ISACA, one of the world’s oldest professional associations for IT audit, governance and security, with a global network of more than 460,000 IT professionals, produces an annual “State of Cybersecurity” report that tracks cyber security trends and emerging threats. Part two of the 2019 edition contains a number of interesting findings, the biggest of which is the apparent scope of underreporting of cyber crime.
ISACA surveyed 1,576 cyber security professionals in decision-making positions in their organizations. Respondents came from organizations ranging in size from enterprise to small-to-medium businesses.
The headline finding of this part of the report is that underreporting of cyber crime has become normalized around the globe. About half of the respondents said they believe most enterprises do not report all of the cyber crime they experience, including incidents they are legally obligated to disclose.
This is taking place in a landscape in which just under half of the respondents said cyber attacks against their organization had increased over the previous year, and nearly 80% expect to have to contend with an attack next year. Yet only a third of the cyber security leaders reported “high” confidence in their team’s ability to detect and respond to such an attack.
There is an interesting correlation between confidence and having a dedicated Chief Information Security Officer (CISO). Organizations with a CISO report the highest levels of confidence in their ability to respond to an attack, while those in which a more generalist CIO is in charge of security report the lowest. Respondents also indicated a preference for the security function reporting directly to the CEO rather than to the CIO.
The report identifies the top threats as coming from cyber crime groups and hackers, as one would expect. The third-greatest threat is non-malicious internal employees; that is, Bob in accounting, who unwittingly clicks a link in a phishing email and hands attackers a foothold from which they can reach the rest of the network.
The leading types of attacks are no surprise either: phishing, malware and social engineering. In spite of a seeming resurgence in early 2019, the survey reports that ransomware is down significantly; only 20% of respondents experienced such an attack this year, down from 37% in 2018.
Non-malicious insiders have long been among the leading causes of breach incidents. Attackers increasingly target specific departments or even individuals with phishing and malware links, because that initial point of compromise usually leads to much broader access to the network within as little as a few hours. Though phishing is the most common route in, weak passwords and “credential stuffing” attacks, in which username and password pairs leaked from one breach are replayed against other services in the hope that users reused them, continue to be a significant issue.
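As an added illustration of the distinction the paragraph draws (this is example code written for this page, not code from the ISACA report or from the article’s author), the following Python script runs a simple credential-stuffing detector over constructed authentication log lines. The log format, the IP addresses (RFC 5737 documentation ranges), the user names and the thresholds are all assumptions. It separates a stuffing pattern (one source cycling through many different usernames, mostly failing) from a brute-force pattern (one source hammering a single account) and from a legitimate user who mistypes a password once, and it reports which accounts the stuffing run actually got into, since those are the ones that need a forced reset.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example; not code from the ISACA report or this article.  The log
format, addresses, user names and thresholds are all assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) log format: "<ISO8601 UTC> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (RFC 5737 documentation addresses, invented user names).
SAMPLE_LOG = (
    # Stuffing: one source cycles through eight different accounts in eight
    # seconds, one attempt each, and gets into "carol".
    [f"2019-11-15T10:00:{i:02d}Z ip=203.0.113.7 user={u} "
     f"result={'OK' if u == 'carol' else 'FAIL'}"
     for i, u in enumerate(["alice", "bob", "carol", "dave",
                            "erin", "frank", "grace", "heidi"])]
    # Brute force: one source hammers a single account.
    + [f"2019-11-15T10:05:{i:02d}Z ip=198.51.100.9 user=admin result=FAIL"
       for i in range(10)]
    # Legitimate user: one typo, then success; plus one junk line.
    + ["2019-11-15T10:07:00Z ip=192.0.2.4 user=alice result=FAIL",
       "2019-11-15T10:07:05Z ip=192.0.2.4 user=alice result=OK",
       "this line is deliberately malformed and must be skipped"]
)


def parse(lines):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk rather than abort the whole analysis
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5,
                    min_fail_ratio=0.8, max_tries_per_user=2):
    """Return {ip: summary} for sources whose activity looks like credential stuffing.

    Signature used: within one time window a single source tries at least
    `min_users` DIFFERENT accounts, touches each account only a couple of
    times, and fails at least `min_fail_ratio` of the time.  A brute-force
    run (many tries, one account) and a fumbling legitimate user (one
    account, few tries) both fail the distinct-user test.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window so that events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            tries = Counter(user for _, user, _ in span)
            fails = sum(1 for _, _, ok in span if not ok)
            looks_stuffed = (len(tries) >= min_users
                             and fails / len(span) >= min_fail_ratio
                             and max(tries.values()) <= max_tries_per_user)
            # Keep the widest matching window so the summary is complete.
            if looks_stuffed and (best is None or len(tries) > best["distinct_users"]):
                best = {
                    "distinct_users": len(tries),
                    "attempts": len(span),
                    "failures": fails,
                    # Accounts the run actually got into: force a reset on these.
                    "compromised": sorted({user for _, user, ok in span if ok}),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against the constructed log, only 203.0.113.7 is flagged, with eight distinct accounts tried, seven failures and “carol” listed as compromised; the brute-force source and the legitimate user never satisfy the distinct-user threshold. In production the thresholds would be tuned per application, and the “compromised” list is the part worth alerting on, because a stuffing run with even one hit means a reused password has already been validated.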
Inadvertent network compromise by employees has grown large enough to catch the attention of the boardroom, however. The study indicates that 33% of CEOs surveyed are now willing to fire an employee who causes a data breach, even under non-malicious circumstances.
The shortfall of qualified cyber security professionals is expected to reach as much as 1.8 million globally by 2022, according to recent estimates.
The findings of the second part of the 2019 study thus support some of the conclusions drawn from the data gathered in the first part, released in March, which focused on staffing challenges.
Across the board, organizations are having trouble both recruiting and retaining good cyber security professionals. The more specialized the technical skill a role requires, the harder it tends to be to find and retain the right person. ISACA board director Gregory Touhill posits that one of the main issues is simply that compensation is out of balance. Organizations tend to underestimate the likelihood and cost of data breaches, particularly when weighed against the compensation packages offered to the professionals who can prevent them.
Threat researcher and ISACA correspondent Marcelle Lee further opined that there is too much of a focus on finding the absolute ideal candidate in cybersecurity hiring practices. She points out that though there is a shortfall in terms of meeting listed requirements for job openings, there is not so much of a shortfall in terms of available candidates. Lee chalks this up to classic HR biases and overly ambitious job listings that mandate far more specific technical skills than are actually necessary for the position. Organizations are often tripped up by something as simple as requiring a computer science degree when many professionals working in that specific role do not have or need one.
The employment shortfalls skew toward technical staff rather than management. 52% of the organizations surveyed said the biggest shortfall was in technical staff, while 72% said they currently have no open C-suite cyber security management roles.
In light of this, the earlier finding on CISO preference is worth revisiting. While there are many capable CIOs, the survey findings point out that the CIO job is oriented more toward acquisition and management of the company’s IT assets. A security focus can therefore be too much added burden for a CIO, or at least outside their training and experience. It is also quite possible that a lack of security training and knowledge in the executive ranks is contributing to the apparently widespread failure to disclose incidents properly.
With the exception of the sharp downswing in ransomware in the first quarter of 2019, the study reinforces much of what is already known. The most worrying new element is the amount of breach underreporting that appears to be going on, even in parts of the world with strong regulations mandating disclosure of these incidents. It remains to be seen whether legislation will ultimately have the desired effect, but in the interim many organizations appear to be playing catch-up in a cyber crime landscape that only becomes more pernicious by the year.
15 Nov, 2019
© 2019 Just40days.com. All Rights Reserved.