Two-thirds of CISOs say they’ll be cyber attack victims this year
Security professionals are ever alert to the threats they face, but some still seem to think it is unlikely they will be attacked
Over 50% of security leaders in the UK and Ireland say their organisations experienced some form of cyber attack in 2020 and more than 60% are concerned that they are at risk of attack this year, rising to almost 90% in the largest organisations, according to a survey of security professionals conducted for Proofpoint by polling firm Censuswide.
The study, which set out to assess the level of cyber security preparedness at end-user organisations, also revealed that one-fifth of security leaders thought a cyber attack was unlikely – which should be a source of concern.
In terms of threats to organisations, security leaders tend to reflect the zeitgeist of the past 12 months, with 46% saying ransomware was the biggest threat they faced. Other sources of concern were cloud account compromises (39%), insider threats (33%) and phishing (30%). Fewer than 25% said they were worried about business email compromise (BEC), which is now one of the most expensive threats globally, with losses exceeding $25bn in the past three years alone.
“It is encouraging that the majority of IT leaders are showing awareness of the risks and challenges they face,” said Andrew Rose, Proofpoint’s resident CISO for EMEA.
“However, it is a little concerning to see that attack vectors such as BEC are not as highly prioritised as they could be – given that they are more commonplace than ransomware, and still create massive financial losses.”
The survey also revealed the biggest sources of risk in the eyes of security professionals, with 55% saying human error and lack of basic security awareness was the biggest risk they faced, largely because even the most advanced security tools are rendered powerless against them.
But at the same time, many leaders said they did not really know who were the most at-risk people in their organisations, suggesting there is much work still to do on user training and awareness. The statistics bear this out – just 28% of respondents said they ran a comprehensive security training programme more than twice a year, and 73% conceded that they needed to do much more in this regard. Many said they wanted to make training a priority, but ran up against obstacles when trying to make the case to their boards.
“The fact that employee awareness is high on the list of priorities is positive, as regular and comprehensive training is vital to building a security culture, which can protect your firm,” said Rose. “A people-centric strategy is a must for organisations, and that starts with identifying the most vulnerable users and ensuring they are equipped with the knowledge and the tools to defend themselves and the business.”
Despite remote working now being a well-established element of the organisational tech stack, the survey also showed that most businesses are still not entirely comfortable with the practice from a security perspective – only 22% of CISOs “firmly” believed their charges were fully equipped to work securely from home, and 64% said the practice was making them more vulnerable. This topic was explored in depth by Computer Weekly’s own Security Think Tank expert panel this month.
Finally, Proofpoint also revealed that 73% of security leaders expect their cyber budgets to increase over the next couple of years, with a quarter expecting to get at least 10% more cash than before. Many also expect to be able to hire more security talent.