1 in 3 Organizations Experiencing More Cyberattacks This Year, Says New ISACA Study

ISACA’s 2021 State of Cybersecurity Part 2 looks at the threat landscape, the impact of the pandemic on security programs and the challenges—and importance—of assessing cybersecurity maturity. Many of these findings will reinforce or mirror past reporting despite new challenges that enterprises face amidst the ongoing global pandemic and opportunistic threat actors. (Graphic: Business Wire)

SCHAUMBURG, Ill.--()--Ransomware attacks have been increasingly in the headlines—and reaching historic levels of impact with the recent Colonial Pipeline and Kaseya attacks. Findings from the State of Cybersecurity 2021, Part 2 survey report from ISACA in partnership with HCL Technologies show that 35 percent of respondents report that their enterprises are experiencing more cyberattacks, three percentage points higher than last year. This second part to ISACA’s annual State of Cybersecurity 2021 survey report examines cyber threat landscape trends.

While respondents indicate that their enterprises are getting attacked more—with 35 percent indicating there has been an increase in cyberattacks from the year before—the most frequent types of attacks remain similar to the year before:

  1. Social engineering – 14%
  2. Advanced persistent threat (APT) – 10%
  3. Ransomware – 9%
  4. Unpatched system – 9% 

The global pandemic has presented a range of challenges, including those impacting cybersecurity teams. More than one in three enterprises reported either adopting a Secure Access Service Edge (SASE) model (12 percent) or Zero Trust security strategy (23 percent) as a cybersecurity approach because of the pandemic.

“With the increase in the number and rate of cyberattacks worldwide, cybersecurity professionals are facing a challenging threat landscape that requires constant vigilance,” says David Samuelson, ISACA CEO. “These survey findings illustrate just how essential it continues to be for the global cybersecurity community to actively keep up to date with best practices and training, and ensure their teams are well staffed to detect and respond to attacks.”

When it comes to cybersecurity teams and leadership, the report findings revealed no strong differences between the security function having a CISO or CIO at the helm and organizational views on increased or decreased cyberattacks, confidence levels related to detecting and responding to cyberthreats or perceptions on cybercrime reporting. However, it did find that security function ownership is related to differences regarding executive valuation of cyberrisk assessments (84 percent under CISOs versus 78 percent under CIOs), board of director prioritization of cybersecurity (61% under CISOs versus 47% under CIOs) and alignment of cybersecurity strategy with organizational objectives (77% under CISOs versus 68% under CIOs).

The report also found that artificial intelligence (AI) is fully operational in a third of the security operations of respondents, a four percent increase from the year before. Seventy-seven percent of respondents also revealed they are confident in the ability of their cybersecurity teams to detect and respond to cyberthreats, a three-percentage point increase from last year. Additionally, 78% noted that they believe cybersecurity training and awareness programs have a positive impact.

The report found that 65 percent of respondents indicate their enterprises assess their cybermaturity, and those that perform cybermaturity assessments are more likely to have appropriately staffed security teams and report appropriately funded cybersecurity budgets. Respondents that were attentive to security program measurement and maturity are also more than two times more confident in the ability of their organization to detect and respond to cyberattacks.

However, respondents indicated that they faced some obstacles in determining cybermaturity, including:

  1. Integrating risk with maturity and keeping up with industry threats (30 percent)
  2. Difficulty differentiating concept of maturity versus compliance to management (29 percent)
  3. Having the necessary experience to understand and assess cybermaturity (27 percent)

Despite these challenges, 80 percent indicated that their executive leaders see value in conducting cyberrisk assessments; 39 percent of enterprises perform these assessments annually and 76 percent of respondents cited regulatory compliance as the primary driver for conducting them.

“In a complex, constantly changing cybersecurity landscape that is subjecting enterprises to increasingly severe attacks, assessing cybersecurity maturity can play a role in determining whether enterprises have effective security programs,” says Renju Varghese, Fellow & Chief Architect, CyberSecurity & GRC Services, HCL Technologies. “Taking a proactive, risk-based approach to assessments, versus simply meeting compliance requirements, will serve enterprises well in ensuring their cybersecurity goals are met and that they can continue to pivot as needed as the threat landscape shifts.”

For a complimentary copy of State of Cybersecurity 2021 Part 2 or Part 1 and related resources, visit www.isaca.org/state-of-cybersecurity-2021.

About ISACA

For more than 50 years, ISACA® (www.isaca.org) has equipped individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enabled enterprises to train and build quality teams. ISACA has a presence in 188 countries, including more than 220 chapters, and leverages the expertise of its more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. In 2020, ISACA launched One In Tech, a philanthropic foundation.

Contacts

Emily Van Camp, evcamp@isaca.org, +1.847.385.7223
Kristen Kessinger, communications@isaca.org, +1.847.660.5512

Contacts

Emily Van Camp, evcamp@isaca.org, +1.847.385.7223
Kristen Kessinger, communications@isaca.org, +1.847.660.5512