The hidden dangers of complacency are real. Recall the story of the frog that sits in a pot of water, which is slowly boiling. The frog fails to realize his peril until it’s too late.
What is cyber security complacency?
Cyber security complacency is similar to physical security complacency, which refers to maintaining the status quo despite shifting constraints, parameters and an evolving threat landscape. Complacency can reflect a form of overconfidence, or a form of apathy when it comes to pursuing higher standards or stronger achievements. Alternatively, it can reveal a certain level of desensitization towards cyber threats. Signs of cyber security complacency include:
- Overconfidence in a cyber security strategy
- A “good enough” security mentality
- A ‘stick-with-what-we-know’ culture
- Reluctance to let go of outdated processes, solutions and technologies
- Data breach fatigue, which appears increasingly common due to an ever-growing number of cyber threats
- Lack of recognition around new IT hiring needs
- Apathy towards cyber security responsibilities
In some cases, the complacency has little connection to the IT or security teams. Rather, complacency can occur at the executive-level, where little incentive may exist to invest in new computing and cyber security technologies. Regardless of the starting point or precisely how complacency shows up, it ultimately leads to stagnation. This gives opportunities to threat actors.
Why it matters
In 2011, complacency resulted in the Deepwater Horizon drilling rig fiasco, which ultimately led to the deaths of 11 individuals, and injuries among 126 people. Beyond that, the corresponding oil spill required three months’ of clean up. “Poor risk management” –an alternative way of referring to complacency- was the culprit, stated a federal report.
Failing to properly secure intellectual property, consumer data, employee information or other resources can result in millions of dollars in profit losses. In addition, organizations that experience security breaches suffer reputational damage, which precipitates more profit losses. Further, serious cyber breaches mean that your competition might win out. Who chooses to work with an organization that does not seem to keep business data out of harm’s way?
On top of that, organizations that experience a data breach due to complacency around non-compliance with GDPR (General Data Protection Regulations) may see legal and financial penalties. Organizations may have to pay as much as 4% of annual global turnover or 20 million Euros (whichever is greater) for violations. There is no excuse for or latitude around complacency.
Combatting complacency: Increasing employee investment
As many as 84% of CIOs believe that a cyber attack is inevitable. This belief could lead CIOs to resign themselves to this version of reality. Alternatively, it could result in a resolution to improve cyber security. Either way, data protection has never been more mission-critical. The tactics below can help you overcome complacency within your organization:
- Every data breach -whether yours or another firm’s- presents an opportunity to learn something new. The trick is to instill this thinking into your team as to avoid complacency.
- Provide positive feedback for non-complacency; new ideas, executing on new projects in a timely manner…etc.
- Consider means of rewarding your team for good security decisions.
- Implement weekly touch points to reinforce that everyone is responsible for security.
- Invite your team to think; so much of work revolves around ‘doing’ that we often. overlook the importance of quiet thinking.
- Invest in your employees’ education around security; whether that includes coursework or the occasional news article that sparks fresh ideas and conversations.
Secure system design
Ensure that your organization has a secure system design and an on-point security strategy by developing an agile and dynamic cyber security culture. In DevOps, and DevSecOps environments, secure software design requires adhering to the latest best practices. Encouraging everyone to stay current regarding technology development can guide your organization towards a more proactive and less reactive cyber security approach.
Other ways to fight cyber security complacency
- Ensure that your organization maintains a strategy for defending against the latest threats.
- Expand and update existing cyber security infrastructure.
- Focus on the analytics within your security monitoring software; see what areas of your security can be improved upon.
- Reevaluate cyber security policies and update them in accordance with technology developments.
- See to it that IT professionals assess the cyber security of third-party suppliers.
- Reevaluate whether or not your organization needs cyber insurance, and explore new vendors.
If your organization already owns a complete security architecture and meticulously adheres to every security best practice, complacency can occur due to erroneous thinking that you’ve done everything possible. For better or for worse, when it comes to security, there is nearly always more to be done.
In conclusion
Not only are cyber attackers threats. Complacency also represents a threat. Don’t just settle for “good enough.” Motivate your team/s and transform your cyber security culture. We’re seeing more cyber attacks than ever before, and now is the time to make your security part of your success story.
Although your organization may have managed to avoid breaches thus far, your organization is not immune to them. Developing a cyber security attitude and environment that bucks trends around complacency can help you offer better products/services and ensure the sustainability of your enterprise.
“Complacency is the last hurdle standing between any team and its potential greatness,” says former National Basketball Association Coach and player, Pat Riley.
For more information about avoiding complacency and increasing security in the retail sector click here. For cyber security principles and best practices that can help remote employees and employers click here. Lastly, sign up for the Cyber Talk newsletter here.