Attackers thrive on misaligned incentives, executive overconfidence

Cybercriminals have the advantage, thanks to the incentives for cybercrime, while defenders are hard-pressed to keep up as they often operate in bureaucratic hierarchies, according to Intel Security.

According to interviews and a global survey of 800 cybersecurity professionals, additional misalignments occur within defenders’ organizations: more than 90% of firms report having a cybersecurity strategy, but less than half have fully implemented it.

Moreover, 83% say their organizations have been affected by cybersecurity breaches, indicating a disconnect between strategy and implementation.

And while cybercriminals have a direct incentive for their work, the survey shows not only that there are few incentives for cybersecurity professionals, but also that executives are much more confident than operational staff about the effectiveness of the existing incentives.

For example, 42% of cybersecurity implementers report that no incentives exist, compared to only 18% of decision-makers and 8% of leaders.

“The cybercriminal market is primed for success by its very structure, which rapidly rewards innovation and promotes sharing of the best tools,” said Candace Worley, VP of enterprise solutions for Intel Security.

“For IT and cyber professionals in government and business to compete with attackers, they need to be as nimble and agile as the criminals they seek to apprehend, and provide incentives that IT staff value,” said Worley.

The report also found that non-executives are three times more likely than executives to view shortfalls in funding and staffing as causing problems for the implementation of their cybersecurity strategy.

Also, even though incentives for cybersecurity professionals are lacking, 65% are personally motivated to strengthen their organizations’ cybersecurity.

Further, 95% of organizations have experienced effects of cybersecurity breaches, including disruption of operations, loss of IP, and harm to reputation and company brand, among other effects. However, only 32% report experiencing revenue or profit loss, which could lead to a false sense of security.

The government sector was the least likely to report having a fully implemented cybersecurity strategy (38%). This sector also reports having a higher share of agencies with inadequate funding (58%) and staff (63%) than the private sector (33% and 43%, respectively).