The Danger of Overconfidence in Cybersecurity
There’s something positive about a healthy degree of fear. It lets us understand our own limitations, heightens our senses, and keeps us alive. The tendency to err on the side of caution was called out in our recent 2023 Penetration Testing Report as a smart practice when it comes to cybersecurity. In fact, although security professionals reported less confidence in their security posture this year, that loss of confidence is a good thing. Overconfidence can blind us to risk and is more of a liability than an asset in cybersecurity.
Pen Test Report Indicates a Loss of Confidence
When surveyed about their confidence in their security posture, only 38% of respondents answered “confident,” compared to 53% the year before.
This indicates a more realistic understanding of risks, current exploits, threat vectors, and the nature of security as a whole: Not a “one and done” type of field, security is an ongoing practice that requires constant measurement, feedback, and improvement.
Additional benefits of this healthy fear within cybersecurity include:
- Understanding the limitations of current defensive practices | Acknowledging the problem is the first step towards fixing it. Feeling unsure of our ability to adequately defend against attacks with our existing solutions is nothing more than the identification of a pain point that leads us to find better ones.
- Awareness of changes in the IT environment | What worked yesterday (or eight months ago) may not work now, and what works now won’t be enough for tomorrow. This is to be expected given the breakneck pace of threat evolution today, and the continual migration towards cloud-based assets and digitization means it will remain the expectation for years to come. Lower security confidence scores indicate that practitioners are aware of this and recognize that changes may need to be made.
- Up-to-date threat knowledge | Only a practitioner who truly knew the landscape would understand that there are thousands of emerging exploits spun up monthly (and 10,000 new ransomware strains discovered within the first six months of 2022 alone). There is an increasing trend in unknown exploits as security technology gets better at catching what’s known. A lack of confidence in current capabilities reflects the awareness that environments constantly need to be evaluated to see if last quarter’s implementations are sound enough to stand up to future attacks.
- Clear strategy on building and maintaining a holistic security portfolio | This cyber limitation awareness also leads organizations to seek out ways to cover those gaps. Developing a clear strategy for identifying security weaknesses leads to finding solutions that will flesh out an overarching, holistic security approach.
- Program in place for upskilling and reskilling | Awareness of the state of global security also means there’s an understanding of the limited talent currently available. Professionals can seek out potential talent within their company to help expand security teams. Feeling unsure of the viability of all security assets leads security executives to invest in the training needed to create personnel who can help fill the cybersecurity skills gap.
A Healthy Fear: Balancing Confidence with Skepticism
It’s good to be optimistic about your organization’s cybersecurity stance, but it should be balanced with a healthy sense of skepticism. The saying holds true: There’s no growth in the comfort zone, and there’s no comfort in the growth zone. Security overconfidence might be one of the greatest threats to an organization’s digital well-being, and it’s a positive thing when practitioners know enough to avoid it. Staying “safely scared” can be a key motivator to stay sharp, agile, knowledgeable, and ultimately, secure.
Try to think like an attacker, and you’ll understand why security practices should always stay open to improvement. Criminal hackers are intrepid and are constantly sharpening the saw. It is their full-time job to think of ways around our defenses, and there’s never a time when they think last year's tactics are “good enough” for the road ahead. Neither should we.
Proactive Offensive Security
One of the best ways to turn your healthy fear into action is by taking proactive steps in your security strategy in order to identify weaknesses in your infrastructure before an attack occurs. Prioritize staying informed about the state of your IT environment through vulnerability assessments, pen testing, and red teaming. Know the exploits – today's exploits – and how well your current defenses stack up against them.
First, lay the foundation by performing an initial vulnerability assessment. Get a clear picture of the risks you face by scanning your environment for vulnerabilities. Fortra Vulnerability Manager is an accurate, easy-to-use SaaS vulnerability management solution that does more than just identify vulnerabilities. It uses external threat intelligence to help prioritize them, providing valuable context, and remediation efforts can be easily monitored with easy-to-generate reports and progress tracking.
Next, pen test your environment to know exactly what happens if these vulnerabilities are exploited. Just because you have a vulnerability, it doesn’t mean it presents an active threat. Additionally, what looks like a minor problem could become a major risk depending on where it sits within the environment. Fortra’s Core Impact is an automated pen testing software solution that simplifies the pen testing process, allowing you to safely exploit weaknesses using the same techniques as today’s threat actors in order to determine how much risk a vulnerability truly poses.
Lastly, finish off with a red team exercise to see where your organization would stand if breached. Red team exercises simulate a real-world attack campaign and put all security defenses to the test. With Fortra’s Cobalt Strike, you get the post-exploitation agent you need to simulate the actions of a deeply embedded bad actor within the system. You can change your network indicators to look like new malware on each engagement, and the tool is engineered for team collaboration and blue team-friendly reporting.
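The assessment and pen test steps above boil down to one triage rule: a scanner's raw severity is only a starting point, and what actually sets priority is whether the bug is exploited in the wild, where the host sits, what the asset is worth, and whether a tester proved the exploit works in your environment. The script below is an added example written for this article, not Fortra's software or output from any of the products named here; the scoring weights, the asset tags, the finding IDs and the threat-intel set are all constructed assumptions chosen to show a "critical" on a low-value internal box ranking below a "medium" on an exposed, known-exploited, pen-test-confirmed host.

```python
"""Context-aware triage of vulnerability-scanner findings.

Added example for this article, not Fortra's code. It combines the
inputs the text above says should drive prioritisation: scanner
severity, external threat intelligence (exploited in the wild?), where
the asset sits in the environment and what it is worth, and whether a
pen test actually confirmed the bug was exploitable. Weights, tags and
sample findings are all assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    fid: str                   # constructed finding ID, not a real CVE
    host: str
    cvss: float                # base score as reported by the scanner
    exposure: str              # "internet", "dmz" or "internal" (assumed asset tag)
    asset_value: int           # 1 (low) to 5 (crown jewel), assumed asset tag
    confirmed_exploitable: bool = False   # set from pen-test results


# Assumed weights: an internet-facing host is reachable by anyone,
# an internal one needs an initial foothold first.
EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5}

# Constructed threat-intel feed: IDs the intel source reports as exploited
# in the wild. A real feed would key on CVE IDs; placeholders are used here.
KNOWN_EXPLOITED = {"F-2", "F-3"}

# Constructed scanner output for three hosts.
SAMPLE_FINDINGS = [
    Finding("F-1", "build-box-07", cvss=9.8, exposure="internal", asset_value=1),
    Finding("F-2", "www-edge-01", cvss=6.5, exposure="internet", asset_value=5),
    Finding("F-3", "mail-relay-02", cvss=7.5, exposure="dmz", asset_value=3),
]


def priority_score(f: Finding, known_exploited: set[str]) -> float:
    """Adjust the raw CVSS score for exposure, asset value and evidence.

    Raw CVSS is scaled by where the host sits and what it is worth, then
    flat bonuses are added for facts that turn a theoretical weakness into
    an active threat: exploitation in the wild, and a pen tester proving
    the path works in this environment.
    """
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * (0.5 + 0.1 * f.asset_value)
    if f.fid in known_exploited:
        score += 4.0
    if f.confirmed_exploitable:
        score += 4.0
    return round(score, 2)


def tier(score: float) -> str:
    """Map a score onto a remediation bucket (thresholds are assumptions)."""
    if score >= 12.0:
        return "fix now"
    if score >= 7.0:
        return "fix this sprint"
    return "track"


def apply_pentest_results(findings: list[Finding], confirmed: set[str]) -> None:
    """Record which findings the pen test actually managed to exploit."""
    for f in findings:
        f.confirmed_exploitable = f.fid in confirmed


def prioritise(findings: list[Finding], known_exploited: set[str]) -> list[tuple[str, float, str]]:
    """Return (id, score, tier) for every finding, highest priority first."""
    scored = []
    for f in findings:
        s = priority_score(f, known_exploited)
        scored.append((f.fid, s, tier(s)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Pen test (constructed outcome): only F-2 was actually exploitable.
    apply_pentest_results(SAMPLE_FINDINGS, {"F-2"})
    for fid, score, bucket in prioritise(SAMPLE_FINDINGS, KNOWN_EXPLOITED):
        print(f"{fid:5} score={score:5.2f}  {bucket}")
```

Run as-is, the CVSS 9.8 finding on the internal build box lands in "track" while the CVSS 6.5 finding on the internet-facing web host, which the intel feed flags as exploited and the pen test confirmed, lands in "fix now". Swap in your own exposure and asset tags and a real known-exploited feed, and re-run after every pen test so the confirmed_exploitable flag reflects what was actually proven rather than what a scanner guessed.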
Ultimately, cybersecurity is a constant game of cat and mouse and taking precaution is a far better approach than acting recklessly. Being aware of the inherent dangers and available solutions helps teams stay agile in their security approach and flexible when it comes to considering the tools that will help them get there.
Interested in implementing a holistic offensive strategy?
Get Fortra VM, Core Impact, and Cobalt Strike all in one place with Fortra’s Offensive Security – Elite Bundle.