Sponsored IT security leaders say they are ill-prepared for a cyber attack and believe that human error and a lack of security awareness are major risk factors for their organisations, according to a series of reports and surveys from cybersecurity vendor Proofpoint. But there are some marked variations in both the rates and the types of cyber attack between the regions surveyed.
It’s a dynamic attack landscape: in the DACH countries of Germany, Austria and Switzerland 67 per cent of IT security leaders say they have suffered at least one attack in the last 12 months, while in Benelux 72 per cent of respondents say their business has suffered at least one cyber attack in the same time period. In Sweden 59 per cent of businesses have been attacked at least once, while in the UAE the figure is much higher at 82 per cent - with 51 per cent of IT security leaders in the UAE saying their business has been targeted multiple times.
Whatever form they take, the fall-out from a cyber attack can be devastating for the organisations involved – the World Economic Forum estimates that, between 2019 and 2023, $5.2 trillion in global value will be at risk from malicious actors. And the financial impact of attacks can be far-reaching, encompassing lost revenues, reputational damage, downtime, legal fees, compensation and remediation.
Business email compromise
Email fraud via business email compromise, where an attacker gains access to an email account ad spoofs the owner is on the rise, according to Proofpoint. This can prove expensive: an FBI report estimates that total worldwide losses from business email compromise were $1.7 billion last year.
The most common type of cyber attack varies around the regions surveyed. Email attacks with phishing and ransomware were the most common means of attack over the last 12 months in the DACH countries, followed by insider threats. In Benelux insider threats or data leaks were the most common type of cyber attack in the last 12 months, followed by cloud account (Office 365 or Google Workspace) compromise, business email compromise, then phishing. Cloud account compromise was the most common form of attack in Sweden and the UAE, possibly reflecting higher rates of cloud adoption in these regions. In Sweden DDoS was the second most common form of attack, while in the UAE it was credential phishing.
Respondents are alive to the risks associated with a cyber attack, although the resultant damage from an attack varies amongst the regions surveyed. In the DACH countries IT security leaders indicate that successful attacks result in the loss of sensitive information, followed by business disruption, then reputational damage, while in Benelux and the UAE CISOs most frequently mention the financial loss as primary result of a cyberattack. In Sweden the chief consequence of a successful cyber attack mentioned by CISOs is the potential for brand and reputational damage, followed by data breaches and business and operational disruption.
Unprepared to face a cyber attack
Although they may be aware of the risks, security leaders are far from ready to face them. In the DACH territories only 24 per cent strongly feel they are prepared for a cyber attack, and in large companies with more than 5,000 employees, the figure plummets to 12 per cent. There’s also a big divide between public and private sectors in the DACH countries - only 46 per cent of public sector organisations say they can respond appropriately to cyber attacks. It is slightly better In Benelux and Sweden with 38 per cent and 29 per cent respectively strongly feeling that they are prepared for a cyber attack. In the UAE the number drops to a worryingly low 21 per cent of security leaders who strongly feel they are prepared.
Organisations face challenges to protect themselves. Throughout the regions surveyed respondents cite human error and a lack of security awareness, outdated or insufficient cybersecurity solutions and technology, and a lack of proper access controls and process as the biggest risks to their business. In the DACH countries, human error and lack of security awareness is seen as the biggest risk to the organisation by 70 per cent of respondents. In Benelux, 61 per cent of IT security leaders think that human error and a lack of security awareness is the biggest risk to the organisation. In Sweden the figure is 46 per cent and in the UAE it is 55 per cent.
There seems to be a mismatch between the lack of board-level concern about potential cyber attacks, companies’ perceived lack of preparation and ability to deal with an attack, and the potential for employees to act recklessly and make a company vulnerable to attack.
Employees make businesses vulnerable
The security leaders surveyed think there are a number of ways in which employees make their businesses vulnerable to attack. In the DACH countries, phishing attacks are thought to be the most common cause of vulnerability, cited by 70 per cent of respondents. In Sweden, a staggering 50 per cent of respondents said that criminal insider attack – the intentional leaking of data or intellectual property – is putting their business at risk. In Benelux employee mishandling of sensitive information is seen as the most common security error, cited by 53 per cent of respondents, while in the UAE poor password hygiene is seen as the most common cause of vulnerability, cited by 29 per cent of respondents.
Remote working as a result of the pandemic is another contributory factor to a business’s vulnerability to cyber attack. In the DACH region, for example, Proofpoint has found significant phishing activity related to Covid-19 in the transport and logistics sector, and the company’s researchers have seen a significant increase in the creation of templates for phishing sites that target pandemic-related government aid payments. It’s clear that employees need to be better educated and equipped to combat such cyber attacks.
Employee awareness training could help these companies protect themselves. However, even though they face a fast-evolving threat landscape and consider the human factor to be a primary risk, only a small percentage of the companies surveyed regularly train their employees. In the DACH countries almost half (47 per cent) of those surveyed do not believe their company is vulnerable to cyber attack by employees – only 22 per cent of respondents train their employees more than twice a year on cyber security best practice and only six per cent run a continuous awareness programme.
The picture is hardly better elsewhere: in Sweden 52 per cent of respondents don’t believe that their employees make them vulnerable to attack and only 25 per cent say they train their staff on cyber security best practice more than twice a year. In Benelux only 11 per cent admit to training their employees on cyber security best practice more than twice a year.
Look to the future
Given the dynamic threat landscape, do businesses intend to take a more active approach to the review of their cyber strategies? Most security leaders expect their cyber defence budgets to increase to some extent in the next couple of years: in the DACH countries 55 per cent of respondents expect their budget to increase by up to 20 per cent in the next two years, while in Benelux and Sweden nearly three-quarters of respondents expect their budget to rise by more than 11 per cent.
Looking ahead, IT security leaders in the DACH region expect that within the next three years there will be a significant increase in negligent insider threats or criminal threats, with more than half the respondents (54 per cent) expecting these to be the biggest cyber threat in the future. In Benelux, IT security leaders believe that phishing and cloud account compromise will continue to be the biggest cyber threats to their organisations, in Sweden and the UAE respondents believe that cloud account compromise will continue to be the biggest cyber threat.
What is clear, says Proofpoint, is that a people-oriented approach is needed when businesses review their cyber strategies. With people spending less time in their fixed office workplace, due to the pandemic and changes in working practices, they are now clearly the perimeter of the company and as such are a fruitful target for sophisticated cyber criminals.
Sponsored by Proofpoint