Most CISOs believe that human error is the biggest risk for their organization

53% of CISOs and CSOs in the UK&I reported that their organization suffered at least one significant cyberattack in 2020, with 14% experiencing multiple attacks, a Proofpoint survey reveals.

This trend is not set to slow down, with 64% expressing concern that their organization is at risk of an attack in 2021. Those in larger organizations feel at greater threat, with this figure jumping to 89% amongst CSOs and CISOs from organizations over 2,500 employees and 83% from those with 5,000 employees or more. Perhaps more worryingly, 28% of respondents believe an attack in 2021 is unlikely a cause for concern.

Ransomware, the biggest cybersecurity threat

46% of CSOs/CISOs in the UK&I consider ransomware the biggest cybersecurity threat to their business in the next two years. This was followed by cloud account compromise (39%), insider threats (33%) and phishing (30%). Worryingly, 24% of CSOs/CISOs in the UK&I consider impersonation attacks and Business Email Compromise (BEC) attacks as the potential biggest cyber threat.

With BEC attacks quickly becoming one of the most expensive cyber risks globally – the FBI estimates the losses due to which at $26.5 billion over three years – this indicates that many IT leaders in the region underestimate the risk.

Human error, the biggest risk

55% of UK&I CISOs/CSOs believe that human error/lack of cybersecurity awareness is the biggest risk for their business, no matter what cybersecurity solutions are in place.

Common employee behaviours likely to result in cyberattacks include clicking on a malicious link or downloading a compromised file (43%), followed by falling victim to phishing emails (39%), intentional leaking of data (35%) and unauthorised use of devices and applications (35%).

However, while IT leaders in the UK&I are aware of the risk employees may pose to their business, 44% stated they did not know who the most at-risk employees in their organization are.

Employee training and awareness is a top priority

Improving employee training and awareness is a top priority, but obstacles remain. Even though human error and lack of cybersecurity awareness pose a high risk to organizations, only 28% of UK&I organizations admit to running a comprehensive training program more than twice a year.

However, 73% agree that they need to improve their employee cybersecurity awareness training and, despite the numerous challenges facing CISOs, 49% have made it their number one priority in 2021.

Unfortunately, it could be an uphill battle for many CSO/CISOs, as 54% agree that limited time and resources are an obstacle to developing an effective program, and 50% do not feel their board pays enough attention to delivering effective cybersecurity.

Businesses still not prepared for secure remote working

In 2021, many businesses are looking at their long-term remote working plans for their employees.

Despite most businesses having had nine months to plan and prepare since the beginning of the COVID-19 pandemic, only 22% of CISOs firmly believe that their employees are fully equipped to work remotely which, perhaps, reflects the scramble to enable the business to continue through the pandemic and that corners may have been cut in that rush.

This is supported by the fact that 64% of CISOs believe that their organizations are currently more vulnerable to cyber threats as a result of remote working.

Cybersecurity budget expected increase

73% of CSOs/CISOs in the UK&I expect to see their cybersecurity budget increase over the next two years. In fact, 25% expect an increase to their budgets by more than 10%. CSOs/CISOs also reported that investing in hiring new talent and upskilling employees was their second highest priority for 2021 (47%) after improving employee cybersecurity awareness (49%).

“It’s encouraging that the majority of IT leaders are showing awareness of the risks and challenges they face,” said Andrew Rose, Resident CISO (EMEA) at Proofpoint.

“However, it is a little concerning to see that attack vectors such as Business Email Compromise are not as highly prioritised as they could be – given that they are more commonplace than ransomware, and still create massive financial losses. The fact that employee awareness is high on the list of priorities is positive, as regular and comprehensive training is vital to building a security culture, which can protect your firm.

“A people-centric strategy is a must for organizations, and that starts with identifying the most vulnerable users and ensuring they are equipped with the knowledge and the tools to defend themselves and the business.”