Global cybersecurity leaders say they feel unprepared for attack: report

A majority of global chief information security officers (CISOs) surveyed as part of a report released Wednesday said they feel their organizations are unprepared to face a cyberattack, despite many believing they will face an attack in the next year.

The report, compiled by cybersecurity group Proofpoint, was based on a survey of 1,400 CISOs in 14 different countries including the United States. The results highlighted a brutal year for security professionals struggling to cope during the COVID-19 pandemic.

“Organizational cyber preparedness is still a major concern, and more than a year into this pandemic, it really changed the threat landscape, 66 percent of CISOs feel their organization is unprepared to cope with a targeted cyberattack in 2021,” Lucia Milică, global resident CISO at Proofpoint and the report’s lead author, told The Hill ahead of the report’s release.

The findings of the survey revealed that CISOs are overworked and overwhelmed after a year in which the COVID-19 pandemic pushed more daily activities online, giving cyber criminals more targets for attack. 

Around 64 percent of CISOs said they believe they will face some form of cyberattack in the next 12 months.

Many of these concerns were due to increased remote work, with more than half of the CISOs surveyed agreeing with the notion that a hybrid work environment had made their jobs more difficult, and 60 percent seeing an increase in targeted attacks due to remote work over the past year. 

Additionally, many security leaders felt a perceived lack of understanding from company leadership, with only 25 percent reporting that their boards were on the same page with them in terms of cybersecurity threats and resources.

“2020 has elevated the CISO role to where you have continuous visibility into the executive board level, but the expectations from the business on their functions seem excessive,” Milică said.

The cybersecurity leaders cited a broad range of cyberattacks they feared could impact their businesses, but zeroed in particularly on concerns around business email compromise, insider threats within their organizations, supply chain attacks and ransomware.

Their concerns were voiced following a year in which cyberattacks multiplied at an ever-increasing rate.

Hospitals, schools and government organizations have all been targeted by ransomware attacks amid the COVID-19 pandemic, along with critical infrastructure, such as the recent attack that forced the Colonial Pipeline Company to temporarily shut down its operations.

The U.S. was also hit by a series of major cyberattacks with widespread impacts, including the SolarWinds attack, which involved Russian hackers compromising nine federal agencies and 100 private sector groups. New vulnerabilities on Microsoft’s Exchange Server, exploited by both Chinese and Russian hackers, compromised potentially thousands more organizations.

“CISOs are on high alert across a range of different threats,” Milică said. “As you’ve seen the last 12 months, they have been really faced with a relentless attack landscape.”

With the attacks increasing and the future of work likely to be a more hybrid landscape in the wake of the pandemic, other industry leaders pushed for more resources and support for overburdened CISOs.

“The ‘good enough’ approach of the past 12 months will simply not work in the long term: with businesses unlikely to ever return to pre-pandemic working practices, the mandate to strengthen cyber security defenses has never been more pressing,” Ryan Kalember, executive vice president of Cybersecurity Strategy for Proofpoint, said in a statement Wednesday.

“The findings from our report emphasize that CISOs need the tools to mitigate risk and develop a strategy that takes a people-centric approach to cybersecurity protection to address ever-changing conditions, like those experienced by organizations throughout the pandemic,” he said.