Two in three chief information security officers (CISOs) globally believe their organization is unprepared to handle a cyber attack, a new study said.
In keeping with other research pointing to remote working as a consequential security risk, slightly less than three in five CISOs peg human error as their biggest cyber liability, according to security provider Proofpoint's 2021 Voice of the CISO report. The COVID-19 pandemic has challenged CISOs as never before, the Sunnyvale, California-based security provider said.
“Last year, cybersecurity teams around the world were challenged to enhance their security posture in this new and changing landscape, literally overnight,” said Lucia Milică, global resident CISO at Proofpoint. “This required a balancing act between supporting remote work and avoiding business interruption, while securing those environments,” she said.
The survey’s key findings by the numbers:
- 64%: CISOs believe their organizations could suffer a material cyber attack in the next 12 months. Topping the list are business email compromise (34%), cloud account compromise (33%) and insider threats (31%). Of note, supply chain attacks came in fifth with 29% and ransomware seventh with 27%.
- 66%: CISOs believe their organization is unprepared to cope with a targeted cyber attack in 2021.
- 53%: CISOs are more concerned about the repercussions of a cyber attack in 2021 than they were in 2020.
- 58%: Global CISOs still consider human error to be their organization's biggest cyber vulnerability, including criminal insider attack and clicking malicious links or downloading compromised files as the most likely ways employees put their business at risk.
- 58%: CISOs agree that remote working has made their organization more vulnerable to targeted cyber attacks.
- 60%: CISOs have seen an increase in targeted attacks in the last 12 months.
- 63%: CISOs believe that cyber crime will become even more profitable for attackers.
- 60%: CISOs believe that cyber crime it will become riskier for cyber criminals.
- 65%: CISOs believe they will be able to better resist and recover from cyber attacks by 2023.
- 35%: Core security controls (35%), supporting remote working (33%), security awareness (32%) and security automation (32%) top three priorities for global CISOs in next two years.
- 57%: Global CISOs agree that expectations on their function are excessive.
- 25%: Global CISOs strongly agree that their board sees eye-to-eye with them on issues of cybersecurity.
- 11%: Amount global CISOs expect their cybersecurity budget to increase over the next two years.
“The ‘good enough’ approach of the past 12 months will simply not work in the long term,” said Ryan Kalember, Proofpoint’s cybersecurity strategy executive vice president. “With businesses unlikely to ever return to pre-pandemic working practices, the mandate to strengthen cyber security defenses has never been more pressing,” he said. “CISOs hold a business-critical function, now more than ever.”
Input from some 1,400 CISOs at mid- to large organizations in a variety of industries was used to compile the study’s findings, Proofpoint said. The survey focused on three areas:
- Threat risk and types of cyber attacks CISOs combat daily.
- Levels of employee and organizational preparedness to face them.
- Impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices.