How overconfidence can lead to lax cybersecurity

Find out why relying on in-house security personnel could be problematic

by Dwight Davis

Do you have confidence that your in-house security personnel has the knowledge, experience and technology to defend against cyberattacks?

If so, there’s a chance you may be fooling yourself.

Consider this: In a 2016 survey that spanned eight countries, the McAfee unit of Intel Security found that 82 percent of the respondents reported a shortage of cybersecurity skills. Even worse, 71 percent said this skills deficit was causing direct and measurable damage to their organizations.

Early in 2017, the industry organization ISACA found that one in four of the companies it surveyed said it could take six months or longer to fill their high-priority cybersecurity and information security positions. Only 59 percent of the surveyed companies said they received at least five applications for each cybersecurity opening, compared to receiving 60-250 applications for most other corporate jobs.

Exacerbating this skills shortage is the constantly evolving cyberthreat landscape.

New forms of threats, such as ransomware, combined with new vectors of attack, including mobile and Internet of Things (IoT) devices, make for a dicey cybersecurity scene. Layer on top of that the massive growth of sensitive corporate data and the critical role of data in today’s business world, and the potential risks and consequences of breaches skyrocket.

Consider just a few data points contained in an AT&T Cybersecurity Insights report, The CEO’s Guide to Data Security:   

  • Global internet traffic surpassed 1 zettabyte – or 1 trillion gigabytes – in 2016, and business traffic is predicted to grow 18 percent annually through 2020.   
  • A 2015 analysis found that 7.5 percent of Wi-Fi networks were either malicious or used to mount a network attack during that year.   
  • In the first half of 2016, AT&T saw a 400 percent increase in scans of IoT ports and protocols across its network – a clear sign that IoT devices were being recruited for DDoS attacks or other illicit activities.

Even organizations with fully staffed security operations centers can struggle to keep pace with the growing diversity and volumes of cyberattacks. And, as the skills shortage surveys suggest, fully staffed SOCs are becoming more the exception than the rule.

To be sure, gaps in security skill sets can be offset somewhat by cutting-edge threat detection and response technologies, which increasingly automate tasks that security analysts once had to do manually. Indeed, the volume and diversity of cyberthreats requires such technological solutions, even when companies have extensive in-house talent.

Beyond technological bridges that span skills gaps, many organizations are turning to outside consultants and managed services providers (MSP). Providers of cloud-based security solutions and other MSPs make it a high priority to hire top-level security experts, and can then spread the knowledge and experience of these experts across a wide client base. Last year, an IDG Enterprise study found that 73 percent of the companies surveyed had already adopted at least one cloud-based security component.

Given a future in which the supply of cybersecurity talent will almost certainly continue to fall well short of the demand, companies should prepare to depend increasingly on automated security solutions as well as on third-party expertise and cloud-based services. What companies must guard against – beyond the cyberthreats themselves – is a false sense of security, thinking that their in-house employees can counter every threat they’re likely to face.

AT&T Cybersecurity Insights report

Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."

In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.