IT leaders appear overconfident against cybersecurity risks

17 Nov 2023

Duncan Bradley, Kyndryl UK and Ireland practice leader for security and resiliency. Image: Duncan Bradley

Kyndryl’s Duncan Bradley discusses the ‘duality’ of a recent company report, the risk of underplaying IT risks and the importance of adopting a security first culture.

There are positives to being confident in one’s abilities, but a recent report suggests that IT leaders may be too confident in terms of their defences against cyberattacks.

A survey from IT infrastructure services provider Kyndryl suggests that many companies are dealing with disruptions to their services from cyberattacks and system failures. Kyndryl surveyed 300 IT decision-makers from large enterprises with more than 1,000 employees.

Of those surveyed, 92pc said their organisation had experienced an adverse event in the past two years that compromised or disrupted their IT systems. More than 70pc of the respondents said they had experienced a disruption from a cybersecurity-related event, while 88pc reported disruptions from other issues such as hardware failures or data centre outages.

Most of the respondents said they had experienced three or four different types of disruption events, according to Kyndryl. Despite this, 88pc said they are well prepared to manage and recover from any adverse conditions, attacks or compromises.

Speaking to SiliconRepublic.com, Duncan Bradley, Kyndryl’s UK and Ireland practice leader for security and resiliency, said the company was “surprised” at the confidence from IT decision-makers, despite global events and the noted challenges.

“When asked to compare themselves to peers, 65pc rate their organisation’s preparation for adverse events ahead of other organisations,” Bradley said. “Only 8pc rate themselves at least somewhat behind others.

“The high level of confidence particularly caught our attention, given that 92pc also confirmed their organisations have experienced adverse events. The duality is at least curious, if not reason to question if such confidence is justified.”

Communicating the risks

Bradley said that those working within these domains want to be “perceived as doing a good job”, which can lead to security risks being underplayed or “not so openly discussed”.

“In a world where tight budgets are prevalent and where it is almost impossible to be truly safe, complacency by not having yet been attacked is breeding this overconfidence,” Bradley said.

While cybersecurity is a global concern, a recent report by Dell Technologies suggests that Irish businesses are struggling to deal with the number of cyberattacks taking place.

Nearly 65pc of the respondents in the Dell survey said that the growing number of cyberattacks is their main barrier to enhancing the security of their companies. The second biggest barrier was a lack of in-house cybersecurity skills, identified by 13pc of respondents.

While a lack of skilled staff was highlighted as a risk in the Kyndryl survey, it was only the fourth biggest challenge in terms of getting ahead of IT risks.

The biggest challenge listed among respondents was the lack of ability to recover systems and data from an encrypted, clean backup. This was followed by the challenge of expanding an organisation’s IT footprint and the inability to stay up to date with emerging threats.

“Companies’ security leaders need to find better ways to communicate with their boards about the risks that they are exposed to and what the true impact of not mitigating these risks really is,” Bradley said.

“I have seen many companies use tabletop or cyber simulation exercises with companies’ boards and senior leaders to bring these risks to life and therefore secure the support to mitigate them more effectively rather than just accepting the risk.”

Dealing with overconfidence

Bradley said that organisations need to adopt a “security first” culture and decide whether their security services are outsourced or insourced. He also said the entirety of an organisation needs to take responsibility to keep their systems secure.

“Organisations need to educate their employees on their security standards so that each of them has a personal responsibility to keep their company safe, and provide tooling to allow their employees to see whether their endpoint meets these standards,” Bradley said.

This security first culture also needs to make it “not acceptable” to delay patching workstations or to prioritise other changes over security updates, as this can leave systems unprotected.

“Companies need to educate all their teams to understand that it only takes one weak link in the chain to allow the bad actors to compromise their entire organisation,” Bradley said. “They need to report on the number of machines which have vulnerabilities or which are without protection.”

“Only this week, I am dealing with a customer-managed internet-facing environment which they left down level and unpatched which the bad actors used as the vector to gain control of their entire LDAP (lightweight directory access protocol).”


Leigh Mc Gowran is a journalist with Silicon Republic
