While attack vectors remain largely the same year over year, attack
volume will increase and cybercrime may be vastly underreported,
according to the 2019
State of Cybersecurity Study from ISACA.
This press release features multimedia. View the full release here:
ISACA’s State of Cybersecurity 2019 Report, Part 2 Infographic: Attacks, Awareness and Governance (Graphic: Business Wire)
“Underreporting cybercrime—even when disclosure is legally
mandated—appears to be the norm,” said Greg Touhill, Brigadier General
(ret), ISACA Board Director, president of Cyxtera Federal and the first
US Federal CISO. “Half of all survey respondents believe most
enterprises underreport cybercrime, even when required.”
Equally concerning, only 34 percent of cybersecurity leaders have high
levels of confidence in their cybersecurity team’s ability to detect and
respond to cyberthreats. The highest levels of confidence are correlated
with teams reporting directly into the CISO, and the lowest levels are
correlated with teams reporting into the CIO. Forty-three percent of
respondents say their teams report to a CISO, and 27 percent report to a
“What we can conclude from this year’s study is that governance dictates
confidence level in cybersecurity,” said Frank Downs, ISACA’s director
of cybersecurity practices.
These findings indicate confusion around structuring cybersecurity with
of Cybersecurity Study, sponsored by HCL, captures perspectives of
more than 1,500 individuals who define the field worldwide.
According to this report, released today at Infosecurity Europe, the top
three threat actors remain cybercriminals, hackers and nonmalicious
insiders. Phishing, malware and social engineering are the most
prevalent attack types for the third year in a row. Ransomware decreased
significantly; 37 percent of organizations reported experiencing
ransomware in last year’s study, compared to 20 percent this year.
Just under half of organizations report an increase in cybersecurity
attacks this year, and 79 percent consider it likely they will
experience a cyberattack next year.
“Cybersecurity suffers from a siloed and static approach,” said Renju
Varghese, Fellow & Chief Architect, CyberSecurity & GRC, at HCL
Technologies Ltd. “Many teams are missing significant attacks because
they don’t have the size or expertise to keep up with attackers.
Moreover, their existing security tools and processes are segregated and
seldom work in tandem.”
However, by carefully analyzing variables contributing to incident
susceptibility and team inefficiency—including cyber reporting
structure, prevalent attack methods and team readiness through a culture
of continuing professional education—organizations can better prepare
themselves for dangers presented by cyber miscreants, says Downs.
State of Cybersecurity 2019 parts 1 and 2 are available for free
as part of ISACA’s Cybersecurity
Nexus, which offers credentials, training, guidance and research for