Cybersecurity Hubris During the Work From Home Era

Ever since work-from-home (WFH) skyrocketed in March following COVID-19 pandemic lock-downs, corporate cybersecurity has taken a front seat in the growing conversation among IT leaders in businesses and organizations.

In June, Malwarebytes surveyed over 200 IT experts from companies of various sizes to determine how IT leaders had initially reacted to the pandemic and how they were planning their strategies moving forward. While a majority of respondents rated their organization’s WFH readiness at 7/10, this confidence did not match these exciting survey findings: 

  • 44% of the respondents did not provide cybersecurity training to the workforce
  • 45% did not perform security and online privacy analyses of software tools deemed necessary for the transition to WFH
  • 18% said cybersecurity was not a priority for their employees 

What explains the discrepancy between respondents’ perceived confidence in organizational readiness and the actual statistics on actionable steps organizations have taken? Two words: security hubris. Essentially, security hubris is overconfidence in the limited security measures deployed.

Let’s break this concept down a bit more as it’s a common theme we see when it comes to the pandemic response from organizations. Several components play into the disconnect between actual awareness of an increasing WFH trend and the organization’s perceived response. 

#1- Perception vs. Reality

The conundrum of security hubris is less a complete denial of the reality at hand and more a different perception of that reality. That is to say, respondents to this particular survey may very well believe their organization is 70% ready to handle the changing cybersecurity landscape amidst the pandemic; they may even be taking actionable steps towards that reality. Perfect IT security does not exist. Therefore, the perception that an organization is doing everything it can may be true, while the reality of the situation can also be true. An organization can believe it is prepared while not being sufficiently prepared.

#2- New Threat Landscape

Part of the disconnect between perception and reality in this situation is an ever-changing security landscape. Especially at the beginning of the pandemic, when WFH rates were unprecedented, many IT security teams were scrambling to make sense of the situation and stay even somewhat ahead of the change curve. How IT security teams perceived and weighed the threat of attacks was different from ever before; the necessary responses were different from ever before. The point is: everything was different. As IT security has learned to adapt, the disconnect between perception and reality has lessened but certainly still exists.

#3- Added Threats from Employee Mobile Devices

With a significant shift to work-from-home at the start of the pandemic, many organizations allowed employees to utilize personal mobile devices while working from home (nearly 70% of the 300 respondents surveyed in this study reported doing so). 

From the perspective of an IT department, teams that previously monitored just computers within a relatively safe and guarded organization network were now thrown into monitoring employee cybersecurity from home networks, and often on home computers and personal mobile devices. That’s a substantial additional cybersecurity landscape!

#4- IT Departments & Outsourced IT Companies May Be Stretched Thin

#3 plays into #4 heavily, as we just discussed. With a massively increased cybersecurity landscape, additional computers and devices to monitor, and a plethora of unsecured home networks to worry about, IT departments have been understandably spread thin in the thick of the COVID-19 pandemic. Departments that are stretched thin are frequently reactive rather than proactive. Lack of time and lack of human resources mean that departments are just trying to keep their heads above water, responding to threats as they happen and spending a less than ideal amount of time thinking about the broader landscape and what the organization is doing to pivot in the wake of the pandemic.

So if this is what causes security hubris, how do we prevent it? We’re happy you asked. 

First and foremost, individuals and organizations should be frequently self-evaluating and asking: how cyber secure are you (we)? Ask yourself these key questions: 

Are you using multi-factor authentication to log in to your business’s resources?

Are staff using a shared computer to log in to corporate resources?

When’s the last time your business’s IT security stack was evaluated for effectiveness? 

The big theme in preventing security hubris is self-awareness and proactive behavior. The more self-aware an individual or an organization is when it comes to their cybersecurity, the more secure they are, because they can take the realistic steps needed to better secure themselves.

Questions regarding your organization’s cybersecurity? Contact PK Tech here