US firms overconfident in their cybersecurity preparedness

25 July 2018 3 min. read
More news on

A new survey finds that American firms overrate how prepared they are for a cyberattack. Research and consulting firm Ovum found that 68% of US firms believe they have better-than-average cyber-readiness for their industry.

As humans, we often overrate our own abilities, with more than 50% of a group thinking they’re above-average at some task, like driving or cooking or what have you. This particular cognitive bias is called illusory superiority, and has been reinforced in the findings of numerous social psychology studies in the US. Basically, people generally think they’re more competent or better at things than they are.

It appears that the same applies to businesses and their perceptions of their own cybersecurity preparedness. According to a survey from research and consulting firm Ovum conducted for analyst firm FICO, 68% of US firms think that they are above-average or a top performer in terms of their cyber-readiness. Clearly, illusory superiority or a lack of ability to assess their objective competency is at play, but US firms weren’t even the worst offenders in terms of cyber-hubris. 88% of Indian firms surveyed said they were above-average, while in Canada and the Nordics the rate was 84%.

This confidence exists despite the fact that successful cyberattack frequency is likely to increase in the future, and is often identified as a top concern by CEOs. The shift of vast quantities of data into the digital sphere incentivizes attackers to ransom or steal sensitive info. The stakes are higher than ever, with attacks capable of grinding business operations to a halt, destroying public confidence in a firm, and causing huge financial damage. How cyber-ready do US organizations think they are compared to their competitorsPower and utilities firms were the most confident US industry, with 86% rating their cyber-readiness as above-average. Telco firms were the second-most confident, with 72% believing they were above average in their cybersecurity measure; a full 50% said they were ‘top performers’ in the industry, while 22% said their firms were above-average. Financial services firms were the most realistic in their self-appraisal, with 60% saying they were above-average or top performers.

"Firms have a lot to lose when it comes to their privacy and security risk and must have an accurate picture of how protected they really are," commented Doug Clare, vice president for cybersecurity solutions at FICO. "These figures point to the fact that many firms don't know how they compare to their competitors, which could lead to an under-investment in cybersecurity protection.”

According to FICO, the over-optimism could be a symptom of lacking objective and ongoing cybersecurity measurement. The survey results found that only 37% of firms were using more than a point-in-time measurement of cybersecurity preparedness. Furthermore, 20% of firms in financial services, retail, and e-commerce were found to have a complete lack of a robust assessment program.

FICO – an industry leader in credit score provision and credit card fraud protection systems – believes their Enterprise Security Score can more accurately help firms appraise their state of preparedness. The score is a machine-learning based rating service that shows companies how cyber insurance underwriters and business partners rate their network security – allowing for a benchmark of performance.

“Based on the survey results, many organizations would be surprised by what an objective view from the FICO Enterprise Security Score could tell them about their relative levels of cyber risk," Clare added.