Absolute Security, a global leader in enterprise cyber resilience, has revealed alarming trends among Chief Information Security Officers (CISOs) in the UK.
The survey, part of the Absolute Security United Kingdom Cyber Resilience Report 2024, highlights that over one-third (35%) of CISOs admit to ignoring the National Cyber Security Centre’s (NCSC) cybersecurity guidance. This finding is particularly concerning given that 48% of respondents reported their organization was hit by a ransomware attack in the past year, a period during which the NCSC issued multiple warnings and response procedures for increased ransomware threats.
The report, compiled from responses of 250 UK CISOs at enterprise organizations polled by the independent polling agency Censuswide, provides a comprehensive look at the state of cyber resilience, security, and AI across the UK. It uncovers several critical issues, including a widespread perception that national cyber resilience strategy is inadequate. Nearly two-thirds (64%) of CISOs believe the UK lacks a clear and effective cyber resilience strategy, one that defines response policies for recovering from cyber breaches. Additionally, 77% feel the UK is falling behind the US and EU on national cyber policy, which may help explain why many CISOs disregard NCSC guidance.
“Ransomware and state-sponsored attacks are increasingly on the rise, both of which are a case of when, not if. Now, more than ever, organizations need a robust cyber resilience strategy in place to respond to and recover from attacks when they happen,” said Andy Ward, VP International for Absolute Security. “While no set of standards or frameworks will eliminate the certainty of an eventual incident, NCSC guidance is there to help protect CISOs. Ignoring nationwide protocols puts organizations at much greater risk, jeopardizing jobs, causing significant financial and reputational damage, and potentially even heaping personal liability on security leaders.”
Echoing Ward's concerns, Bharat Thakrar, CISO/CTO of CyberBTX, stated, “The fact that 35% of CISOs ignore NCSC guidance is alarming. Ignoring these guidelines not only undermines organizational security but also exposes their sensitive data to significant risks. Adhering to these standards is crucial for robust cybersecurity.”
The report also highlights the persistent threats posed by mobile and remote working environments. According to the International Monetary Fund (IMF), cyberattacks have more than doubled since the start of the COVID-19 pandemic. This surge is compounded by the challenges of remote working: 72% of CISOs state that remote working has complicated their organization’s cyber resilience posture.
Notably, 73% believe that remote working devices are the biggest weakness for their organization, as these devices often operate weeks or even months behind enterprise patching policies. Furthermore, these devices frequently encounter failures in essential security tools. When unsupported by remediation capabilities, Endpoint Protection Platforms (EPP) and network access security applications fail to operate effectively 24% of the time, creating high-risk security gaps. These vulnerabilities are underscored in the recent Absolute Security Cyber Resilience Risk Index 2024.
“The increased attack surface facing organizations due to remote devices presents a difficult challenge for CISOs as they ward off the rising number of cyber threats. Implementing an approach of cyber resilience can significantly bolster cyber defenses by increasing visibility for CISOs and their security teams,” added Ward. “Adopting technology that can continuously monitor remote devices, applications, and networks can alert centralized security teams to suspicious behavior, enabling them to freeze or shut off potentially compromised devices. This prevents threat actors from moving laterally across a network and causing major damage. These devices can then be repaired to patch up weak security controls and mitigate future cyber risks.”