Despite a shift to working from home and hybrid work since 2020, human error is the biggest cybersecurity issue for organizations, say chief information security officers (CISOs) from multiple countries, including Canada.
Some 56% of respondents to a survey by Proofpoint Inc., a leading cybersecurity and compliance company, point to such errors as their companies’ most significant information vulnerability.
The California-based company’s annual Voice of the CISO report, which explores key challenges CISOs face, also revealed that 48% of CISOs feel that their organization is at risk of suffering a cyberattack in the next 12 months, down from 64% last year.
That number is shockingly higher in Canada, where 72% feel at risk of suffering such an attack in the coming year, compared with 50% last year.
However, the data showed that 50% of global CISOs still believe their organization is unprepared to handle a cyberattack.
Lucia Milică, Proofpoint’s global resident CISO, said Canadian officers have seen an increase in targeted attacks on systems.
Further, she said that more than three-quarters of Canadian CISOs feel their demands are excessive, although most think their boards see eye-to-eye with them on security issues.
This report examined responses from more than 1,400 CISOs at mid-to-large organizations across different industries. Through early 2022, one hundred CISOs were interviewed in each market across 14 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, United Arab Emirates, Saudi Arabia, Australia, Japan and Singapore.
The report also examined the impact of the pandemic on organizations – including the departure of many workers from companies.
Researchers found that as workers leave their jobs or opt out of returning to the workplace, security teams have found themselves managing multiple information protection vulnerabilities and insider threats.
And, the shift to the home office has not been without its security problems.
“After spending two years bolstering their defences to support hybrid working, CISOs have had to prioritize their efforts to address cyber threats targeting today’s distributed, cloud-reliant workforce. As a result, their focus has gravitated towards preventing the most likely attacks such as business email compromise, ransomware, insider threats and (distributed denial-of-service attacks),” said Ryan Kalember, Proofpoint's executive vice president of cybersecurity strategy.
Still, Milică said the pandemic allowed companies to enable hybrid work environments, shifting from a temporary situation to something more permanent.
And many CISOs believe, with two years of remote work experience, that employees understand their role in protecting their organizations against cyber threats. Overall, 3 in 5 respondents agree with this statement, the report said.
"The trend is most pronounced in Canada and Australia, where belief in employee understanding has increased 39 and 34 percentage points, respectively, to 87 percent and 75 percent," it said.
And, despite dominating recent headlines, ransomware attacks came in as a concern for 28% of CISOs, although they have been a cause for concern in the corner office.
The report found recent high-profile attacks have pushed ransomware to the top of the agenda for organizations, with 58 percent revealing they had purchased cyber insurance and three in five global CISOs focusing on prevention rather than detection and response strategies.
“Despite the rising stakes, however, a concerning 42% of CISOs admit they have no ransom payment policy in place,” the report said.
However, that's a global figure.
Some 88% of Canadian CISOs reported their organization has purchased cyber insurance and is confident it will be there when needed.