Two thirds of CISOs across world expect damaging cyberattack in next 12 months

Proofpoint surveyed 1,400 CISOs across the globe about the current cybersecurity landscape.

More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic, according to a new survey from security company Proofpoint.

The Proofpoint 2021 Voice of the CISO survey was conducted in the first quarter of 2021 and features insights from 1,400 CISOs at organizations of 200 employees or more across different industries in 14 countries. 

One hundred CISOs from each of the U.S., Canada, the U.K., France, Germany, Italy, Spain, Sweden, the Netherlands, the UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cybersecurity landscape.

Lucia Milică, global resident chief information security officer at Proofpoint, said CISOs are now facing a "constant barrage of attacks from all angles" and have had to take a variety of new measures in order to prepare for the challenges that come with protecting a hybrid workforce. 

"The pandemic placed an enormous strain on the global economy, and cybercriminals took advantage of this disruption to accelerate their nefarious activities," Milică said. "We were inundated with cyberattacks, both new and familiar, from pandemic-themed phishing scams to the unwavering march of ransomware." 

On average, 64% of CISOs surveyed said they felt their organization is at risk of suffering a material cyberattack in the next 12 months, with more than 65% of CISOs from the U.S., France, the UAE, Australia, Sweden, Germany and the U.K. expressing this fear. The fear was highest among CISOs in the U.K., at 81%, and Germany, at 79%.

The fear was highest among CISOs at retail companies and was lowest among those working in the public sector. Another 66% of respondents said they did not believe their enterprise was ready to handle the effects of an attack, particularly CISOs in the Netherlands, Germany and Sweden. 

When it comes to the kinds of attacks CISOs are most concerned about, 34% said business email compromise attacks, 33% said cloud account compromise and 31% cited insider threats. Others mentioned DDoS attacks, supply chain attacks, physical attacks, ransomware attacks and phishing. 

CISOs living in 12 out of the 14 countries surveyed cited business email compromise as a top three risk, coming in at number one in Canada, Sweden, Spain and Japan. Cloud account compromise was the number one risk in the U.S., France, Italy and Saudi Arabia. 

More than half of all CISOs said they are more worried about the repercussions of a cyberattack in 2021 than they were in 2020.

Many CISOs said the current rise in the number of attacks was being exacerbated by the pandemic, the shift to teleworking and hastily deployed remote environments that made it difficult to protect sensitive information. 

Nearly 60% of respondents said they have seen more targeted attacks since remote working began at the beginning of the pandemic. Almost 70% of CISOs from companies with more than 5,000 employees reported that their workforce has been targeted more since remote working began, particularly those in industries like IT, technology and telecoms.

CISOs in the UAE and Saudi Arabia saw the biggest increases in attacks since the beginning of remote working. More than half of all CISOs said remote working negatively impacted their ability to keep classified and sensitive information safe. 

A majority of CISOs said they have had to introduce stronger security policies since the pandemic began.

Human error is quickly becoming one of the main attack vectors being exploited by cyberattackers, according to the survey. 

Seth Edgar, CISO for Michigan State University, told the survey that attackers "used to focus on exploiting infrastructure" but now explicitly target people.

"Our focus has shifted to protecting people, which illustrates the changing boundary of security," Edgar said. "That boundary has gotten very personal, very quickly." 

When it comes to an organization's ability to detect an attack or breach, fewer than two thirds of respondents said they were confident they were prepared, mostly due to a lack of technical tools and support from superiors.

Looking ahead, 65% of CISOs surveyed said they believed they would be better prepared to "resist and recover" from cyberattacks by 2022 or 2023, particularly in the retail industry. 

Alongside that, a majority of CISOs surveyed said they expected at least an 11% increase in cybersecurity budgets over the next two years, but 32% said they expected their budgets to actually decrease over the next two years. Despite concerns over budgets, more than 60% said overall awareness among the public about cybersecurity would help them do their job. 

One concern raised by CISOs was the profitability of cybercrime, with 63% of respondents saying they expect the business to be even more lucrative in the coming years. Penalties for breaches or attacks will also increase, according to respondents. 

CISOs also said the pressure on them is becoming overbearing, with 66% of those working for organizations with more than 5,000 employees calling the expectations "excessive." Half of all CISOs said they are not being put in positions to succeed.