Meatbag mishaps more menacing than malware? CISOs think so

Company boards, on the other hand, aren't letting cybersecurity disturb their sleep as much

Chief information security officers (CISOs) are considerably more likely than UK board directors to see human error as the most significant risk to data protection.

Meatbag errors are keeping CISOs awake at night, according to Proofpoint, which has just released a "Cybersecurity: The 2023 Board Perspective" report. The organization told The Reg that 78 percent had tapped it as the most significant risk. Only 56 percent of UK board directors felt the same way, said the analysts.

However, while nearly three-quarters (73 percent) of CISOs were confident in their organization's ability to protect data, just over half (56 percent) of directors agreed.

Overall, the confidence of UK board members has improved year over year, according to data included in the report. In 2022, more than three-quarters (76 percent) reckoned their organization was at risk of a cyber-attack. By 2023, less than half (44 percent) were as worried. Global board members, however, remained jittery – researchers found 73 percent felt at risk of cyber-attack.

The confidence of UK boards was in marked contrast to other countries. In 2022, 50 percent of board members in Canada felt at risk of a cyber-attack; the figure rose to 95 percent in 2023. The global average for boards was 73 percent in 2023.

Other gaps in perception included worries about personal liability – a whopping 79 percent of UK CISOs were concerned about their liability in the event of a cybersecurity incident, while the board was more blasé; just over half (54 percent) of directors expressed similar concern.

There were also differences in where UK CISOs and board members felt the biggest risks lay. Board members listed malware, cloud account compromise, and ransomware as the biggest worries. CISO concerns were email fraud, insider threats, and phishing. CISOs also listed cloud account compromise, indicating the two may not be so far apart.

Finally, the specter of AI was found to be haunting UK boards as 41 percent of directors viewed emerging technology such as ChatGPT as a security risk.

Researchers surveyed 659 board members from 12 countries – the US, Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico. While globally it was noted that CISOs and board members were relatively aligned, the UK still has work to do.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said: "Growing even stronger board-CISO relationships – particularly in the UK, where our data shows the need for significant improvement in this area – will be instrumental in the months ahead for directors and security leaders."

Kalember is correct. The report showed a marked decline in interaction between the board and cybersecurity leadership in the UK, dropping from 55 percent of directors saying they had regular chats in 2022 to 43 percent in 2023.

Andrew Rose, Resident CISO, EMEA at Proofpoint, said: "UK board members should keep in mind that the risk of material cyber-attacks is still very real and threats will continue to evolve."

Rose went on to emphasize the importance of board-CISO partnerships and warned against complacency. He said: "Boards must continue to invest heavily in improving preparedness and organisational resilience." ®
