A survey of 1,600 chief information security officers found that more than two-thirds of them (68%) expect a “material cyberattack” on their organizations in the next 12 months.
The survey, which is the basis of the annual “Voice of the CISO Report” by Proofpoint, an enterprise security company, showed a pronounced shift in attitude among the security chiefs toward future threats to their organizations. Just 12 months earlier, fewer than half of the CISOs (48%) saw a cyberattack on their horizon.
This pronounced shift suggests that security professionals see the threat landscape heating up once again, the report noted, and have recalibrated their level of concern to match.
“As we emerged from the pandemic, security leaders felt they had been able to implement more long-term controls to protect their work environment, so there was a sense of calm,” explained Proofpoint’s Global Resident CISO Lucia Milica Stacy.
“However, as the volume of attacks continued to increase, coupled with geopolitical tension and global economic uncertainty, a lot of that optimism wore off,” she told TechNewsWorld.
Reasons for Pessimism
According to security experts, a number of factors could be contributing to the CISOs’ concerns about increased cyberattacks.
“New vectors of attack continue to emerge — software supply chain compromise, API-connected third parties and SaaS systems, AI-related security risks — each requiring new defensive strategies and skills,” observed Karl Mattson, CISO of Noname Security, a provider of a cloud-native API security platform, in Palo Alto, Calif.
“Meanwhile, traditional threats never go away, such as ransomware or web application attacks,” he told TechNewsWorld. “With security budgets and staffing levels largely remaining flat, the stage is set for more risk exposure this coming year.”
A proliferation of endpoints in the enterprise also gives CISOs increased reason for alarm.
“IT leaders are finding it increasingly difficult to gain comprehensive visibility, security, compliance, and control to protect every employee, on every device, from every location,” said Darren Guccione, CEO of Keeper Security, a password management and online storage company, in Chicago.
“The expanding attack surface is particularly concerning with cyberattacks on the rise and IT security teams competing for talent as macroeconomic conditions are tightening budgets,” he told TechNewsWorld.
Adoption of as-a-service models by threat actors also increases the likelihood of an organization coming under attack in the next 12 months. “Phishing-as-a-Service and Ransomware-as-a-Service enable a significant increase in the number and scale of cyberattacks,” explained Avishai Avivi, CISO of SafeBreach, a provider of a breach and attack simulation platform, in Tel Aviv, Israel.
“At that point, it becomes a statistical reality,” he told TechNewsWorld. “The more attacks, the higher likelihood of an attack succeeding.”
Insider Threat to Data
Proofpoint also reported that CISOs believe employee turnover has become a risk to data security. More than eight in 10 of the security chiefs (82%) told researchers that employees leaving their organization had contributed to a data loss event.
“Resource constraints and the great reshuffle of employees are a potential underlying cause of the high percentage of CISOs being concerned about the loss of sensitive data because of employee turnover,” Stacy said.
The two sectors affected the most by turnover were retail (90%) and IT, technology, and telecoms (88%), the report noted.
These trends leave security teams with a near-impossible challenge, it continued. When people leave, stopping them from taking data is difficult.
Some organizations require written guarantees from former employees that they will delete all company data, it added. Others warn new employers of potential liability if an employee shares any data from their old job. But neither is close to being a satisfactory solution.
“Many employees, upon their departure, attempt to take some aspect of their work with them,” said Daniel Kennedy, research director for information security and networking at 451 Research, which is part of S&P Global Market Intelligence, a global market research company.
“For salespeople, that can be contacts or customer account information. For other employees, it can be a form of intellectual property, models they worked on or code, for example,” he told TechNewsWorld.
“When I was a CISO,” he recalled, “I definitely correlated hits on our various data loss platforms and employees departing. I could generally predict when someone was going to give a resignation based on their behavior.”
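The correlation Kennedy describes can be scripted. What follows is an added example, not code from the article, from Proofpoint, or from any vendor quoted here. It runs two checks over a constructed set of DLP alerts and a constructed HR departure feed: first, it totals DLP activity for each known departure from shortly before the resignation notice through the last working day; second, it flags users whose recent DLP alert rate is a multiple of their own prior baseline, which needs no HR data and is the kind of leading indicator Kennedy says preceded resignations. The event fields, the HR feed format, the window lengths and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DLP alerts (not real data): (ISO timestamp, user, channel, bytes).
DLP_ALERTS = [
    ("2023-05-01T09:12:00", "alice", "usb", 2_000_000),
    ("2023-05-02T10:05:00", "bob", "email", 150_000),
    ("2023-05-20T18:40:00", "alice", "cloud_upload", 900_000_000),
    ("2023-05-21T19:02:00", "alice", "usb", 1_500_000_000),
    ("2023-05-22T20:15:00", "alice", "email", 45_000_000),
    ("2023-05-23T08:00:00", "carol", "email", 20_000),
    ("2023-05-24T22:30:00", "alice", "cloud_upload", 600_000_000),
    ("2023-05-25T11:00:00", "bob", "usb", 500_000),
]

# Constructed HR feed (assumed format): user -> (resignation notice date, last working day).
DEPARTURES = {"alice": ("2023-05-19", "2023-06-02")}


def _ts(value):
    """Parse an ISO-8601 date or datetime string; date-only strings become midnight."""
    return datetime.fromisoformat(value)


def alerts_by_user(alerts):
    """Group alerts as user -> [(datetime, channel, bytes), ...]."""
    grouped = defaultdict(list)
    for ts, user, channel, nbytes in alerts:
        grouped[user].append((_ts(ts), channel, nbytes))
    return grouped


def departure_window_activity(alerts, departures, lookback_days=7):
    """DLP activity for each known departure, from shortly before notice through the last day.

    Returns user -> {"alerts": n, "bytes": total, "channels": [...]}.
    """
    grouped = alerts_by_user(alerts)
    report = {}
    for user, (notice, last_day) in departures.items():
        start = _ts(notice) - timedelta(days=lookback_days)
        end = _ts(last_day) + timedelta(days=1)  # include the whole last working day
        hits = [a for a in grouped.get(user, []) if start <= a[0] < end]
        report[user] = {
            "alerts": len(hits),
            "bytes": sum(nbytes for _, _, nbytes in hits),
            "channels": sorted({channel for _, channel, _ in hits}),
        }
    return report


def spike_candidates(alerts, as_of, recent_days=7, baseline_days=28,
                     min_alerts=3, ratio=3.0):
    """Users whose recent DLP alert rate is at least `ratio` times their own prior baseline.

    Needs no HR data, so it can surface a likely departure before notice is given.
    Returns user -> {"recent": n, "baseline": m} for flagged users only.
    """
    now = _ts(as_of)
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    flagged = {}
    for user, events in alerts_by_user(alerts).items():
        recent = sum(1 for t, _, _ in events if recent_start <= t < now)
        baseline = sum(1 for t, _, _ in events if baseline_start <= t < recent_start)
        # A user with no baseline alerts gets a floor of one alert, so a first-ever burst
        # still has to reach min_alerts instead of dividing by zero.
        baseline_rate = max(baseline, 1) / baseline_days
        recent_rate = recent / recent_days
        if recent >= min_alerts and recent_rate >= ratio * baseline_rate:
            flagged[user] = {"recent": recent, "baseline": baseline}
    return flagged


if __name__ == "__main__":
    for user, stats in departure_window_activity(DLP_ALERTS, DEPARTURES).items():
        print(f"departing {user}: {stats}")
    for user, stats in spike_candidates(DLP_ALERTS, "2023-05-26").items():
        print(f"spike {user}: {stats}")
```

In practice the alert list would come from the DLP platform's export or API and the departure feed from HR, and the thresholds would be tuned per role: a salesperson exporting contacts and an engineer cloning repositories produce different channels and byte counts, so the channel breakdown is kept in the report rather than collapsed into a single score.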
The increased concern of CISOs about insiders contributing to data loss represents a departure from past thinking on the subject.
“What has changed recently is a shift in thought from ‘it’s wrong to distrust employees’ or ‘we hire the best’ to ‘we have to secure ourselves from all kinds of threats,’” observed Sourya Biswas, technical director for risk management and governance at the NCC Group, a global cybersecurity consultancy.
“Recent U.S. defense leaks by insiders Jack Teixeira, Chelsea Manning, and Edward Snowden may have helped shape this narrative,” he told TechNewsWorld. “It’s not the prevalence of the malicious insider that changed, but rather the awareness around it.”
The level of distrust of employees displayed in the survey probably says more about a company’s overall culture than anything else, maintained Daniel Schwalbe, CISO of DomainTools, an internet intelligence company in Seattle.
“But it can also be attributed to the increase in remote work, which makes some CISOs feel like they are losing visibility into where their data ends up,” he told TechNewsWorld. “The current realities of a remote workforce throw the pre-pandemic corporate network with tight edge controls out the window.”
Call for Cyber Resilience
Proofpoint’s report also found that most organizations are likely to pay a ransom if hit by ransomware. Three out of five CISOs surveyed (62%) believed their organization would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months.
The report added that the CISOs’ organizations were increasingly relying on insurance to shift the costs of their cyber risks, with 61% saying they would place a cyber insurance claim to recover losses incurred in various types of attacks.
“Over the past five years, there has been general encouragement by cyber insurance companies to pay ransoms and for the cost to be covered by their premiums,” said Chris Cooper, CISO of Six Degrees, a cybersecurity consulting company, in London and a member of the ISACA Emerging Trends Working Group.
“This is, fortunately, changing, as paying ransoms only further excites incidents,” he told TechNewsWorld.
“There is also increasing evidence that some groups are coming back for a second bite at the cherry,” he added.
Proofpoint Executive Vice President of Cybersecurity Strategy Ryan Kalember urged security leaders to remain steadfast in protecting their people and data, despite trying challenges.
“If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures,” he said in a news release. “Now that they have returned to elevated levels of concern, CISOs must ensure they focus on the right priorities to move their organizations toward cyber resilience.”