82% of CISOs believe employees leaving the organization contributed to data loss incidents, a challenge exacerbated by staff turnover

How much protection can your organization’s data truly have if you fail to establish a strong security culture that emphasizes the significance of safeguarding data?

The latest Voice of the CISO Report from Proofpoint – one of the most extensive studies done by a cybersecurity vendor – revealed that nearly 7 in 10 chief information security officers (CISOs) globally believe they are at risk of experiencing a material cyber attack in the next 12 months compared to just 48% last year. 

While the global average is 68%, CISOs in the UK (84%), Germany (83%) and Singapore (80%) are most concerned about experiencing a material cyber-attack.

While organizations have largely overcome the disruptions of the last two years, the effects of the Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs. In light of this, the report found 8 in 10 CISOs globally attributing data loss to employees leaving the organization.

The annual report surveys 1,600 CISOs at mid- to large-sized organizations across 11 different industries and in 16 countries, 4 of which are from APAC – Singapore, Australia, Japan and South Korea.

Additional key findings from the report include:

    • Insider threats and cloud account compromise top the list of the most significant threats: the top threats perceived by CISOs have shifted, with insider threats and cloud account compromise now leading the way, followed by email fraud (business account compromise). Last year, DDoS attacks were the top concern, followed by cloud account compromise and smishing/vishing.
    • Most organizations are likely to pay a ransom if impacted by ransomware: 72% of CISOs believe their organisation would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. And they are relying on insurance to shift the risk — 60% said they would place a cyber insurance claim to recover losses incurred in various types of attacks.
    • Supply chain risk is an increasing priority: 69% of CISOs say they have adequate controls in place to mitigate supply chain risk, a significant increase from last year’s 50%. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources — 58% say the shaky economy has negatively impacted their cybersecurity budget.
    • People risk grows as a prominent concern: there has been a consistent rise in the number of CISOs who view human error as their organizations’ biggest cyber vulnerability — 60% in this year’s survey vs. 56% in 2022 and 58% in 2021. At the same time, 61% of CISOs believe that employees understand their role in protecting the organization, compared to 60% in 2022 and 58% in 2021; this illustrates a struggle to build a strong security culture.
    • CISOs and boards are much more in tune: 60% of CISOs agree their board members see eye-to-eye with them on cybersecurity issues. This is a substantial increase from the 44% of CISOs who shared this view last year and the 46% who felt this way in 2021.
    • Mounting CISO pressures are making the job increasingly unsustainable: 67% of CISOs feel they face unreasonable job expectations, a significant increase from last year’s 35%. While the return to their new reality may be one reason behind this view, CISOs’ job-related angst is a likely contributor as well — 56% are concerned about personal liability and 70% say they have experienced burnout in the past 12 months.

“Organizations are finally back to ‘business as usual’ following years of coping with the pandemic and its aftermath,” said Deborah Wheeler, SVP & CISO, Delta Air Lines. “CISOs fully understand how critical their supply chains are and the significant impact of cyber-attacks and ransomware on those supply chains. There is a need for a continuous and constantly evolving partnership between companies and their suppliers on the topic of cybersecurity that results in stronger requirements and cyber controls. Working collaboratively across sectors to raise the level of security yields benefits for all and creates greater deterrence for the adversaries.”

“Research consistently finds that human error is one of the key contributors to successful cyber-attacks,” said Paige H. Adams, Global Chief Information Security Officer, Zurich Insurance. “As long as this vulnerability remains, CISOs will struggle to protect their data and systems. Although human error is inevitable, having guardrails, as well as strong policies and procedures in place, can go a long way in mitigating this risk and hardening your people perimeter.”

“Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss,” said Ryan Kalember, Executive Vice President of Cybersecurity Strategy, Proofpoint. “If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures. Therefore, CISOs must ensure they focus on the right priorities to move their organisations toward cyber resilience.”