67% of CISOs Expect a Cyberattack or Data Breach in 2018

The perceived risk of a cyberattack or data breach occurring has increased year on year, according to a new survey conducted by the Ponemon Institute.

The Opus-sponsored survey polled 612 CISOs, CIOs, and other information security professionals, who were asked questions about data security and cyber risk.

The survey revealed confidence in cybersecurity defenses is getting worse, with more than 67% of respondents now believing they will experience a data breach or cyberattack in 2018. Last year, 60% of respondents thought they would likely experience a data breach or cyberattack in 2017.

Hackers have been responsible for a large number of data breaches over the past 12 months and the threat from malware is greater than ever, but the biggest perceived data security risk comes from within. 70% of respondents said the most probable cause of a data breach was a lack of competent in-house staff, with 64% of respondents saying a lack of in-house expertise would likely result in a data breach.

Cyberattacks and malware infections are likely causes of data breaches, but the biggest threat is phishing. Respondents to the survey believed there was a 65% chance of their organization experiencing credential theft as a result of a careless employee falling for phishing scams. Malware infections were expected by 61% of respondents, while cyberattacks resulting in significant downtime were expected by 59% of respondents.

Other probable causes of data breaches were the inability to protect sensitive data (59% of respondents), the inability to keep up with increasingly sophisticated cyberattacks (56% of respondents), and the inability to control the use of sensitive data by third parties (51% of respondents).

The increased use of Internet of Things (IoT) devices is a major risk. 60% of respondents rated IoT devices as the most difficult to secure, followed by mobile devices (54%) and cloud services (50%).

The rapidly changing threat landscape and the broadening of the attack surface mean the difficulty of defending an organization from cyberattacks has increased significantly, and as a result, jobs in information security have become harder.

69% of respondents believe their jobs will become more stressful in 2018, while there is also fear that if a data breach is experienced, heads will roll. 45% of respondents were worried they would lose their jobs following a cyberattack on their organization.

Previous surveys have shown a lack of board involvement in cybersecurity, although that does appear to be changing. Half of respondents said the C-Suite was becoming more involved in cybersecurity matters, while a third of respondents said the path to an improved security posture is clear.

Perhaps unsurprisingly, considering how employees are perceived to be the main threat, the top areas for improvement were staffing, better leadership, and more actionable cyber-intelligence. Technology improvements were also deemed a necessity. However, even though the risk of a cyberattack is increasing, IT security budgets are not. Information security professionals must therefore make budgets go further.

“Once again, we find that people – not just third parties – are the weak link in information security. Smart companies can’t prevent all data breaches, but implementing solid risk management programs supported by good governance, training, proven frameworks and robust technology will go a long way to reducing risk and alleviating CISO stress,” said Dov Goldman, VP, Innovation & Alliances of Opus.

“Data breaches and cyber-attacks continue to plague organizations and the responsibility of protecting sensitive data stops with the CISO. It’s critical that companies support CISOs and reduce risk by implementing standard processes, including policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.