Meatbag mishaps more menacing than malware? CISOs think so

Company boards, on the other hand, aren't letting cybersecurity disturb their sleep as much


Chief information security officers (CISOs) are more likely than other UK board directors to see human error as the most significant risk to data protection.

Meatbag errors are keeping CISOs awake at night, according to Proofpoint, which has just released a "Cybersecurity: The 2023 Board Perspective" report. The organization told The Reg that 78 percent of CISOs had tapped human error as the most significant risk. Only 56 percent of UK board directors felt the same way, said the analysts.

However, while nearly three-quarters (73 percent) of CISOs were confident in their organization's ability to protect data, just over half (56 percent) of directors agreed.

Overall, the confidence of UK board members has improved year over year, according to data included in the report. In 2022, more than three-quarters (76 percent) reckoned their organization was at risk of a cyber-attack. By 2023, less than half (44 percent) were as worried. Global board members, however, remained jittery – researchers found 73 percent felt at risk of cyber-attack.

The confidence of UK boards was in marked contrast to other countries. In 2022, 50 percent of board members in Canada felt at risk of a cyber-attack. The figure rose to 95 percent in 2023. The global average for the board was 73 percent in 2023.

Other gaps in perception included worries about personal liability – a whopping 79 percent of UK CISOs were concerned about their liability in the event of a cybersecurity incident, while the board was more blasé; just over half (54 percent) of directors expressed similar concern.

There were also differences in where UK CISOs and board members felt the biggest risks lay. Board members listed malware, cloud account compromise, and ransomware as the biggest worries. CISO concerns were email fraud, insider threats, and phishing. CISOs also listed cloud account compromise, indicating the two may not be so far apart.

Finally, the specter of AI was found to be haunting UK boards as 41 percent of directors viewed emerging technology such as ChatGPT as a security risk.

Researchers surveyed 659 board members from 12 countries – the US, Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico. While globally it was noted that CISOs and board members were relatively aligned, the UK still has work to do.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said: "Growing even stronger board-CISO relationships – particularly in the UK, where our data shows the need for significant improvement in this area – will be instrumental in the months ahead for directors and security leaders."

Kalember is correct. The report showed a marked decline in interaction between the board and cybersecurity leadership in the UK, dropping from 55 percent of directors saying they had regular chats in 2022 to 43 percent in 2023.

Andrew Rose, Resident CISO, EMEA at Proofpoint, said: "UK board members should keep in mind that the risk of material cyber-attacks is still very real and threats will continue to evolve."

Rose went on to emphasize the importance of board-CISO partnerships and warned against complacency. He said: "Boards must continue to invest heavily in improving preparedness and organisational resilience." ®
