The annual Voice of the CISO report by Proofpoint reveals that adopting hybrid working policies and cloud tools has made organisations more vulnerable to cyber threats. In Singapore, 44% of CISOs surveyed reported seeing more targeted attacks in 2022 since enabling widespread remote working, an uptick of 13% from 2021.
With Singaporeans favouring flexible work arrangements, CISOs need to be prepared to tackle new challenges around information protection in work-from-anywhere setups – especially as 53% consider human error to be their biggest cyber vulnerability.
Long-term hybrid work, coupled with “The Great Resignation”, has led nearly half of CISOs to say that increases in employee transitions have made protecting data a greater challenge. CISOs identified malicious insider attacks, where employees intentionally steal company information, as the most likely vector.
The report also found that CISOs in Singapore believe threat actors are likely to take advantage of the rapid adoption of cloud collaboration tools. Cloud account compromise (e.g., Microsoft 365 or Google Workspace) is the second most significant threat targeting their organisation (33%). This is echoed in Proofpoint’s earlier State of the Phish report, which saw an increase in the abuse of Microsoft and Google infrastructure.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world. But as CISOs adapt to new ways of working, it is encouraging to see that they now appear more confident about their security posture,” commented Lucia Milică, vice president and global resident CISO at Proofpoint.
She opined that as workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats.
The report also showed that CISOs in Singapore have a higher risk perception (64%) than the reported global average (48%), highlighting that CISOs in Singapore are less confident about their cyber security posture than their global counterparts. This is somewhat surprising, considering 61% of CISOs on the island believe that their organisation is prepared for a targeted attack in 2022.
“After spending two years bolstering their defences to support hybrid working, CISOs have had to prioritise their efforts to address cyber threats targeting today’s distributed, cloud-reliant workforce. As a result, their focus has gravitated towards preventing the most likely attacks such as business email compromise, ransomware, insider threats and DDoS,” said Yvette Lejins, resident chief information security officer (CISO), APJ at Proofpoint.
She added that CISOs appear to have embraced 2022 as the calm after the storm but may be falling into a false sense of security.
“With rising geopolitical tensions and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged before the cybersecurity seas grow rough once more,” she continued.
Key Singapore findings include:
The most significant threats targeting their organisation. In 2022, distributed denial-of-service (DDoS) attacks topped the list for CISOs in Singapore at 37%, closely followed by cloud account compromise attacks (Microsoft 365 or Google Workspace accounts being compromised) at 33% and smishing/vishing attacks at 31%. Surprisingly, despite media coverage, ransomware was of lesser concern at 21%.
Rising employee security awareness does not equate to adequate cyber defence skills. While 59% of Singapore-surveyed respondents believe employees understand their role in protecting their organisation from cyber threats, 53% of global CISOs still consider human error to be their organisation's biggest cyber vulnerability. In 2021, 51% of CISOs surveyed in Singapore increased the frequency of cyber security training for employees.
Ransomware headlines influencing C-Suite strategies. Recent high-profile attacks have pushed ransomware to the top of the agenda for organisations, with 52% of CISOs in Singapore revealing they had purchased cyber insurance and 48% focusing on prevention over detection and response strategies. Despite the rising stakes, however, a concerning 56% of CISOs in Singapore admit they have no ransom payment policy in place.
Singaporean business leaders worry about cyber risks. 35% of CISOs in Singapore feel that expectations of their role are excessive, down from 37% in 2021. However, the perceived lack of alignment with the boardroom continues, with a marginal 16% of CISOs in Singapore strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity.
When considering cyber risk, CISOs in Singapore listed significant downtime, disruption to operations and loss of current customers as top board concerns.