Meatbag mishaps more menacing than malware? CISOs think so

Company boards, on the other hand, aren't letting cybersecurity disturb their sleep as much


Chief information security officers (CISOs) are more likely than UK board directors to see human error as the most significant risk to data protection.

Meatbag errors are keeping CISOs awake at night, according to Proofpoint, which has just released a "Cybersecurity: The 2023 Board Perspective" report. The organization told The Reg that 78 percent had tapped it as the most significant risk. Only 56 percent of UK board directors felt the same way, said the analysts.

However, while nearly three-quarters (73 percent) of CISOs were confident in their organization's ability to protect data, just over half (56 percent) of directors agreed.

Overall, the confidence of UK board members has improved year over year, according to data included in the report. In 2022, more than three-quarters (76 percent) reckoned their organization was at risk of a cyber-attack. By 2023, less than half (44 percent) were as worried. Global board members, however, remained jittery – researchers found 73 percent felt at risk of cyber-attack.

The confidence of UK boards was in marked contrast to other countries. In 2022, 50 percent of board members in Canada felt at risk of a cyber-attack. The figure rose to 95 percent in 2023. The global average for the board was 73 percent in 2023.

Other gaps in perception included worries about personal liability – a whopping 79 percent of UK CISOs were concerned about their liability in the event of a cybersecurity incident, while the board was more blasé; just over half (54 percent) of directors expressed similar concern.

There were also differences in where UK CISOs and board members felt the biggest risks lay. Board members listed malware, cloud account compromise, and ransomware as the biggest worries. CISO concerns were email fraud, insider threats, and phishing. CISOs also listed cloud account compromise, indicating the two may not be so far apart.

Finally, the specter of AI was found to be haunting UK boards as 41 percent of directors viewed emerging technology such as ChatGPT as a security risk.

Researchers surveyed 659 board members from 12 countries – the US, Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico. While globally it was noted that CISOs and board members were relatively aligned, the UK still has work to do.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said: "Growing even stronger board-CISO relationships – particularly in the UK, where our data shows the need for significant improvement in this area – will be instrumental in the months ahead for directors and security leaders."

Kalember is correct. The report showed a marked decline in interaction between the board and cybersecurity leadership in the UK, dropping from 55 percent of directors saying they had regular chats in 2022 to 43 percent in 2023.

Andrew Rose, Resident CISO, EMEA at Proofpoint, said: "UK board members should keep in mind that the risk of material cyber-attacks are still very real and threats will continue to evolve."

Rose went on to emphasize the importance of board-CISO partnerships and warned against complacency. He said: "Boards must continue to invest heavily in improving preparedness and organisational resilience." ®
