Executive Insights: The State of Information Security in 2024

I am pleased to present the findings from our latest State of Information Security Report, conducted in partnership with independent market research firm Censuswide. This year, we expanded our survey to include respondents from the UK, USA, and Australia, providing a truly comprehensive view of the current information security and compliance landscape.

For me, the report underscores a pivotal evolution in information security. Amidst the rapid technological advancements and shifts in the global business environment, our findings highlight the profound impact of information security on business resilience and success.

The role of robust information security practices has transitioned from being a preventive measure to a fundamental driver of business growth. The report reveals that organisations that deeply integrate information security into their operational ethos enhance their defence against cyber threats and strengthen their market position, ultimately achieving significant competitive and financial advantages.

Charting Today’s Risk Landscape

As I reflect on the industry’s challenges, it’s clear that today’s business IT leaders are entering uncharted waters. The pandemic and subsequent economic uncertainties have accelerated digital transformation, yet each new investment and partnership expands our digital attack surface.

As supply chains increasingly become the lifeblood of global commerce, their vulnerability to cyberattacks is increasing, with cybercriminals often targetting smaller suppliers to infiltrate larger organisations. Our survey indicates that 64% of respondents see more frequent supply chain security risks, with 79% experiencing at least one incident in the past year.

This reality underscores why 38% of respondents flagged managing vendor and third-party risk as the most significant challenge facing their businesses, taking the number one spot. Moreover, managing and securing IoT and BYOD devices (30%) also ranked among the top five concerns. These investments hold substantial business value, but that value can only be realised if risks are appropriately managed.

Compliance with a complex web of international and domestic regulations was the second biggest challenge, cited by 33% of information security leaders.

Effective risk management and compliance are not just about avoiding penalties. They are critical for ensuring the integrity and reliability of business operations, enhancing competitive advantage, and driving business value. Streamlining compliance processes is essential to stay ahead.

The Relentless Threat of Cyber Actors

As the risk landscape intensifies, cyber criminals’ relentless innovation constantly reminds us of the vulnerabilities we must guard against. Over the past year, malware infections were the most reported incidents, particularly in the tech sector. The rise of “as-a-service” malware packages has made it easier for attackers to execute complex attacks, leading to data breaches and ransomware attacks. The outcomes range from cryptocurrency mining and network access to full system encryption and sensitive data or credential theft.

Alongside these growing risks, social engineering remains a critical threat, with 32% of respondents reporting incidents. The sophistication of AI-powered deepfakes is also particularly concerning as they become more prevalent in business email compromise schemes, and more than 40% of businesses report being impacted by deepfakes, a rise from 0% in 2023’s report.

As cyber threats become more sophisticated, maintaining vigilance and continuously updating your security strategies is essential. Failing to address these threats could result in severe consequences, including significant data loss, service outages, and financial and brand damage.

The Critical Role of Data Protection

Data remains arguably an organisation’s most valuable commodity. This value is why regulations like GDPR have set such high standards for protecting and handling information securely. It’s also why threat actors are highly motivated to access this data—whether for fraud, extortion, or strategic purposes.

Partner data breaches are the most reported, with 41% of respondents citing such incidents in the past 12 months. This highlights the persistent risks suppliers pose, as this data is often less well-secured. Notably, these breaches are more prevalent in the tech sector, at 55%, than in retailers, at 27%.

Financial data was the second most compromised type, 39%, followed by asset, 34%, customer, 33), and product data, 32%. Surprisingly, just 27% of respondents reported personally identifiable information (PII) compromised despite being a common target in ransomware attacks. This data type is particularly at risk in the energy and utilities, 38%, and 35% retail sectors.

The report did highlight that improved employee training and awareness are making a positive impact. However, the persistent use of personal devices for work without proper security measures remains a significant risk. Organisations must continue to educate employees and enforce stringent security protocols to mitigate these threats.

The Dual Role of AI in Cybersecurity

AI is both a challenge and an opportunity in cybersecurity. 76% of security professionals believe AI and machine learning (ML) technology will improve information security, and 64% plan to increase their budgets accordingly. Indeed, these tools can help bridge skills gaps, automate threat detection, and improve response times, to name a few benefits.

Despite the hype around generative AI (GenAI), only 26% of respondents reported adopting new technologies such as AI, ML, and blockchain for security in the past year. This is surprising given that AI applications in cybersecurity extend far beyond GenAI, with ML being used in spam filtering and other areas for years. The reluctance to engage in new projects might explain why only 11% view managing and securing emerging technologies as a significant challenge.

Even fewer respondents, 7%, are concerned about AI privacy breaches, which is becoming an emerging issue as organisations integrate GenAI into their operations. High-profile incidents, such as Samsung employees inadvertently sharing sensitive information via GenAI prompts, highlight the risks. Forrester predicts significant data breaches and regulatory fines for GenAI users in 2024, emphasising the threat of insecure code generated by these tools. The UK’s National Cyber Security Centre (NCSC) has also warned that GenAI could exacerbate ransomware threats by facilitating surveillance and social engineering.

However, the regulatory landscape is evolving. The EU’s AI Act holds all AI providers accountable, introducing conformity assessments for high-risk AI systems. The US relies on Presidential executive orders, with potential federal laws forthcoming. The UK is also signalling intent to regulate AI use. Standards like ISO 42001 will be crucial for organisations to provide assurances to regulators.

Although only 13% of respondents currently use information security and compliance to boost the secure adoption of new technologies, this figure is expected to rise as regulatory actions increase and technology use becomes more widespread.

The Business Value of Compliance

Historically, boardrooms have viewed compliance as a necessary evil—a means to avoid punitive fines and bad publicity. However, our research reveals a significant shift in this perception. In the UK, there is an increase in fines, with 26% of respondents being fined between £250-500K (up from 21% in 2023) and 35% being fined £100K-250K (up from 18%). While fines are a factor, they are only a part of the compliance story.

Compliance motivations extend far beyond avoiding penalties. 34% of respondents view compliance as crucial for maintaining a competitive edge, and an equal percentage are driven by increasing customer demand for robust security measures. Protecting business (30%) and customer (29%) information is also a key motivator, while 27% see compliance as essential for entering new markets and supply chains.

Investing in compliance programs yields tangible benefits, with 34% of respondents reporting enhanced reputations as secure and reliable entities. 30% have achieved cost savings by reducing cybersecurity incidents, and 29% have realised time savings through more efficient security processes. Compliance also attracts investors seeking low-risk companies (28%) and helps streamline security infrastructure (28%), making managing it easier and less costly. Additionally, 26% have improved business decision-making through secure and reliable data, while only 19% prioritise compliance to avoid fines.

Despite the benefits, challenges persist. Nearly half (46%) of respondents reported that complying with ISO 27001 took them between six and 12 months. An additional 11% say it took 12 to 18 months, and 5% claim it took more than a year and a half.

This timeline indicates a need for more streamlined processes and trusted compliance partners. By leveraging experienced partners, organisations can expedite compliance efforts, reduce associated costs, and maintain robust security measures.

What’s Next For Information Security?

What is clear is that organisations continue to navigate myriad threats and regulatory requirements while driving significant change initiatives, not least the emerging role of AI. Compliance with best practice frameworks and standards is not just about meeting regulatory demands but about building a resilient and trustworthy business.

At ISMS.online, our commitment is to support our clients in this journey, helping them streamline compliance processes and secure their digital futures. Looking ahead, I am confident that the integration of robust information security practices will be critical to sustainable growth and success.

I want to thank all the respondents who contributed to this invaluable research. If you would like to read the full report, you can do so here: https://www.isms.online/state-of-infosec-24/