With the 2020 scramble to enable remote working, many CISOs have now come to terms with new ways of working. Many CISOs feel more in control of their environment: 48% feel that their organization is at risk of suffering a cyber attack within the next 12 months, down from 64% last year, according to Proofpoint’s annual Voice of the CISO report.
The Sunnyvale, Calif.-based cybersecurity and compliance company’s survey also reveals half of global CISOs still feel their organization is unprepared to handle a cyber attack and more than half (56%) consider human error to be their biggest cyber vulnerability. Established work-from-anywhere setups and The Great Resignation have presented CISOs with new challenges around information protection.
With employees now forming the defensive perimeter wherever they work, 51% of CISOs agree that they have seen an increase in targeted attacks in the last 12 months. Half say that the rise in employee transitions has made protecting data a greater challenge, and investment in information protection tops the list of priorities for the next two years.
When asked how employees were most likely to cause a data breach, CISOs named compromised insider attacks as the most likely vector, where employees inadvertently expose their credentials, giving cyber criminals access to sensitive data.
Employee security awareness is on the rise, but users are still not adequately skilled for the role of cyber defense: while 60% of survey respondents believe employees understand their role in protecting their organization from cyber threats, 56% of global CISOs still consider human error to be their organization’s biggest cyber vulnerability. In the last year, only half of the global CISOs surveyed have increased the frequency of cybersecurity training for employees.
Top Cyber Attack Threats Targeting Organizations
There is a lack of consensus among CISOs as to the most significant threats targeting their organization: this year, insider threats – whether negligent, accidental or criminal – topped Proofpoint’s list at 31%, but were closely followed by DDoS attacks, business email compromise, and cloud account compromise (O365 or G Suite accounts being compromised), all at 30%. Despite dominating headlines, ransomware came in at 28%.
Ransomware headlines have increased cyber risk awareness among the C-Suite and driven strategy shifts: high-profile attacks (e.g. Colonial Pipeline and Kaseya) have pushed ransomware to the top of the agenda for many organizations. More than half (58%) revealed they purchased cyber insurance, and 3 in 5 global CISOs are focusing on prevention over detection and response strategies. Despite the rising stakes, however, 42% of CISOs admit they have no ransom payment policy in place.
“Overall, CISOs appear to have embraced 2022 as the calm after the storm but may be falling into a false sense of security. With rising geopolitical tensions and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged before the cybersecurity seas grow rough once more,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint.