Businesses are finally doubling down on cybersecurity investments, but it might be making them overconfident.

Kris Blackmon, Head of Channel Communities

February 20, 2019

After the high-profile security messes that have graced headlines the last two years, many business owners finally stopped dragging their feet and upped their security posture. Now there’s a new level of confidence when it comes to cyberdefenses — but is it misplaced?

A new survey and report released today by Scale Venture Partners, Cybersecurity Perspectives 2019, says that despite a threat landscape that’s more complex than ever, 78 percent of executives are confident they’re well-equipped to handle cybersecurity risks — a 17 percent increase from a year ago. This despite no sign that cybersecurity threats are dying down. In fact, the World Economic Forum says that a cyberattack is nearly as likely as a natural disaster.

“I absolutely feel this is a false sense of security,” says Tom Praschak, president and CEO of Compass MSP. “While many executives have taken steps to make cybersecurity a priority at their companies, the fact remains that no matter what systems and processes are put in place it will never completely remove the risk and ‘beat’ threat actors. At best it stops all known threats and helps minimize the unknown threats by detecting them sooner and minimizing the possible damage done.”

And with the average cost of a data breach now running about $3.86 million, minimizing that damage should be a top imperative for executives. Mike Carter, CEO of managed service provider eGroup, says that’s certainly what he’s seeing among his clients.

“The real motivator to cybersecurity postures across 2018 was the realization that no one is safe from data breach or risks of ransomware,” says Carter. “The risk of being taken down and plastered across the headlines has been the greatest contributor we’ve seen to organizations embracing a more realistic, comprehensive and thoughtful cybersecurity approach.”

Organizations have certainly become more alert as a result of major breaches and implementation of broad-based data privacy regulations such as GDPR. According to the Scale VP report, 55 percent of executives upped their investment in data privacy solutions, 49 percent increased measurement and reporting around data privacy and 48 percent devoted more resources to data privacy personnel.

“Our manufacturing clients were especially observant and working toward compliance,” says Gavin Livingstone, president of managed IT provider Bryley Systems. “Their security postures have improved significantly, with no data breaches in 2018 for these clients.”

That’s a great start, but it doesn’t change the fact that the threat landscape is scarier than ever. Last month, security researchers discovered a collection of 2.2 billion stolen usernames and passwords being bartered on hacker forums. Clearly, investments in data privacy aren’t coming fast enough.

“I wish [GDPR] would become law in the U.S.,” says Philipp Baumann, CEO of BoomTech IT. “The average SMB client will not make any changes until they have to.”

Still, at least conversations are happening more often and more freely than they were a couple of years ago, and respondents to the survey report a significant shift in drivers behind their security strategies. While threats and vulnerabilities remain the number one issue shaping businesses’ security postures, executives have stopped using budget constraints as an excuse to not act. Concerns about budget came in second place (31 percent) in the list of strategy drivers in 2017. In 2018, only 12 percent cited cost as an influencing factor, putting it in last place.

“We’re seeing more clients acknowledge the threats facing their business but not an immediate budget to act in many cases,” reports Compass MSP’s Praschak. “It’s a step in the right direction; however, it places them behind in the race against threat actors in defending their business.”

The survey showed that if there’s one frustration shared by executives and managed service providers alike, it’s that surrounding tech that’s past its prime. As fast as technology in general and cyberwarfare in particular are evolving, it’s beyond the means of many organizations to keep up in terms of the technology they use.

“That’s a big part of why we have this mess,” laments BoomTech’s Baumann. “Ninety-seven percent of breaches could have been prevented with today’s technology.”

Managed service provider NexusTek says that good engineers are hard to find, much less keep, and that each engineer who touches a design winds up leaving their own stamp, resulting in layers of past bad decisions. Randy Nieves, NexusTek’s CTO and senior vice president of product management, likens such an unmanageable network mess to software “spaghetti code.”

“Fixing the network architecture is hard but doable,” says Nieves. “Planning a budget for that isn’t rocket science. The real challenge is meeting compliance with the legacy apps that are the lifeblood of the business. You require expertise from multiple disciplines and finding that in one place is hard as well.”

Survey respondents clearly relate to that challenge. More than half say that complex legacy data center infrastructure (53 percent) and outdated security technology and processes (52 percent) are the top obstacles holding their organization back from achieving the security posture it needs.

“Legacy platforms and outdated tools play a huge role in weak cybersecurity postures. Threats and countermeasures are constantly evolving, and organizations need to treat cybersecurity as a daily conversation, not a ‘one and done,’” says eGroup’s Carter. “Flexible response is key, and using modern tools and platforms provides the greatest flexibility in evolving the right stance to match the threat. As the old saying goes, you don’t bring a knife to a gun fight.”

Bottom line is that despite a heightened awareness of cybersecurity risks, many executives have a false sense of security around their security posture, particularly at the SMB level. David Eichkorn, managed IT solutions manager for the Gordon Flesch Company, says that recovery from hardware failure or accidental deletion is what’s traditionally on the forefront of these business owners’ minds, not data security.

“Unfortunately, I think too many SMB owners still need education on today’s cyberthreats and how they can impact them,” says Eichkorn. “The good news is that more of our clients want to hear and understand the issues and are increasingly willing to invest in the relevant tools to mitigate their risk.”

About the Author(s)

Kris Blackmon

Head of Channel Communities, Zift Solutions

Kris Blackmon is head of channel communities at Zift Solutions. She previously worked as chief channel officer at JS Group, and as senior content director at Informa Tech and project director of the MSP 501er Community. Blackmon is chair of CompTIA's Channel Development Advisory Council and operates KB Consulting. You may follow her on LinkedIn and @zift on X.
