
Proofpoint took stock of the state of security at Italian companies and of how CISOs (Chief Information Security Officers) perceive IT risk. To capture the situation, it commissioned a study from Cybersecurity Digital Club, which surveyed 130 Italian CIOs working at companies in a range of industrial sectors.

Of these, 16% say they have experienced at least one data theft, while 10% do not even know whether they have been attacked. More than one in four (26%) say these attacks are caused by insider threats. 50% of these incidents resulted in reputational damage, 38% in financial loss, and another 38% in stolen credentials. One in four CISOs also reported losing critical data as a result of an attack. In one case out of four, restoring and securing the systems resulted in additional costs.

Figure: CISO threats.

However, two findings deserve closer attention. On the one hand, no one claimed to have lost customers as a result of a cyber attack. On the other hand, according to 96% of the sample, the main threat comes from the workers themselves.

The human being is the main risk factor

Those who work in the technology sector have long known that most cyber incidents have a human cause. This is unavoidable: exploiting a vulnerability usually requires the involvement of someone inside the company. A password that is stolen or too easy to guess, a click on a link in a phishing email, the opening of an email attachment that contains malware.

Figure: There are dangers.

In these cases the cause is distraction or a lack of knowledge of security basics. But that is not all: more than one breach in four (26%) is the work of disloyal employees. Here we are not talking about mistakes or carelessness, but about people who illegally copy confidential documents.

How do companies react to these problems? 65% of respondents say they are adopting technologies to better manage insider threats. For incidents caused not by fraud but by errors or ignorance of the dangers, the answer is training: 96% of CISOs conduct awareness training on email-borne threats.

The importance of training

If defending against disloyal employees is complicated and requires specific tools, the only way to reduce the risk of incidents caused by inattention or error is training. Nearly all the CISOs surveyed (96%) report conducting awareness training.

Figure: CISO training.

What topics are covered? First of all (96%) understanding the risks of phishing and BEC (Business Email Compromise), but also managing passwords correctly (88%), understanding the policies for using corporate or personal devices safely (80%), and recognizing social engineering attempts (78%).

A remaining 4% declare that they have not activated any ongoing security awareness programme.

It should also be emphasized that, while human error (and some people's dishonesty) is indeed the main problem, it cannot be denied that not all CISOs are fully committed to reducing risk. 31% of respondents say they lack visibility into which employees are accessing important data, and 24% have no idea where sensitive data is stored. It is obvious that information is difficult to protect if you do not even know where it is.

Figure: CISO data.

How is this possible? According to 22% of CISOs, these problems are due to hybrid working, which has reduced visibility. It is natural to ask, however, whether the fault really lies with hybrid work, as they claim, or with the fact that some security managers have not implemented the cloud as well as they could have.
