Cloud threats have execs the most freaked out because they're not prepared

Ransomware? More like 'we don't care' for everyone but CISOs


Efficiency and scalability are key benefits of enterprise cloud computing, but they come at a cost. Security threats specific to cloud environments are the leading cause of concern among top executives and they're also the ones organizations are least prepared to address.

That's according to PwC's latest cybersecurity report, released today, which showed that cloud threats are the biggest security concern for most (42 percent) business leaders.

Rounding out the top five threats, according to PwC's 4,020 respondents, are hack-and-leak operations (38 percent), third-party breaches (35 percent), attacks on connected products (33 percent), and ransomware (27 percent).

If you've just read that and questioned why ransomware is so low on the list, you might be a CISO. The level of concern about ransomware jumped to 42 percent when analyzing responses from CISOs alone.

Here at The Register, we know many of you will also be priming your commenting fingers ready to tell us these percentages don't add up to 100 right about now. That's because the answers were taken from a survey question asking respondents to list their top three most concerning threats, so the percentage is a reflection of how many times each threat appeared in respondents' top-three rather than a single selection.

All the threats that feature in execs' top five deemed "most concerning" are perhaps unsurprisingly also the same as the threats organizations feel least prepared to address, although not quite in the same order.

Cloud attacks are both the most concerning and least prepared for (42/34 percent) while attacks on connected products sit in second (31 percent) in terms of defense preparedness. Third-party breaches came in just behind in third place (28 percent), while execs felt equally unprepared to address hack-and-leak ops and ransomware – 25 percent of leaders said they were least prepared to handle these two.

"While the cybersecurity landscape continues to evolve, organizations are struggling with increasingly volatile and unpredictable threats," reads the report, which was shared with The Register before publication.

"An expanding attack surface – spurred by growing reliance on cloud, AI, connected devices, and third parties – demands an agile, enterprise-wide approach to resilience. Aligning organizational priorities and readiness is essential for maintaining security and business continuity."

AI's double-edged sword

Of course, it wouldn't be a cybersecurity report in 2024 unless AI got its moment in the spotlight.

Despite generative AI being used for good in many cases, and the majority (78 percent) increasing their investment in the tech in the past year, it's the primary contributor to the widening attack surface faced by organizations.

More than two-thirds of respondents (67 percent) said genAI increased their susceptibility to attacks "slightly" or "significantly" – the most significant factor of any in the past year, although cloud was only narrowly behind at 66 percent.

As a force for good, however, generative AI is being deployed widely across global organizations, supporting key cybersecurity functions such as threat detection and response, and threat intelligence.

"Cybersecurity is predominantly a data science problem," said Mike Elmore, global CISO at GSK. "It's becoming imperative for cyber defenders to leverage the power of generative AI and machine learning to get closer to the data to drive timely and actionable insights that matter the most."

Rules and regs

Shockingly, PwC also found that business leaders who have regulatory and legal requirements to improve security do just that.

Indeed, 96 percent said regulations prompted an organization to improve its security, while 78 percent said the same regs have challenged, improved, or increased their security posture.

New frameworks such as DORA, CIRCIA, the Cyber Resilience Act, and the NIS2 Directive – the compliance deadline for which comes in a few weeks – join existing regulations such as GDPR in holding organizations to account when it comes to cybersecurity.

"Organizations that embrace regulatory requirements tend to benefit from stronger security frameworks and a more robust posture against emerging threats," read PwC's report. "Compliance shouldn't be viewed as a box-ticking exercise but as an opportunity to build long-term resilience and trust with stakeholders."

These new regulations have also ushered in new investment into cybersecurity. Roughly a third of organizations (32 percent) said cyber investment increased to a "large extent" in the past 12 months. 37 percent said investment increased to a "moderate extent," while 14 percent said the increase in investment was "significant."

"As regulatory requirements continue to shape the cybersecurity landscape, it's essential that executives across the C-suite stay ahead of compliance issues while leveraging regulations as a catalyst for innovation," read the report. 

"Creating alignment across security teams, risk functions, and executive leadership is crucial for maintaining compliance readiness and driving strategic improvements." ®
