Global cybersecurity concerns are returning to pandemic levels, with 68% of CISOs from 16 countries saying they fear a cyberattack in the next 12 months, according to a Proofpoint survey.
“With the disruption of the pandemic now largely behind us, the return to normal operations may imply that CISOs can breathe easier, but the opposite is true,” said Lucia Milică Stacy, Global Resident CISO of Proofpoint. “Compared with last year, CISOs are feeling less prepared to cope with cyberattacks and more at risk, indicating a reversal to the early days of the pandemic.”
An elevated threat landscape, data protection challenges, impacted cybersecurity budgets, CISO burnout, and personal liability concerns all played a role in CISOs feeling more at risk of an attack and less prepared this year, Stacy said.
The report surveyed 100 CISOs each from 16 nations including the US, UK, Canada, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, Singapore, South Korea, and Brazil.
Cybersecurity concerns back to pandemic highs
Several observations in the report hinted at a brief period of relief followed by a quick return to pandemic-level anxiety. Sixty-eight percent of respondents said they feel at risk of experiencing a material cyberattack in the next 12 months, compared to 48% last year and 64% in 2021.
Additionally, 61% believe their organisation is unprepared to cope with a targeted cyberattack, compared to 50% last year and 66% in 2021.
“Having conquered the unprecedented challenges of protecting hybrid work environments during the pandemic, security leaders felt a sense of calm. Although attack volumes did not abate, CISOs had a brief period of reprieve as they felt their organisations were less at risk,” Stacy said.
The report also noted a strong willingness to pay ransoms, with 62% of CISOs saying they are ready to pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. This may be related to 61% of them having cybersecurity insurance in place for various types of attacks.
“Profitability at insurance companies offering cyber insurance has already taken a hit due to the raft of ransomware-related payouts in recent years,” said Michael Sampson, senior analyst at Osterman Research. “We have already seen cases where premiums have doubled for half the coverage. It has been becoming more and more expensive to secure cyber insurance. Some are even likely to withdraw completely from offering coverage, given the negative trends.”
When asked which attacks they perceive to be the biggest cybersecurity threats, a third of the survey respondents (33%) chose email fraud as the most concerning, followed by insider threats (30%), cloud account compromise (29%), and DDoS attacks (29%).
CISOs also reported that their jobs are getting increasingly unsustainable, as they feel security pressures mounting. Sixty-one percent of them feel unreasonable job expectations, against last year’s 49%. While 62% are concerned about personal liability, 60% say they have experienced burnout in the past 12 months.
People risks take prominence, cybersecurity leaders say
Eighty-two percent of the security leaders reporting a material loss of sensitive data said employees leaving the organisation contributed to the loss. Overall, 63% reported such losses in the last 12 months. Just 60% of CISOs believe they have adequate controls to protect their data.
“Nearly all cybersecurity incidents can be traced to human involvement. Successful attacks almost always involve some user action enabling an attack to stick, and as such incidents continue CISOs will increasingly view protecting and educating their people as a top priority within their organisations,” Stacy said.
Sixty percent of the responding CISOs view human error as their organisation’s biggest cybersecurity vulnerability, compared with 56% and 58% in 2022 and 2021, respectively. Also, only 61% of CISOs are confident that their employees understand their role in protecting the organisation. These consistent numbers over the years point to a clear and persistent concern about people risks.
“Phishing remains a key initial vector for attacks, and inadequate phishing security technology makes it easier for humans to click through malicious messages and allow access to systems or data,” Osterman's Sampson said. “Poor training approaches are also an issue - such as when organisations rely on outdated attack intel (several months old), ineffective training and assessment methods, and operate training as a check-box activity, not an enablement one.”
Supply chain risk remains a top priority, with 64% of CISOs saying they have adequate controls in place to mitigate supply chain risks.