Splash247: Executives overestimate cyber readiness as gap with reality widens, study finds

Published by Splash247

A new survey suggests many organisations — including those tied to shipping, ports and offshore operations — may be far less secure than their leadership believes, despite rising cyber spend and increasingly complex IT setups.

Cybersecurity firm Horizon3.ai says its latest global study points to a structural problem: companies are measuring activity, not actual resilience.

Based on responses from 750 security professionals across Europe and the US, the report finds a clear disconnect between executive confidence and what is happening on the ground.

Senior decision-makers appear largely assured. More than 90% of CISOs surveyed said they could demonstrate their organisation had taken validated steps to prevent a breach. Confidence in detection systems was also high, with most believing their tools would spot attackers moving inside networks.

But operational practices tell a different story.

Only 30% of respondents said vulnerabilities are properly tested after patching to confirm the risk has been removed. Many organisations still rely on re-running automated scans rather than verifying whether weaknesses can actually be exploited. Even fewer — just 12% — said they had recently tested the effectiveness of endpoint detection systems.

For sectors like maritime, where vessels, ports and logistics chains rely on interconnected systems, that gap could have real consequences.

Activity mistaken for protection

The report highlights a common pattern: security programmes are busy, but not necessarily effective. Systems are scanned, alerts are generated and patches are applied — yet there is often no clear proof that an attacker would be stopped.

Dan Bird, Field CTO EMEA at Horizon3.ai, said many teams stop short of validating real-world attack scenarios.

“Security teams don’t struggle to find problems. They struggle to prove those problems are actually gone,” he said. “If you’re not validating real attack paths, you’re not measuring risk.”

This approach can create a false sense of security, particularly at management level, where dashboards and performance metrics suggest progress.

Slow response to real threats

The study also points to delays in dealing with known vulnerabilities already being exploited in the wild.

Just 11% of organisations said they patch or validate exposure within 24 hours of alerts from authorities such as CISA or ENISA. Many take a week or longer simply to assess whether they are at risk.

For industries operating critical infrastructure — including ports, offshore assets and energy supply chains — that lag can leave systems exposed during active threat windows.

Tools in place, but rarely tested

Modern detection tools are widely deployed, but the report finds they are rarely tested under realistic conditions. Only a quarter of organisations use penetration testing or red team exercises to check whether their systems would actually detect and stop an attack.

That lack of testing means companies may only discover weaknesses after an incident has already caused damage.

Automation not a silver bullet

The use of AI and automation is growing quickly in cybersecurity, helping teams process alerts and prioritise vulnerabilities faster. But the report warns that speed does not equal effectiveness.

Without independent validation, there is little evidence that automated actions are reducing real risk.

Shift needed from assumption to proof

The findings point to a broader shift in how cyber risk needs to be managed. Instead of focusing on how quickly tasks are completed — patches applied, tickets closed — organisations need to demonstrate that their defences actually work.

For maritime operators, where digital systems increasingly underpin navigation, cargo handling and port logistics, that shift is becoming more urgent.

As cyber threats continue to target critical infrastructure, the industry may need to move away from assumed security — and towards proving resilience under real-world conditions.