Our recent BitSight blog post Cyber Security Risk: Perception versus Reality in Corporate America resonated with many in the infosec community and was even picked up by WIRED’s Innovation Insights and cited in a Forbes article by Howard Baldwin. This week, we decided to revisit this topic to look at corporate optimism bias in the security posture of internal and third party networks and explore how organizations can overcome the limitations of perception by expanding visibility.
More and more surveys are confirming what we already know: many businesses are underestimating their potential for a breach or security event. A recent report from BAE Systems Applied Intelligence reveals just how optimistic some leaders are when it comes to information security. Of the executives surveyed, a whopping 88% expressed confidence in their organization’s ability to defend against a cyber attack. Our own analysis of the S&P 500 found that over 80% of companies showed evidence of external security events, and a large number had improperly configured SPF records and SSL certificates. Clearly there is a disconnect here. When it comes to understanding IT risk in comparison to competitors and industry peers, it seems that some companies fall back on psychological assurance rather than quantitative measurement of risk.
But if organizations are so confident in their own security posture, does this optimism bias extend to third party business relationships? This is a particularly important question as the outsourcing trend continues to grow. In a 2013 study on third party risk management by The Institute of Internal Auditors Research Foundation (IIARF), 65% of surveyed organizations classified their reliance on third parties as “significant” or “extensive”. Recent breaches emphasize the risk that these third parties can bring. Target’s breach is blamed on its HVAC contractor, Bright Horizons’ breach on its payment processor. Even the most recent breach at the California DMV was likely the result of a vulnerability on a payment card processor’s network. While the risk associated with sharing data among partners is well known, there is worrying evidence that this optimism bias permeates the perception of third party security postures as well.
A recent academic study in the journal Computers & Security titled “Unrealistic optimism on information security management” notes that business leaders see partner networks as more secure than those of an average company. The authors of the study write, “... directness of connectivity with a comparison target influences the extent of this bias. Executives perceived that their risk is significantly lower than an average company’s risk but is similar to their business partner’s risk.” So instead of viewing business partners and vendors as an “average” company with “average” risk, executives often perceive them as having a security posture in line with their own, which likely means better than most.

While standard best practices and a comprehensive security program should give risk managers confidence, overestimating security performance relative to peers and in third party networks can undermine an organization’s understanding of the full scope of the threats it faces. Implementing tools and methods for benchmarking internal performance against industry peers and for monitoring third party networks can give an organization drastically expanded visibility into its potential risk by helping to establish what normal performance looks like and what causes fluctuations. In order to overcome bias in perception, businesses should be looking to gain visibility through data that gives them a clearer picture of the risks.