Most businesses “overconfident and underprepared” for 2025 cyber threats

Gemserv’s CISO Cyber Awareness study, now in its second year, reveals widening gaps between perception of risk and preparedness to deal with cyber attacks and data breaches.

Wednesday, 16th October 2024, by Phil Alsop

UK digital transformation consultancy Gemserv has published the findings of its latest CISO report, The Future CISO. The report has been compiled after its second annual survey of chief information security officers (CISOs) at 200 large UK & EU enterprises, across a range of sectors including financial services, energy, retail, IT and manufacturing.

Most leadership boards expect the cybersecurity landscape to become more complex, and believe that the risk of attacks on UK businesses is increasing. Yet most CISOs believe boards are overconfident in their understanding of the issues, and are failing to provide CISOs with the support they need to properly protect the organisation, its reputation and its customers from data breaches and cyber attacks.

Gemserv’s Director of Cyber and Digital Mandeep Thandi said: “Given the significant impact a cyber breach can have on organisations, including potential damage to reputation and share price, it’s encouraging to see CISOs have elevated cyber security to a board-level concern rather than it remaining an IT department issue.

“Confidence among CISOs in their ability to manage these threats remains low. They anticipate an increase in both the volume and sophistication of cyber attacks. At the same time, IT leaders face mounting pressure to rapidly implement transformational technologies such as cloud computing and GAI, which can heighten an organisation’s attack surface and therefore vulnerability to cyber threats.”

Key findings:

• 72% of organisations are actively incorporating AI into customer-facing products and services, but 37% of CISOs say they are not confident the business fully understands the risks

• 48% of CISOs describe the board's general understanding of risks as ‘excellent’, a significant increase from 2023 (37%), but 62% believe that staff lack the knowledge and training required to avoid a breach

• 79% of large enterprises invest in specialist cyber threat intelligence for CISOs, but the remainder rely solely on the press, social media, vendor marketing and regulators for information, which is not real-time and can be less reliable

• 88% of CISOs think the threat landscape is becoming more complex, with 37% not confident they have the resources they need. 44% struggle to recruit and retain the skilled people they need, amid a 3.2m ‘workforce gap’ for IT talent

On the positive side, compared to last year’s findings, there has been a rapid and marked improvement in board-level awareness, driven by

• new legislation such as GDPR and pan-European cybersecurity legislation such as the NIS Directive

• more CISOs moving upstream to take seats on boards, and increasing awareness of the wider reputational and business impacts beyond IT disruption

• increasing media coverage and awareness of the damage that can be caused by high-profile cyber incidents, such as the British Airways and Marriott breaches, the SolarWinds supply-chain compromise, the CrowdStrike outage and many more

• the roll out of more frequent, higher-quality training and the growth of better data security culture within large organisations

• increasing dependence on potentially vulnerable but business-critical technologies that power cloud computing, remote working and applied AI

Gemserv’s Director of Cyber and Digital Mandeep Thandi added: “While huge strides have been made by UK business to enhance their cyber defences and protect themselves against breaches, these findings show that the majority of UK enterprises remain largely unprepared for the year ahead, and should review their cybersecurity strategies as a matter of urgency.”

The report recommends a five-point checklist for boards and CISOs to audit their preparedness for attacks:

1. Create a business case for cyber security investment based on the direct and indirect costs of a successful attack (ransom fees, damage to share price, reputational damage, cost of downtime, cost of repair).

2. Routinely review business continuity and attack response plans at board level, while continually investing in a security-conscious culture throughout the organisation, backed by habit-forming training and a zero-trust approach to all new technology.

3. Provide CISOs with an emergency budget to draw on in the event of an attack, as well as the flexibility to review investments and change course during the year as the threat landscape changes.

4. Involve CISOs in all technology procurement processes, ensuring vendors are selected only if they meet specific security thresholds, and that any third-party technology is continually monitored to confirm it still maintains those standards.

5. Immediately consider investment in three core areas, if not already made: GAI defence technology, to mitigate GAI-enabled attacks; Managed Security Service Providers (MSSPs), to outsource work and mitigate skills gaps; and specialist cyber threat intelligence software, to predict and prevent the majority of attacks.
