You’ve got over the ‘Denial’ and ‘Worry’; you’ve looked at your security processes and invested in technology as well as a Chief Information Security Officer (CISO).
What next? Sit back and relax? Unfortunately not.
Now you’re at the ‘False confidence’ stage of your cyber security journey — and that means you could be in a perilous position.
According to our report, ‘False confidence’ is the stage in your cyber security journey where you think you’re secure and therefore relax your defences. In today’s dangerous threat landscape, that’s not a good idea.
Sure, you might have employed a CISO, but are they actually qualified and experienced enough to guide your organisation, rather than just guard it? Yes, you have well-developed playbooks in case of an incident, but are they flexible enough to deal with threats that nobody’s even heard of? And, if you get hit by a ransomware attack, do you know if you’ll pay up? If not, who makes that decision?
These are all tough questions for your organisation to answer — but they’re necessary if you’re to move forward in your cyber security journey.
The question then is: what can you do to get over this false confidence?
The most important recommendation I can make is to check your assumptions.
Any area of your security that you’re confident with — look at it again.
Make sure your processes are flexible enough to change quickly when needed, i.e. if you acquire a new business. And remember that you’re only as strong as your weakest link, so make sure your policies are followed by your suppliers too (as they can act as backdoors for cyber criminals).
Last, but not least, make sure that your board and CEO lead by example — championing your security processes (and adhering to them).
It might sound like a lot of work, and it is. But get it right, and you’ll be on your way to the end of your cyber security journey. Before you get there though, you have to get through the next stage, which could be the most disruptive yet, and definitely will cause the most upset at your organisation. It’s called ‘Hard lessons’, and you can find out more about it in my next blog article.