Singapore’s Boards Wary of Generative AI Security Risk: Proofpoint Report
Proofpoint, Inc., a leading cybersecurity and compliance company, today released its second annual Cybersecurity: The 2023 Board Perspective report, which explores the board of directors’ views on the global threat landscape, cybersecurity priorities, and relationships with CISOs. The findings reveal that board members in Singapore believe they are at a higher risk of a material cyber-attack (89%) in 2023, a 35% increase compared to last year (66%) and higher than the global average of 73%. Paradoxically, Singapore board members rank last in terms of feeling prepared to cope with a cyber-attack despite the country ranking first in terms of agreeing their organisation has adequately invested in cybersecurity.
This year-over-year change may reflect the ongoing volatility of the threat landscape, including lingering geopolitical tensions and rises in disruptive ransomware and supply chain attacks. The emerging risk of artificial intelligence (AI) tools such as ChatGPT may also be contributing to these sentiments: 78% of Singapore board members believe generative AI is a security risk for their organisation, just behind Japan (79%).
The Cybersecurity: The 2023 Board Perspective report examines global, third-party survey responses from 659 board members at organisations with 5,000 or more employees across different industries. In June 2023, more than 50 board directors were surveyed in each market across 12 countries.
According to the report, Malware (40%), Cloud Account Compromise (36%), and Insider Threats (36%) are perceived as the biggest cybersecurity threats that will emerge in the next year. Last year, the top 3 biggest threats were Business Email Compromise (41%), Cloud Account Compromise (37%), and Ransomware Attacks (32%). Worryingly, only 26% of boards think that supply chain attacks are a top concern, despite a marked increase that is projected to cost businesses almost $46 billion by the end of 2023 and more than $80 billion by 2026.
Yvette Lejins, Resident CISO, Asia Pacific and Japan at Proofpoint, said: “While it is encouraging that boards are recognising changes in the cybersecurity landscape and taking steps to mitigate these attacks — we must remember not to become too complacent. As we saw with MOVEit, supply chain attacks are becoming increasingly costly, so it is important that organisations take steps to break the attack chain by protecting their employees and defending sensitive data.”
The report also compares the board’s alignment with CISOs based on the sentiments uncovered in Proofpoint’s 2023 Voice of the CISO report released in May this year.
“The newfound alignment between board members and their CISOs on cyber risk and preparedness is a positive sign that the two sides are working closer together and making progress. However, this growing alliance hasn’t yet delivered significant changes in cybersecurity posture,” said Ryan Kalember, Executive Vice President of Cybersecurity Strategy at Proofpoint. “Our findings show that it remains a challenge to translate increased awareness into effective cybersecurity strategies that protect people and data. Boards must continue to invest heavily in improving preparedness and organisational resilience, which means pushing for even deeper, more productive conversations with CISOs to ensure directors are making informed, strategic decisions that drive positive outcomes.”
Key Singapore findings from Proofpoint’s Cybersecurity: The 2023 Board Perspective report include:
- Generative AI has most of the boardroom’s attention: with tools such as ChatGPT getting much of the spotlight in recent months, 78% of surveyed Singaporean board directors view this emerging technology as a security risk to their organisation.
- Year-over-year comparison shows Singaporean board members are much more concerned about cyber risk: 89% of those surveyed feel their organisation is at risk of a material cyber-attack, compared to 66% in 2022.
- Awareness and funding do not translate into preparedness: 79% of Singaporean board directors agree that cybersecurity is a priority for their board, 89% believe their board clearly understands the cyber risks they face, 86% think they have adequately invested in cybersecurity, and 97% believe their cybersecurity budget will increase over the next 12 months. However, 81% still view their organisation as unprepared to cope with a cyber-attack.
- Board members and CISOs have different concerns about their biggest threats: Singaporean board members ranked malware (43%), ransomware (41%), insider threat (40%), and supply chain attacks (40%) as their top concerns. This is mostly different from CISOs’ top concerns of insider threat (35%), cloud account compromise (35%), and email fraud/BEC (32%).
- Directors are not aligned with CISOs in the areas of people risk and data protection: while most Singaporean board directors (68%) and CISOs (59%) agree that human error is their biggest risk, board members are much more confident in their organisation’s ability to protect data—86% of directors share this view, compared to 68% of CISOs.
- Improved security awareness and culture, bigger budgets, and additional cyber resources top boardrooms’ wish lists: 44% of Singaporean board directors said their organisation’s cybersecurity would benefit from improved security awareness and culture amongst employees, 43% would like to see a greater cybersecurity budget, and 38% would like additional cyber resources.
- Board-CISO interactions and relationships are improving: 59% of Singaporean board directors say they interact with security leaders regularly. While a significant increase from last year’s 37%, it still leaves nearly half of all boardrooms without strong CISO-C-suite relationships. Board members and CISOs are generally aligned when they do interact, however, with 76% of board members saying they see eye-to-eye with their CISO and 60% of CISOs agreeing.
- Personal liability is much more of a concern for boards than CISOs: 76% of Singaporean board directors expressed concern about personal liability in the wake of a cybersecurity incident at their own organisation, while only 56% of CISOs agree.