Proofpoint, Inc., a cybersecurity and compliance firm, released its annual Voice of the CISO report, which examines the key challenges that chief information security officers (CISOs) face. While the world’s CISOs spent 2021 grappling with new ways of working, many now feel much more in command of their surroundings: in the UAE, 44% of CISOs believe their organization is at risk of a material cyber-attack in the next 12 months, down from 68% last year.
However, feeling prepared for a cyber attack is not the same as being prepared. This increased confidence among CISOs is more likely the result of successfully overcoming a seismic event (the pandemic) than any tangible change in risk levels or preparedness. According to our findings, 47 percent of CISOs in the UAE still believe their organization is unprepared to handle a cyberattack, and 50 percent believe human error is their greatest cyber vulnerability, with established work-from-anywhere setups and The Great Resignation posing new challenges in information security.
The survey delves into three key areas: the threat risk and types of cyber attacks that CISOs face on a daily basis, the levels of employee and organizational preparedness to face them, and the impact of supporting a hybrid workforce as companies prepare to reopen their corporate offices. It also reveals the challenges that CISOs face in their roles, their position within the C-suite, and the business expectations of their teams.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world. But as CISOs adapt to new ways of working, it is encouraging to see that they now appear more confident about their security posture,” commented Andrew Rose, Resident CISO for EMEA at Proofpoint. “As the impact of the pandemic on security teams gradually fades, our 2022 report uncovers a pressing issue. As workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats.”
“After two years of unprecedented disruption and new ways of working, CISOs in the UAE have had to prioritize their efforts to address cyber threats targeting today’s distributed, hybrid workforce. Their focus has gravitated towards preventing the most likely attacks such as business email compromise, cloud account compromise and insider threats,” said Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint. “Overall, CISOs now feel more in control of their environment and may be falling into a false sense of security. With our research revealing human error as an organization’s biggest cyber vulnerability, security awareness education across the organization should be a priority for CISOs to mitigate cybersecurity threats.”
The Proofpoint Voice of the CISO 2022 report highlights both general trends and regional differences among the global CISO community. The following are key findings from UAE respondents:
CISOs in the UAE are more confident about their cyber security posture: after two years of unprecedented disruption, CISOs now feel more in control of their environment. Two in five surveyed (44%) feel that their organization is at risk of suffering a material cyber attack in the next 12 months, compared with 68% last year.
There is a lack of consensus among CISOs as to the most significant threats targeting their organization: this year, Business Email Compromise and Cloud Account Compromise (O365 or G Suite accounts being compromised) topped the list for UAE CISOs, both at 35%. They were closely followed by insider threats–whether negligent, accidental, or criminal–with 31%. Despite dominating recent headlines, ransomware came in at 28%.
Organizational cyber preparedness has greatly improved: increasing familiarity with the post-pandemic work environment has also left CISOs feeling better equipped to deal with cyber threats. While 72% of CISOs believed they were unprepared for a targeted attack in 2021, this is down to 47% this year.
Employee security awareness is on the rise, but users are still not adequately skilled for the role of cyber defense: while 51% of UAE survey respondents believe employees understand their role in protecting their organization from cyber threats, 50% still consider human error to be their organization’s biggest cyber vulnerability. Despite this, only 36% of UAE CISOs surveyed have increased the frequency of cyber security training for employees in the last 12 months.
Long-term hybrid work makes protecting data a top new challenge for CISOs: with employees now forming the defensive perimeter wherever they work, 32% of CISOs agree that they have seen an increase in targeted attacks in the last 12 months. And more than 1 in 3 (37%) say that increases in employee transitions mean that protecting data has become a greater challenge, and investment in information protection is top of the list of priorities for the next two years. When asked how employees were most likely to cause a data breach, UAE CISOs named the malicious insider as the most likely vector, where employees intentionally steal company information.
Ransomware headlines have largely increased cyber risk awareness among the C-Suite and driven strategy shifts: recent high-profile attacks have pushed ransomware to the top of the agenda for organizations, with 41% of CISOs in the Emirates revealing they had purchased cyber insurance and 53% of CISOs focusing on prevention over detection and response strategies. Despite the rising stakes, however, a concerning 53% of CISOs admit they have no ransom payment policy in place.
While CISOs feel less pressured, board buy-in remains precarious as cyber risk worries business leaders: 38% of CISOs feel that expectations on their role are excessive, down from 67% last year. However, the perceived lack of alignment with the boardroom has increased, with only 14% of UAE CISOs strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. When considering cyber risk, Emirati CISOs listed significant downtime, impact on business valuation and loss in revenue as top board concerns.