Optimism bias won’t save you


Category: Opinion


With cybersecurity still a hot topic, news alerts about the latest data breach or security incident are hard to miss. Yet, even whilst being bombarded with these types of news items, many companies still think that they’re somehow immune to such threats.

This optimism bias tends to come in three different flavors.

First, you have the boastful CEO, convinced their security is already top-notch. Second, there’s the busy executive, who may realize their cybersecurity requires more attention, but who simply has too much on their plate to focus on optimizing.

Third, and perhaps most common, are those who simply ignore threats. They may know that smoking kills, but surely it won’t kill them. In the same way, they may know their cybersecurity needs some work, but until they get targeted, there isn’t really a problem.

Unfortunately, when it comes to cybersecurity, the immediate short-term consequences can sometimes seem inconsequential. Until you get hit, there is no pain. But when you do get hit (and yes, that’s a when, not an if), it is suddenly crystal clear that optimism bias or willful ignorance won’t save you.

The Titanic still sank

Lauded as the unsinkable ship, the Titanic is a prime example of how optimism bias can play a part in things going catastrophically wrong. Belief that the ship was unsinkable led to complacency in safety measures, such as carrying an inadequate number of lifeboats. Even when faced with warnings of icebergs in the vicinity, crew and passengers alike had unwavering confidence in what they were told – the largest and most luxurious ship of the era was unsinkable.

As history shows, they were tragically proven wrong.

Optimism isn’t the answer

Whilst there’s usually something to be said for looking at the bright side of things, this logic clearly didn’t apply to the Titanic, just as it doesn’t apply to cybersecurity.

Though it might be an unfortunate truth, it is very likely that you will get targeted by cyber criminals. As much as you may wish you could be, you are not the deciding factor in whether or not you will get targeted – you have very little influence on this.

What you can influence is your approach to the matter. Thinking ‘this won’t happen to me’, despite the overwhelming facts proving that it likely will happen, does not help you.

Focus on prevention and resilience

With cybersecurity, the smartest thing to do is to take a realistic and practical approach. It is a fact that 2023 saw a 72% increase in data breaches since 2021, just as it’s a fact that ransomware attack victims rose by 128% between 2022 and 2023. It shouldn’t be a secret to anyone that cyber-attacks are on the rise, and you shouldn’t consider yourself safe from them.

Cybersecurity should be a top concern and, even if your cybersecurity actually is largely in order, you should realize that you can still be targeted. Knowing what to do in the face of a cyber-attack is key to keeping your company safe.

Not all doom and gloom

Just because there are thousands of cyber-attacks every day doesn’t mean every attack is successful. Adopting a proactive stance and implementing robust cybersecurity measures, using Zero Trust as your strategic guidance, allows you to significantly reduce the likelihood and impact of a cyber-attack.

There are practical actions you can take outside of a broader cybersecurity strategy. Verizon’s 2023 Data Breach Investigations Report states that 74% of cybersecurity breaches are caused by human error. Your employees can be educated on this subject, which can significantly bring that number down.

Microsoft states that multi-factor authentication blocks over 99.9% of attacks that try to compromise accounts. Implementing an extra layer of authentication in your organization is a practical way to influence your cybersecurity posture.

Yes, you getting targeted by a cyber-attack is, in our opinion, inevitable. That doesn’t mean you can’t prepare for said inevitability. Heed the warning signs, focus on prevention and resilience, and thus make sure your company doesn’t become the next Titanic.