New hybrid and remote work environments have employees in the IT sector worried, and chief information security officers (CISOs) are no exception. Proofpoint's "2022 Voice of the CISO" report, which surveyed 1,400 CISOs, found that 50% of respondents feel their company is unequipped to deal with a cyberattack, and 48% feel their organization is at risk of suffering a material cyberattack within the next year.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world,” said Lucia Milică, vice president and global resident CISO at Proofpoint. “But as CISOs adapt to new ways of working, it is encouraging to see that they now appear more confident about their security posture.”
Why CISOs feel unready for potential attacks
If the majority of CISOs say they feel confident even with more employees than ever working outside the office, why do they still feel unprepared?
One major factor is that many CISOs believe their employees' level of preparedness still has significant room for improvement. Human error is the Achilles' heel for many businesses: 56% of respondents consider it their organization's biggest cyber vulnerability. Yet within the last year only half of the global CISOs surveyed have increased the frequency of cybersecurity training for employees. While 60% of respondents believe employees in their organization understand their role in protecting it from cyber threats, additional training could still pay dividends in the long run when it comes to avoiding an attack.
Another pressing issue is adapting to the changes brought about by the Great Resignation and by staff working outside the office. Over half (51%) of CISOs surveyed said they have seen an increase in targeted attacks in the last 12 months, and while greater employee awareness helps, it remains the IT team's responsibility to ensure that every employee device is secured against a targeted attack.
“As the impact of the pandemic on security teams gradually fades, our 2022 report uncovers a pressing issue. As workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats,” said Milică.
Half of the CISOs surveyed for the report also said that the increased rate of employees moving in and out of the organization presents an increased challenge when it comes to protecting their company’s sensitive information and intellectual property.
What CISOs can do to be better prepared
To help defend against ransomware and malware attacks, Proofpoint recommends that CISOs start by adopting a zero-trust architecture, strengthening information protection controls, and increasing awareness training for employees. Skills and resource shortages attributed to the Great Resignation should also be addressed, even if that means outsourcing some security functions.
“After spending two years bolstering their defenses to support hybrid working, CISOs have had to prioritize their efforts to address cyber threats targeting today’s distributed, cloud-reliant workforce. As a result, their focus has gravitated towards preventing the most likely attacks such as business email compromise, ransomware, insider threats and DDoS,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint. “Overall, CISOs appear to have embraced 2022 as the calm after the storm but may be falling into a false sense of security. With rising geopolitical tensions and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged before the cybersecurity seas grow rough once more.”
2022 may feel like a reprieve compared with the adjustments CISOs had to make during the pandemic, but several areas still need to be addressed to keep organizations from suffering catastrophic attacks and to prevent important data from falling into the wrong hands.