Large companies unprepared for cyberattacks, boards say


Board members in Singapore, Canada, and Japan feel their organizations are most exposed, according to a new report from cybersecurity company Proofpoint.

Almost three-quarters, or 73%, of board members at companies with over 5,000 employees fear their organization is at risk of a major cyberattack within the next year, a survey commissioned by Proofpoint in 12 countries showed.

This is a marked increase from last year, when 65% of respondents agreed with the statement.

ADVERTISEMENT

“Geo-political tensions are almost certainly raising perceived threat levels as hostile nations take an increasingly vested interest in disrupting Western infrastructure and organizations,” Proofpoint said in its Cybersecurity: The 2023 Board Perspective report.

The shift of office culture to large-scale hybrid and remote work has also contributed to the increased threat perception, according to cybersecurity experts.

“Like it or not, the traditional office setup is no more. That means security teams must get used to protecting disparate and dispersed workforces as a standard practice,” the report said.

“Awareness-preparedness paradox”

Board members in Singapore are the most skeptical about their organizations’ cyberdefenses, with 81% saying that they’re unprepared for a cyberattack. The city-state is followed by Canada, at 67%, and Japan, at 63%.

Interestingly, at 86%, board members in Singapore are also most confident their organizations have adequately invested in cybersecurity. Only 48% agreed with the statement in the UK, the lowest number in the surveyed countries.

“The boardroom appears to have a good understanding of risk levels and common threats. Unfortunately, this does not always mean they’re prepared for them,” Proofpoint said, describing it as the “awareness-preparedness paradox.”

In contrast, in the US, where the cybersecurity market is considered more mature, only half of board members said they considered it a top priority, seeing it as an integral part of “business as usual,” the report noted.

ADVERTISEMENT

Malware perceived as top threat

Malware is top of the list when it comes to cyberthreats, with 40% of board members saying that it’s a leading security risk. Insider threat and cloud account compromise follow close behind, both cited by 36% of respondents.

It’s a slight change from last year, according to Proofpoint, when email fraud and business email compromise were perceived as the top threat (41%), followed by cloud account compromise (37%), and ransomware (32%).

“The shifting concern of boards from email fraud (business email compromise) last year to malware this year is likely driven by an increase in effective inbox security tools and high staff turnover,” Proofpoint said.

“It takes time to train new staff on security best practices; in the meantime, new starters are much more vulnerable to malicious links and rogue attachments,” the report noted.

Insider threats are costing businesses up to $15 million a year and are still on the rise, but this is a problem that companies increasingly recognize and take action to tackle – unlike supply-chain attacks, which only over a quarter of board members cite as a top concern.

Insider threats are costing businesses upwards of $15 million a year and are still on the rise, so it can only be good news that CISOs and board members are taking notice. But security teams need to act fast to effectively mitigate them.

“As MOVEit and victims of other supply chain attacks can attest, there is no room for complacency. Attacks on the supply chain are projected to cost businesses almost $46 billion by the end of 2023 and more than $80 billion by 2026 – a 76% jump,” Proofpoint warned.

AI increasing cause of concern

The risks posed by artificial intelligence (AI) tools have caught the attention of boardrooms, according to the report, with 59% of board members believing the technology already poses a security risk to their organizations.

ADVERTISEMENT

Cybercriminals leverage AI to reduce the “time-consuming” aspects of phishing, as well as finding and exploiting vulnerabilities, according to Proofpoint. It can also be used to enhance cyberattacks launched by threat actors with limited technical scope.

“As it stands now, the biggest threat from tools such as ChatGPT is employees uploading sensitive content to assist with research or report writing. But bigger problems are no doubt on the horizon,” Proofpoint said.

Boards in Japan, Singapore, and Australia are the most concerned about generative AI, according to the survey, which was also carried out in Brazil, Canada, France, Germany, Italy, Mexico, Spain, the UK, and the US.

More than 600 board members at both public and private organizations of over 5,000 employees were surveyed, with most (36%) citing disruption of operations, internal data becoming public (36%), and reputational damage (34%) as their greatest concern about the potential damage caused by cyberattacks.