Half of Canada’s business cyber security officers believe their companies are very or somewhat likely to experience an attack, according to a survey of 100 global field leaders released May 12.
Just less than half of those leaders believe employees understand their role in protecting the organization against cyber threats, while 51% believe human error is their organization’s biggest cyber vulnerability.
The numbers, however, are lower than those globally, where 60% of chief information security officers (CISOs) believe their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability.
The research by California-based Proofpoint, in its inaugural Voice of the CISO report, found the threat landscape has become more fertile for cyber criminals as employees divide their time between work and home offices – what has become known as a hybrid working model.
And 63% of Canadian cyber security leaders said their business has seen more targeted attacks since enabling widespread remote working. Proofpoint said the work-from-home model necessitated by the pandemic has tested CISOs like never before.
Proofpoint global resident CISO Lucia Milică said with the future of work becoming increasingly flexible, challenges extend into 2022 and beyond. Further, she said, in addition to securing points of attack and educating users on long-term remote and hybrid work, CISOs must instil confidence among customers, internal stakeholders and the market that such setups are workable indefinitely.
Key to this, said Milică and Derek Manky, chief of security insights and global threat alliance for Fortinet, a California-based company with a research and development centre in Burnaby, is board-level buy-in and oversight.
But for that to happen, IT people and boards need to find a common language. Discussing cyber threats in terms of risk assessments is part of the solution, Milică said.
“Boards and executives are supportive but it’s difficult to understand cyber risks if you don’t have the background to understand.”
“There’s not a meeting of minds,” she said, noting CISOs are struggling to articulate their concerns at the board level.
“It is becoming a board-level conversation,” Manky said. “People are starting to become aware this is a pandemic of its own when it comes to ransomware.”
But, she said, organizations still face problems with employees using unauthorized devices and tools, working on unprotected devices and leaking data.
“Ninety per cent of the security risk out there has a human element,” Milică said.
However, cyber threats continue to morph as technology changes and crooks become more sophisticated.
Part of that, said Manky, is that crooks are increasingly using flaws in software more than three years old as routes for attacks. Software patching and education can mitigate that, he said.
But, as Milică also noted, “humans are often the weak link,” Manky said.
Manky stressed, though, that education numbers are rising even as crooks move away from blanket attacks to more focused ones.
Such targeted attacks can involve ransomware, where data is seized from systems. It’s not about the data itself, though, Manky said. Rather, it’s the release of the data that is the concern, and that’s where the crooks make their money.
“They’re being rewarded for this,” he said. “Organizations are paying ransoms.”
Manky said the international Ransomware Task Force has released recommendations on cyberattack preparedness.
Key global findings in the Proofpoint report include:
• CISOs are on high alert across a range of threats, faced with a relentless attack landscape;
• 64% of surveyed CISOs feel at risk of suffering a material cyberattack in the next 12 months;
• Asked what types of attacks they expect to face, CISOs had no clear answer, with diverse threats such as business email compromise (34%), cloud account compromise (O365 or G Suite accounts being compromised, 33%) and insider threats (31%) topping the list;
• Supply chain attacks came in fifth with 29% and ransomware seventh with 27%;
• 66% of CISOs feel their organization is unprepared to cope with a targeted cyberattack in 2021; cyber risk is also on the rise as 53% of CISOs are more concerned about cyberattack repercussions in 2021 than they were in 2020;
• User awareness doesn’t always lead to behavioural change: while more than half of survey respondents believe employees understand their role in protecting their organization from cyber threats, 58% of global CISOs still consider human error to be their organization’s biggest cyber vulnerability.
Global CISOs listed purposefully leaking data (criminal insider attack) and clicking malicious links or downloading compromised files as the most likely ways employees put their business at risk.