While attack vectors remain largely the same year over year, attack volume will increase and cybercrime may be vastly underreported, according to the 2019 State of Cybersecurity Study from ISACA.
“Underreporting cybercrime—even when disclosure is legally mandated—appears to be the norm,” said Greg Touhill, Brigadier General (ret), ISACA Board Director, president of Cyxtera Federal and the first US Federal CISO. “Half of all survey respondents believe most enterprises underreport cybercrime, even when required.”
Equally concerning, only 34 percent of cybersecurity leaders have high levels of confidence in their cybersecurity team’s ability to detect and respond to cyberthreats. The highest levels of confidence are correlated with teams reporting directly into the CISO, and the lowest levels are correlated with teams reporting into the CIO. Forty-three percent of respondents say their teams report to a CISO, and 27 percent report to a CIO.
“What we can conclude from this year’s study is that governance dictates confidence level in cybersecurity,” said Frank Downs, ISACA’s director of cybersecurity practices.
These findings indicate confusion about how to structure cybersecurity in relation to information technology.
ISACA’s State of Cybersecurity Study, sponsored by HCL, captures perspectives of more than 1,500 individuals who define the field worldwide.
According to this report, released at Infosecurity Europe, the top three threat actors remain cybercriminals, hackers and nonmalicious insiders. Phishing, malware, and social engineering are the most prevalent attack types for the third year in a row. Ransomware decreased significantly; 37 percent of organizations reported experiencing ransomware in last year’s study, compared to 20 percent this year.
Just under half of organizations report an increase in cybersecurity attacks this year, and 79 percent consider it likely they will experience a cyberattack next year.
“Cybersecurity suffers from a siloed and static approach,” said Renju Varghese, Fellow & Chief Architect, CyberSecurity & GRC, at HCL Technologies Ltd. “Many teams are missing significant attacks because they don’t have the size or expertise to keep up with attackers. Moreover, their existing security tools and processes are segregated and seldom work in tandem.”
However, by carefully analyzing variables contributing to incident susceptibility and team inefficiency—including cyber reporting structure, prevalent attack methods, and team readiness through a culture of continuing professional education—organizations can better prepare themselves for dangers presented by cyber miscreants, says Downs.
State of Cybersecurity 2019 parts 1 and 2 are available for free as part of ISACA’s Cybersecurity Nexus, which offers credentials, training, guidance, and research for security professionals.