The most prevalent types of threat actors and attack vectors of recent years will remain consistent but increase in attack volume in 2019, according to cybersecurity professionals polled in the second part of ISACA’s State of Cybersecurity 2019 report.
As per the findings, the top three cybersecurity threat actors this year are cybercriminals, hackers, and non-malicious insiders, at 32%, 23%, and 15% of top actors, respectively. These figures barely deviate from last year’s report.
Leading attack vectors this year are also consistent with last year’s results. 44% of respondents to ISACA’s survey said that phishing was the most prevalent type of attack, a percentage unchanged from last year’s survey. The next two top attack vectors were malware and social engineering, which 31% and 27% of respondents, respectively, said were most prevalent.
Despite the consistencies in threat types and actors, ISACA found that attack frequency is likely to increase this year, as it has in prior years.
Although organizations will likely see an increase in attacks, 75% of respondents said they believe cybercrime is underreported in their organizations. More specifically, 25% of respondents believe cybercrime is underreported, even if their enterprise is not legally required to report incidents, and 50% believe cybercrime is underreported, even if their organizations are legally required to report incidents.
“The high percentage of respondent skepticism regarding cybercrime reporting substantially may offset the optimism indicated by any leveling of cybersecurity attack volume and consistency of threat actors and exploitation techniques,” ISACA said.
Furthermore, respondents indicated that organizations will commonly promote cybersecurity awareness programs and that, while these programs make employees more confident in the awareness programs themselves, they do not drive confidence in the cybersecurity organization’s capability to mitigate cybersecurity threats.
On confidence levels in cybersecurity, respondents to ISACA’s survey indicated that they had the greatest confidence in a cybersecurity team’s capability to detect and respond to threats effectively when they report to Chief Information Security Officers (CISOs). The CISO was the figure most respondents report to, and 79% of those who report to CISOs said they are “at least somewhat confident in their cybersecurity team’s ability to detect and respond to threats.”
Since attack frequency is expected to increase this year, ISACA provided advice for organizations to strengthen their cybersecurity implementation and management. Its recommendations are that:
- Executives should consider examining the cyber program and its management in terms of governance structure, given that CISOs instill the most confidence in cybersecurity teams;
- Organizations could achieve greater impact through in-house management of cybersecurity awareness programs than through external management; and
- Enterprises should assess all of their programs to determine and maintain their efficacy and efficiency.