Human error among the top vulnerabilities

Proofpoint’s 2021 Voice of the CISO report explores the key challenges faced by CISOs after a challenging year for many businesses, economies and individuals worldwide. Below is the discussion with Andrew Rose, Resident CISO, EMEA at Proofpoint, on this report.

What makes ‘2021 Voice of the CISO report’ unique?
The COVID-19 pandemic has accelerated cybercriminal activities, many of which look to capitalize on the shift from office, to remote, to hybrid working environments, and provided many lures around financial support, vaccination and new working arrangements.

To shape the report, Proofpoint surveyed 1,400 CISOs globally, including in the UAE and Saudi Arabia, to highlight how security leaders face a constant barrage of attacks from all angles, how they are preparing for the continued challenges of a hybrid workforce and how all these aspects combine to increase the pressures of the CISO role.

In addition, the report sheds light on how human error is widely considered one of the top cyber vulnerabilities and this brings focus on the importance of cybersecurity awareness training for employees globally.

Elaborate on the key areas the survey explored.
Proofpoint’s survey explores three key areas – the threats, risks and types of cyberattacks that CISOs regularly encounter; the levels of employee and organizational preparedness to face them; and the impact of supporting a hybrid workforce as businesses prepare the next phase of home/office working arrangements.

Importantly, the report also covers the challenges CISOs face in their roles, their positioning amongst the C-suite, and the high level of business expectations on them and their teams.

According to the survey, what are the key challenges faced by chief information security officers (CISOs) in 2021?
2020 not only enhanced existing cybersecurity risks, but also brought new ones for CISOs. One key challenge is the shift to long-term hybrid working environments, as 66% of CISOs in the UAE agree that remote working has made their organization more vulnerable to targeted cyberattacks.

Although a startling 72% of CISOs in the UAE feel their businesses are unprepared to cope with a targeted cyberattack in 2021, there was a glimmer of positivity in that 77% of CISOs in the UAE believe they will be able to better resist and recover from cyberattacks by 2023.

In addition, there is still a strong perception of lack of support from the boardroom, with only 31% of UAE CISOs strongly agreeing that their boards see eye-to-eye with them on issues of cybersecurity.

Elaborate on the topmost key finding from the UAE.
Proofpoint’s 2021 Voice of the CISO report highlights that 68% of the surveyed CISOs in the UAE feel at risk of suffering a material cyberattack in the next 12 months, with the most expected methods including insider threats, phishing and Business Email Compromise.

This uncertainty towards the direct impact and consequences of a cyberattack is similarly reflected in the statistic that 71% of the UAE CISOs are more worried about attacks than they were in the previous 12 months. This data put the UAE at the top of the 14 surveyed global countries, highlighting the increasing concern across the region about the frequency and impact of cyberattacks.

As 70% of CISOs in the UAE believe that cybercrime will become even more profitable for attackers, the survey also identified the top three priorities across the board for UAE CISOs over the next two years: addressing supplier risk (29%), supporting remote working (28%), and enabling business innovation (28%).

Elaborate on the ‘Good enough’ approach taken by companies in the past 12 months and how it needs to be changed.
Due to the COVID-19 pandemic, many businesses had to adapt business processes and invest in new technology to support the new ways of working – and these changes had to take place when many firms were struggling financially. To balance the books, CISOs were asked to make do with the tools and controls they had, or utilize tools that were bundled with other products that had been purchased.

While this strategy enabled the organizations to survive the economic challenges, it did little to improve security levels at a time when the threats were increasing. Now that organizational change has been made, it’s essential that CISOs go back and review the changes that were rapidly implemented to ensure that all the threats and risks have been identified and addressed. As an example, new cloud solutions that store corporate data may have been implemented outside of the CISO’s view, and those data stores may not be subject to multi-factor authentication, or may not be holding data with the correct encryption.

‘Good enough’ seems like a sensible business choice; however, when the corporate technology stack has rapidly pivoted, attacker activity and capability are continuing to escalate, and the impact of a security breach, or data spill, can be so damaging in terms of financial cost and reputation, it’s a particularly risky strategy.

Only by fully understanding the style, tactics, and motives of the attacks and achieving real boardroom buy-in can we truly hope to defend our enterprises against catastrophe.