New report finds nearly two-thirds of UK CISOs feel unprepared to cope with a cyber attack
Proofpoint, Inc., a cybersecurity and compliance company, recently released its annual Voice of the CISO report, which explores key challenges facing chief information security officers (CISOs).
While the world’s CISOs spent 2021 coming to terms with new ways of working, many now feel much more in control of their environment: globally, 48% feel that their organisation is at risk of suffering a material cyber attack in the next 12 months, down from 64% last year. In the UK, this rises to 60%, compared with 81% last year.
But feeling prepared for a cyber attack is vastly different from being prepared. This growing confidence of CISOs is likely a result of successfully overcoming a seismic event (the pandemic) rather than any tangible change in risk levels or preparedness. Proofpoint’s report reveals that 50% of global CISOs still feel their organisation is unprepared to handle a cyber attack and 56% consider human error to be their biggest cyber vulnerability, with established work-from-anywhere setups and The Great Resignation presenting new challenges around information protection.
This year’s Voice of the CISO report examines global third-party survey responses from more than 1,400 CISOs at mid-to-large-size organisations across different industries. During Q1 2022, one hundred CISOs were interviewed in each of 14 markets: the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, Australia, Japan, and Singapore.
The survey explores three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organisational preparedness facing them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also uncovers the challenges CISOs experience in their roles, their position among the C-suite, and business expectations of their teams.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world. But as CISOs adapt to new ways of working, it is encouraging to see that they now appear more confident about their security posture,” commented Andrew Rose, EMEA resident CISO at Proofpoint.
“As the impact of the pandemic on security teams gradually fades, our 2022 report uncovers a pressing issue. As workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats.”
Proofpoint’s Voice of the CISO 2022 report highlights general trends as well as regional differences among the global CISO community. Key findings from UK respondents include:
- UK CISOs are more confident about their cybersecurity posture: after two years of unprecedented disruption, UK CISOs now feel more in control of their environment. Three in five surveyed (60%) feel that their organisation is at risk of suffering a material cyber attack in the next 12 months, compared with 81% last year. The global average was 48%.
- There is a lack of consensus among CISOs as to the most significant threats targeting their organisation: this year, denial-of-service attacks topped the list for UK CISOs at 40% but were closely followed by malware (36%) and Business Email Compromise (34%). Despite dominating recent headlines, ransomware came in at 21% this year.
- Organisational cyber preparedness continues to be of concern for UK CISOs: post-pandemic work environments have left 65% of UK CISOs feeling unprepared to face a targeted attack, compared with a global average of 50%. This is marginally down from last year at 68%.
- Employee security awareness is on the rise, but users are still not adequately skilled for the role of cyber defence: while 68% of UK respondents believe employees understand their role in protecting their organisation from cyber threats, 65% of UK CISOs still consider human error to be their organisation’s biggest cyber vulnerability. In the last year, 57% of the UK CISOs surveyed increased the frequency of cybersecurity training for employees.
- Long-term hybrid work and The Great Resignation make protecting data a top new challenge for UK CISOs: with employees now forming the defensive perimeter wherever they work, 56% of UK CISOs agree that they have seen an increase in targeted attacks in the last 12 months. And 53% say that increases in employee transitions mean that protecting data has become a significant challenge. When asked how employees were most likely to cause a data breach, UK CISOs named compromised insider attacks as the most likely vector, where employees inadvertently expose their credentials, giving cybercriminals access to sensitive data.
- Ransomware headlines have largely increased cyber risk awareness among the C-suite and driven strategy shifts: recent high-profile attacks have pushed ransomware to the top of the agenda for organisations, with 68% of UK CISOs revealing they had purchased cyber insurance and 70% saying they focus on prevention over detection and response strategies. Despite the rising stakes, however, a concerning 36% of UK CISOs admit they have no ransom payment policy in place.
- UK CISOs feel under pressure, as cyber risk worries boards and business leaders: 60% of UK CISOs feel that expectations on their role are excessive, down from 66% last year. However, the perceived lack of alignment with the boardroom remains a concern, with only 35% of UK CISOs strongly agreeing that their board sees eye to eye with them on issues of cybersecurity. When considering cyber risk, UK CISOs listed impact on business valuation, significant downtime, and reputational damage as top board concerns.
“After spending two years bolstering their defences to support hybrid working, CISOs have had to prioritise their efforts to address cyber threats targeting today’s distributed, cloud-reliant workforce. As a result, their focus has gravitated towards preventing the most likely attacks such as business email compromise, ransomware, insider threats and DDoS,” said Ryan Kalember, Executive Vice President of Cybersecurity Strategy for Proofpoint.
“Overall, CISOs appear to have embraced 2022 as the calm after the storm but may be falling into a false sense of security. With rising geopolitical tensions and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged before the cybersecurity seas grow rough once more.”