Interior of modern boardroom with black armchairs showing executive commitment and cyber complacency

Managing the Lull: Overcoming Cyber Complacency When Things Seem Quiet

In 2020, cybersecurity professionals faced myriad new challenges. Yet while pandemic-related security threats are ongoing, there is a growing risk of complacency among senior executives, employees, and other stakeholders, particularly in organizations that have not experienced a recent significant breach – or that have experienced a breach and are not yet aware of it.

Often, most senior executives and non-IT employees encounter evidence of risk only in statistics, articles, vendor ads, and third-party anecdotes. With no immediate, first-hand evidence to point to, cybersecurity executives’ warnings can lose their effectiveness.

After more than a year of turmoil and tension, how can cybersecurity leaders keep their teams alert, convince other stakeholders to stay committed, and overcome the natural human tendency to begin relaxing defenses? The effort requires initiatives across three broad areas.

Maintaining senior-level focus and commitment

Traditionally, cybersecurity professionals have communicated risks to senior executives using examples drawn from outside the organization. Pointing to high-profile breaches that caused millions of dollars in direct costs and reputational damage can help the security team demonstrate pervasive risks, but such examples do not necessarily convey a breach’s potential impact within the organization or help executives accurately judge levels of exposure or preparation.

Annual cybersecurity assessments by the internal audit team or third parties help close this gap by identifying the risks, measuring the strengths of the company’s controls, and assessing its level of compliance with recognized standards. Often, however, senior-level executives struggle to give proper context to technical risk and performance indicators, and they find it difficult to use such metrics to guide their decision-making.

Today, a growing number of organizations use financial exposure analytics and risk quantification tools to improve communication with top-level decision makers. Such tools help translate high-profile incidents and threats into a quantifiable risk, taking into account the current state of an organization’s cybersecurity program.

By providing an objective, quantitative measure of risk and return – in other words, by “putting a number to it” – these tools can help executives understand the probability and potential financial impact of specific threat scenarios so they can make informed determinations about how to manage or transfer specific risks, prioritize various initiatives, and allocate resources. At a higher level, such tools also help the executive team better understand cybersecurity in the context of the overall business strategy.

Counteracting employee complacency

Of the two fundamental components of a cybersecurity program – technology and people – the human element  is usually the weaker link. Without direct visibility into breach activity, rank-and-file employees can be lulled into a false sense of security, making them vulnerable to phishing attacks and other schemes that take advantage of human nature.

Increased training and testing can help maintain awareness and keep employees alert, but even the best communication program has limits. People become numb to repeated messages about cybersecurity threats and begin to tune out.

In addition to developing new ways of communicating cybersecurity threats to employees, successful programs turn to the other element – technology – using tools such as identity access management controls and network segmentation to limit the risk. By restricting employees’ and other visitors’ access to areas of the network that are not relevant to them, limiting the amount of time intruders can stay within the system, and preventing attackers from elevating their initial access into other, more sensitive areas, such tools function as virtual firewalls, containing the damage if an employee inadvertently allows a threat actor to breach the perimeter.

Building internal strengths and capabilities

In 2020, the rapid transition to remote working arrangements, coupled with the other sudden operational changes, put cybersecurity teams to the test. After such a tumultuous year, now is the time to refine any impromptu methodologies that were introduced as part of the initial pandemic response. Many of the temporary pandemic-driven measures could become permanent, so it is important to get the relevant security components fine-tuned and documented.

Security teams should pay special attention to drastic shifts in how organizations interact with customers, suppliers, and third-party providers. The suddenly accelerated move to cloud-based systems and services means data is moving out of organizations more rapidly than it was a year ago. This shift makes it imperative to sharpen data loss prevention tools to reduce data leakage.

Cybersecurity is a dynamic discipline, with new threats and increasingly sophisticated tools and methods appearing almost daily. While they maintain focus on day-to-day detection and prevention operations, security teams also should enhance and update their threat modeling and scenario testing capabilities.

After more than a year of turmoil and tension, how can #cybersecurity leaders keep their teams alert, convince other stakeholders to stay committed, and overcome the natural human tendency to begin relaxing defenses? #respectdataClick to Tweet

Just as still surface waters can hide powerful currents below, an apparent lull in cyberattacks can mask growing vulnerabilities. Staying up to date on the changing threat landscape and evolving regulatory environment while also researching and testing new defensive tools requires consistent vigilance and effort.


Principal at Crowe
Principal at Crowe