Proofpoint’s Second Annual Board Perspective Report Reveals Nearly Half of UK Board Members Feel at Risk of Cyber Attack and Unprepared
41% of UK board members view generative AI as a security risk for their organisation
LONDON, September 6, 2023 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released its second annual Cybersecurity: The 2023 Board Perspective report, which explores board of directors’ views on the global threat landscape, cybersecurity priorities, and relationships with CISOs. The global findings reveal that nearly three-quarters (73%) of those surveyed feel at risk of a material cyber attack, a notable increase from 65% in 2022. In contrast, a year-over-year comparison shows that while almost half of UK board members (44%) feel their organisation is at risk of a material cyber attack, they are in fact much less concerned about this risk than previously (76% in 2022).
With geopolitical tensions, rises in disruptive ransomware and supply chain attacks, the threat landscape remains volatile, and cybersecurity continues to be a priority for board members globally. The emerging risk of artificial intelligence (AI) tools such as ChatGPT is also a concern: 59% of global board members (41% in the UK) believe generative AI is a security risk for their organisation.
Global board members have those concerns even though 73% view cybersecurity as a priority, 72% believe their board clearly understands the cyber risks they face, and 70% believe they have adequately invested in cybersecurity.
The Cybersecurity: The 2023 Board Perspective report examines global, third-party survey responses from 659 board members at organisations with 5,000 or more employees across different industries. In June 2023, more than 50 board directors were surveyed in each of the following 12 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico.
The report explores three key areas: the cyber threats and risks boardrooms face, their level of preparedness to defend against those threats, and their alignment with CISOs based on the sentiments Proofpoint uncovered in our 2023 Voice of the CISO report. Globally, we found a similar year-over-year increase in the number of CISOs who feel at risk and unprepared, and a closer alignment than before between board directors and security leaders.
“The newfound alignment between board members and their CISOs on cyber risk and preparedness is a positive sign that the two sides are working closer together and making progress. However, this growing alliance hasn’t yet delivered significant changes in cybersecurity posture, despite boards feeling good about the time and resources they’re investing to combat this risk,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “Our findings show that it remains a challenge to translate increased awareness into effective cybersecurity strategies that protect people and data. Growing even stronger board-CISO relationships – particularly in the UK, where our data shows the need for significant improvement in this area – will be instrumental in the months ahead so directors and security leaders can have more meaningful conversations and ensure they’re investing in the right priorities.”
Key UK findings from Proofpoint’s Cybersecurity: The 2023 Board Perspective report include:
- Generative AI has some of the boardroom’s attention: with tools such as ChatGPT getting much of the spotlight in recent months, 41% of surveyed UK board directors view this emerging technology as a security risk to their organisation.
- Year-over-year comparison shows UK board members feel much less concerned about cyber risk: 44% of those surveyed feel their organisation is at risk of a material cyber attack, compared to 76% in 2022. This is in contrast with global board members, 73% of whom now feel at risk.
- Awareness and funding do not translate into preparedness: 56% of UK board directors agree that cybersecurity is a priority for their board, 50% believe their board clearly understands the cyber risks they face, 48% think they have adequately invested in cybersecurity, and 66% believe their cybersecurity budget will increase over the next 12 months; however, these efforts are not leading to better preparedness—44% still view their organisation as unprepared to cope with a cyber attack in the next 12 months.
- Board members and CISOs have different concerns about their biggest threats: UK board members ranked malware (35%), cloud account compromise (33%), and ransomware (33%) as their top concerns. This is mostly different from CISOs’ top concerns of email fraud/BEC (34%), insider threat (30%), cloud account compromise (30%), and smishing/vishing (30%).
- Directors and CISOs have widely different views about people risk and data protection: UK board directors (56%) feel much less strongly than CISOs (78%) that human error is their biggest risk. Board members are also much less confident in their organisation’s ability to protect data—56% of directors share this view, compared to 73% of CISOs.
- Better technical controls, a bigger budget, and stronger cyber regulations top boardrooms’ wish lists: 33% of UK board directors said their organisation’s cybersecurity would benefit from better technical controls, 31% would like to see a bigger budget, and 31% would like stronger cyber regulations.
- Board-CISO interactions and relationships need significant improvement: 43% of UK board directors say they interact with security leaders regularly, a sharp decrease from last year’s 55%. This leaves nearly half of all boardrooms without strong CISO-C-suite relationships. Board members and CISOs also lack alignment when they do interact, with only 39% of board members saying they see eye-to-eye with their CISO compared with 74% of CISOs who share this view.
- Personal liability is more of a concern for CISOs than boards: 79% of UK CISOs expressed concern about personal liability in the wake of a cybersecurity incident at their own organisation compared with 54% of board directors.
“UK board members should keep in mind that the risk of material cyber attacks is still very real and threats will continue to evolve,” says Andrew Rose, Resident CISO, EMEA at Proofpoint. “Establishing and nurturing strong board-CISO partnerships is more critical than ever, and this is certainly not a time to grow complacent. Boards must continue to invest heavily in improving preparedness and organisational resilience. This means pushing for even deeper, more productive conversations with CISOs to ensure directors are making informed, strategic decisions that drive positive outcomes.”
To download Cybersecurity: The 2023 Board Perspective report, please visit: https://www.proofpoint.com/uk/resources/white-papers/board-perspective-report
For more insights, research, trends, resources, events, and other CISO-level content, visit Proofpoint’s CISO Hub at www.proofpoint.com/us/ciso-hub.
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.