Proofpoint has released its annual Voice of the CISO Report, revealing that the adoption of hybrid working policies and cloud tools has made organisations more vulnerable to cyber threats, with 44% of CISOs in Singapore reportedly seeing more targeted attacks in 2022 since enabling widespread remote working, an uptick of 13% from 2021.
Since flexible arrangements are preferred by the majority of Singaporeans, CISOs need to be prepared to tackle new challenges around information protection in work-from-anywhere setups – especially as 53% consider human error to be their biggest cyber vulnerability. In fact, long-term hybrid work coupled with “The Great Resignation” has seen nearly half of CISOs respond that increases in employee transitions mean that protecting data has become a greater challenge, with CISOs naming malicious insider attacks, where employees intentionally steal company information, as the most likely vector.
Proofpoint’s report also found that CISOs in Singapore believe threat actors are likely to take advantage of the rapid adoption of cloud collaboration tools – counting cloud account compromise (e.g. Microsoft 365, Google Workspace) as the second most significant threat targeting their organisation (33%). This perception echoes findings from Proofpoint’s earlier State of the Phish report, which saw an increase in the abuse of Microsoft and Google infrastructures.
This year’s Voice of the CISO report examines global third-party survey responses from more than 1,400 CISOs at mid- to large-sized organisations across 14 countries and various industries. In Singapore, Proofpoint interviewed over 100 CISOs over the course of Q1 2022.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world. But as CISOs adapt to new ways of working, it is encouraging to see that they now appear more confident about their security posture,” commented Lucia Milică, vice president and global resident CISO at Proofpoint. “As the impact of the pandemic on security teams gradually fades, our 2022 report uncovers a pressing issue. As workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats.”
Additionally, the report showed that CISOs in Singapore have a higher risk perception (64%) than the reported global average (48%), highlighting that CISOs in Singapore are less confident about their cyber security posture than their global counterparts. This is somewhat surprising, considering 61% of CISOs on the island believe that their organisation is prepared for a targeted attack in 2022.
“After spending two years bolstering their defences to support hybrid working, CISOs have had to prioritise their efforts to address cyber threats targeting today’s distributed, cloud-reliant workforce. As a result, their focus has gravitated towards preventing the most likely attacks such as business email compromise, ransomware, insider threats and DDoS,” said Yvette Lejins, resident chief information security officer (CISO), APJ at Proofpoint. “Overall, CISOs appear to have embraced 2022 as the calm after the storm but may be falling into a false sense of security. With rising geopolitical tensions and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged before the cybersecurity seas grow rough once more.”
Proofpoint’s Voice of the CISO 2022 report highlights general trends as well as regional differences among the global CISO community. Key Singapore findings include:
- There is a lack of consensus among CISOs as to the most significant threats targeting their organisation: this year, distributed denial-of-service (DDoS) attacks topped the list for CISOs in Singapore at 37% but were closely followed by Cloud Account Compromise attacks (Microsoft 365 or Google Workspace accounts being compromised) at 33% and smishing/vishing attacks at 31%. Despite dominating recent headlines, ransomware was of lesser concern at 21%.
- Employee security awareness is on the rise, but users are still not adequately skilled for the role of cyber defence: while 59% of Singapore-surveyed respondents believe employees understand their role in protecting their organisation from cyber threats, 53% of global CISOs still consider human error to be their organisation’s biggest cyber vulnerability. In the last year, 51% of CISOs in Singapore surveyed have increased the frequency of cyber security training for employees.
- Ransomware headlines have largely increased cyber risk awareness among the C-Suite and driven strategy shifts: recent high-profile attacks have pushed ransomware to the top of the agenda for organisations, with 52% of CISOs in Singapore revealing they had purchased cyber insurance and 48% focusing on prevention over detection and response strategies. Despite the rising stakes, however, a concerning 56% of CISOs in Singapore admit they have no ransom payment policy in place.
- While CISOs in Singapore feel slightly less pressured than their counterparts, cyber risk worries business leaders and board members: 35% of CISOs in Singapore feel that expectations on their role are excessive, down from 37% last year. However, the perceived lack of alignment with the boardroom continues with a marginal 16% of CISOs in Singapore strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. When considering cyber risk, CISOs in Singapore listed significant downtime, disruption to operations and loss of current customers as top board concerns.
The report explores three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organisational preparedness facing them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also uncovers the challenges CISOs experience in their roles, their position among the C-suite, and business expectations of their teams.