The State of Data Security in 2022: The CISOs' Perspective
In the two years following the beginning of the COVID-19 pandemic, the business world has been transformed on a grand scale. Organizations have created more data than ever before, and that data is now spread across a wider attack surface, putting it at a heightened risk of being compromised. The manner and location of data storage and correspondence have had to shift to meet the needs of remote and hybrid workers, with companies being forced to take a more rigorous approach to data security.
Information Security Media Group has partnered with HelpSystems to conduct a survey of organizations’ CISOs and gauge the state of information security from the C-level perspective. The survey asks important questions about changes in data security perceptions and procedures, the relative success of data protection methods, and concerns and priorities going forward. The results of the survey provide a window into the minds of the decision makers who have the responsibility of keeping companies’ information secure. The report provides the reader with an in-depth analysis of the findings, as it includes not only respondents’ answers but also expert analysis and interpretation of those responses to identify what this means for the industry moving forward.
Key findings from the Data Security Report
The conclusions drawn from the survey results are promising. Emerging trends in current practice and projected future plans show that companies are embracing the enforced changes in business practices and taking the necessary steps to increase security in the face of increasing threats. Overall, respondents feel that their enterprises are equally or more secure than one year ago. They also anticipate greater budgets and greater protections moving forward to assist them in adapting to increasing threats.
As a result of the COVID-19 pandemic, many employees are either working remotely or in hybrid working situations. Due to this enforced change, employees are increasingly finding themselves using both company and personal devices in the course of their work. In response to this change, and in order to protect vulnerable data from growing threats, 35% of survey respondents say data security has significantly increased as a priority, while 45% say it has slightly increased. It is worth noting that an encouraging 89% of organizations surveyed have a defined data security policy, and over 80% have updated their policies within the last two years.
As organizations have been working hard to keep their data secure in a time of rapid change, cyber threats have adapted as well. While the nature of the threats remains much the same – ransomware, business email compromise, phishing – the scale and range of the attacks have increased greatly. The greatest threat to cybersecurity, according to 64% of survey respondents, is cybercriminal groups.
As far as the methods of attack, 43% of respondents say the biggest danger to their enterprise and data is ransomware or malware designed to steal data or extort money, followed by 29% citing business email compromise or phishing as their greatest concern.
Data visibility is one area of weakness, with 63% of respondents stating that they lack adequate visibility into the location of data in their enterprise. Additional difficulties include a lack of human resources and skills. In the midst of The Great Resignation, finding and retaining individuals with expertise remains a challenge for organizations. Respondents also cite transition to the cloud as a major obstacle for data security.
Despite these challenges, survey respondents did, overall, identify as feeling fairly secure. One section of the survey asked respondents to rate their level of agreement with a series of statements regarding their organizations’ data security. Encouragingly, 82% of respondents either agreed or strongly agreed that their organization has made positive progress securing their sensitive data in the past year. In addition, 77% either agreed or strongly agreed that cybersecurity awareness training has had a positive, substantial impact on their organization’s data security in the past year. An even more encouraging statistic to come out of the survey is that 72% of respondents believe that moving to a mostly remote workforce has not significantly hindered their progress with data security initiatives.
To gain a deeper insight into the agree/disagree statements, the survey asked respondents who answered mostly disagree or strongly disagree to provide their main reasons for doing so. Of those who disagree or strongly disagree with the statements, 52% replied that they answered that way because cyber threats are fiercer than before, 43% believe that their organizations need to do more in order to secure their data, and 42% cite budget restrictions.
What the future of data security holds
Looking to the future, 97% of respondents report that they believe their organization’s budget for security will either remain level or increase in 2023. In terms of how that budget will be utilized, respondents are looking at a variety of technologies for data security planning: 56% cite plans to invest in enterprise data loss prevention, 40% in data classification, and 35% in encryption. Budget increases can be utilized for plugging gaps in current cybersecurity procedures as well as continuing to keep up with new and increasing threats.
Overall, it is important to understand that new and increased security procedures are imperative for organizations to invest in. The policies and technologies that brought businesses to this point through the difficulty of the COVID-19 pandemic will not be enough to protect against threats that continue to grow each day. New partners may be required to offer the technology and expertise that organizations require to protect their data, especially if they have gaps that cannot be filled with the personnel at their disposal.
Some particularly insightful, expert analysis comes from Cary Hudgins, Vice President of Product at PhishLabs, by HelpSystems, who gives his perspective on what the results of the survey mean and what to do with the results. Cary recommends that organizations look to the key challenges and risks facing them and form a plan to fill in those gaps, looking to the actions of “mature security teams” as role models. The significant conclusion to be drawn from the survey is that organizations should explore their weaknesses, their priorities, and their capabilities in order to develop a plan that works for them.
To learn more about this report, you can read the full survey here.