Cloud threats have execs the most freaked out because they're not prepared
- Reference: 1727695817
- News link: https://www.theregister.co.uk/2024/09/30/pwc_security_survey/
- Source link:
That's according to PwC's latest cybersecurity report, released today, which showed that cloud threats are the biggest security concern for most (42 percent) business leaders.
The top five threats, according to PwC's 4,020 respondents, comprise hack and leak operations (38 percent), third-party breaches (35 percent), attacks on connected products (33 percent), and ransomware (27 percent).
[1]
If you've just read that and questioned why ransomware is so low on the list, you might be a CISO. The level of concern about ransomware jumped to 42 percent when analyzing responses from CISOs alone.
[2]
[3]
Here at The Register , we know many of you will also be priming your commenting fingers ready to tell us these percentages don't add up to 100 right about now. That's because the answers were taken from a survey question asking respondents to list their top three most concerning threats, so the percentage is a reflection of how many times each threat appeared in respondents' top-three rather than a single selection.
All the threats that feature in execs' top five deemed "most concerning" are perhaps unsurprisingly also the same as the threats organizations feel least prepared to address, although not quite in the same order.
[4]
[5]Cloud attacks are both the most concerning and least prepared for (42/34 percent) while attacks on connected products sit in second (31 percent) in terms of defense preparedness. [6]Third-party breaches came in just behind in third place (28 percent), while execs felt equally unprepared to address hack-and-leak ops and [7]ransomware – 25 percent of leaders said they were least prepared to handle these two.
"While the cybersecurity landscape continues to evolve, organizations are struggling with increasingly volatile and unpredictable threats," reads the report, which was shared with The Register before publication.
"An expanding attack surface – spurred by growing reliance on cloud, AI, connected devices, and third parties – demands an agile, enterprise-wide approach to resilience. Aligning organizational priorities and readiness is essential for maintaining security and business continuity."
AI's double-edged sword
Of course, it wouldn't be a cybersecurity report in 2024 unless AI got its moment in the spotlight.
Despite generative AI being used for good in many cases, and the majority (78 percent) increasing their investment in the tech in the past year, it's the primary contributor to the widening attack surface faced by organizations.
[8]
More than two-thirds of respondents (67 percent) said [9]genAI increased their susceptibility to attacks "slightly" or "significantly" – the most significant factor of any in the past year, although cloud was only narrowly behind at 66 percent.
[10]Ransomware gang using stolen Microsoft Entra ID creds to bust into the cloud
[11]RansomHub genius tries to put the squeeze on Delaware Libraries
[12]American Express admits card data exposed and blames third party
[13]EU lawmakers finalize cyber security rules that panicked open source devs
As a force for good, however, generative AI is being deployed widely across global organizations, supporting key cybersecurity functions such as threat detection and response, and threat intelligence.
"Cybersecurity is predominantly a data science problem," said Mike Elmore, global CISO at GSK. "It's becoming imperative for cyber defenders to leverage the power of generative AI and machine learning to get closer to the data to drive timely and actionable insights that matter the most."
Rules and regs
Shockingly, PwC also found that business leaders who have regulatory and legal requirements to improve security do just that.
Indeed, 96 percent said regulations prompted an organization to improve its security, while 78 percent said the same regs have challenged, improved, or increased their security posture.
New frameworks such as [14]DORA , [15]CIRCIA , the [16]Cyber Resilience Act , and the NIS2 Directive – the compliance deadline for which comes in a few weeks – join existing regulations such as [17]GDPR in holding organizations to account when it comes to cybersecurity.
"Organizations that embrace regulatory requirements tend to benefit from stronger security frameworks and a more robust posture against emerging threats," read PwC's report. "Compliance shouldn't be viewed as a box-ticking exercise but as an opportunity to build long-term resilience and trust with stakeholders."
These new regulations have also ushered in new investment into cybersecurity. Roughly a third of organizations (32 percent) said cyber investment increased to a "large extent" in the past 12 months. 37 percent said investment increased to a "moderate extent," while 14 percent said the increase in investment was "significant."
"As regulatory requirements continue to shape the cybersecurity landscape, it's essential that executives across the C-suite stay ahead of compliance issues while leveraging regulations as a catalyst for innovation," read the report.
"Creating alignment across security teams, risk functions, and executive leadership is crucial for maintaining compliance readiness and driving strategic improvements." ®
Get our [18]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvrLJesilpP9azlCbOd2JgAAAVA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvrLJesilpP9azlCbOd2JgAAAVA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvrLJesilpP9azlCbOd2JgAAAVA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvrLJesilpP9azlCbOd2JgAAAVA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2024/09/27/microsoft_storm_0501/
[6] https://www.theregister.com/2024/03/04/american_express/
[7] https://www.theregister.com/2024/09/25/delaware_libraries_ransomware_attack/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvrLJesilpP9azlCbOd2JgAAAVA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/08/21/microsoft_ai_copilots/
[10] https://www.theregister.com/2024/09/27/microsoft_storm_0501/
[11] https://www.theregister.com/2024/09/25/delaware_libraries_ransomware_attack/
[12] https://www.theregister.com/2024/03/04/american_express/
[13] https://www.theregister.com/2023/12/04/infosec_in_brief/
[14] https://www.theregister.com/2023/11/14/compliance_and_dodging_vendor_lockin/
[15] https://www.theregister.com/2024/03/28/critical_infrastructure_cyberattack_reporting/
[16] https://www.theregister.com/2023/12/04/infosec_in_brief/
[17] https://www.theregister.com/2024/02/21/gdpr_data_processing_costs/
[18] https://whitepapers.theregister.com/
PWC Report location
It appears that this is the source of the report for those that are interested. Requires a email and checkbox..
https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-insights/report-download-2025.html
Enjoy... if it was in the original story I missed it.. :(
"business leaders who have regulatory and legal requirements to improve security do just that"
And once again, the old song about capitalism regulating itself flies out the window.
I have trouble believing that, in this day and age, there are still utter morons who prefer to wait for a catastrophe to do something about the security of their IT infrastructure.
Today, as soon as you are connected to the Internet, you are a possible target for a legion of very savvy, dedicated miscreants who would like nothing more than to bring your company to its knees in exchange for money. And then more money. And the bigger the company, the bigger the target.
If that's not enough to get your finger out and start securing your network, then you deserve the cost that is coming to you.
Priorities
The greatest source of cyber threat in the cloud is the widespread assumption that your security management can be devolved on the cloud provider. It can't. They look after the security of their infrastructure, but every entry point to your cloud service is a potential attack target, and the responsibility for the security of all of these remains yours.
Those who thought they could "move to the cloud" and abandon their local IT security support were much mistaken.