The cybersecurity overconfidence trap

Research finds that more than half of businesses are overconfident in their security

by Jacob Hill, Lead Marketing Manager, Security, AT&T

In today’s business world, two million new malware attacks are launched every day. By 2019, cybercrime is projected to cost businesses worldwide over $2 trillion.

With statistics like those, it’s hard to believe any organization could feel overconfident about their cybersecurity. But according to a recent IDC study sponsored by AT&T, the majority of businesses do.

Passive, Reactive, Proactive and Progressive

For the report, Cybersecurity Readiness: How "At Risk" Is Your Organization?, IDC surveyed over 800 C-level IT and line-of-business executives in large and mid-sized companies around the world. Focus groups supplemented the survey.

In the course of their research, IDC identified four distinct levels of preparedness against cyberattacks.

  • Passive: In a company with a Passive security stance, there’s little C-level involvement. Policy and procedure reviews are infrequent, as are third-party risk assessments. Breaches go largely unnoticed.
  • Reactive: In Reactive organizations, the C-suite still relies on IT for security expertise. Reviews and risk assessments occur quarterly. These companies respond to breaches rather than anticipating them.
  • Proactive: C-level execs who pay closer attention to IT security run a more Proactive ship. While confronting current attacks, they also run monthly reviews and risk assessments to avoid future assaults.
  • Progressive: Organizations with deep C-suite involvement fall in the Progressive category. Accepting that breaches are inevitable, they work to reduce the value of data that might be taken. Reviews and assessments are ongoing, with third parties lightening the load for the IT team.


Just from reading those four categories, you probably have a better idea of where you could improve your cybersecurity readiness. Yet, when asked to rate their level of cybersecurity on a scale from 1 to 5 (5 being “extremely secure”):

  • 41 percent of the companies surveyed gave themselves a score of 5
  • 50 percent awarded themselves a 4 (“very secure”)

That leaves a mere 9 percent admitting they might have cybersecurity issues – even though 62 percent of the companies surveyed admitted to having been breached at least once in the past 12 months.


The sobering truth is that most companies are either Passive or Reactive – yet think of themselves as Proactive or even Progressive. IDC’s analysis reveals that only 47 percent fall into those last two categories, leaving more than half (53 percent) Passive, Reactive, and vulnerable.

Breaking down that 47 percent a little further, 31 percent can be considered Proactive, while a mere 16 percent qualify as Progressive.


For all the details and statistics, plus essential guidelines for strengthening your organization's security stance, view the full report, Cybersecurity Readiness: How "At Risk" Is Your Organization?

AT&T Cybersecurity Insights report

Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."

In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.