Enterprise Security Leaders See AI and Machine Learning as the Biggest Near-Term Cyberthreats, ISG Study Finds

STAMFORD, Conn.--(BUSINESS WIRE)--Global enterprise leaders see emerging AI and machine learning technologies as the biggest looming threat to cybersecurity, and are focusing future cyber investments on detection and prevention rather than remediation, according to new survey research from Information Services Group (ISG) (Nasdaq: III), a leading global technology research and advisory firm.

The ISG Cybersecurity Buyer Behavior Study of more than 200 global IT and enterprise executives found the vast majority – 95 percent – of respondents reported multiple cyberattacks and incidents in their organization over the previous 12 months. The most common incidents were phishing, which was cited by three-quarters (74 percent) of respondents, malware (60 percent) and software vulnerabilities, which affected 50 percent of survey participants.

The study also found phishing, ransomware and third-party vulnerabilities were the most challenging attacks for responding enterprises to remediate.

“The number-one security risk organizations expect over the next two years is the evolving threat from AI and machine learning, listed as a top threat by 56 percent of respondents,” said Alex Bakker, ISG Distinguished Analyst and author of the study. “Even as they face ongoing phishing and software-related attacks, senior enterprise leaders are doubling down on prevention over remediation as they prepare for more sophisticated and harder-to-detect attacks.”

The perceived risk from AI and machine learning is particularly strong in banking and financial services firms, where nearly 80 percent of participants highlighted emerging technology as a top-three challenge. Ransomware and cloud-based threats also remain an important focus for 46 percent and 45 percent of security decision makers in all industries, respectively.

The average security budget increased 4.64 percent in 2023 over 2022, against an ever-wider set of priorities for CISOs and their teams. Typical security budgets are around 0.8 percent of overall organizational revenue, the study found, rising to one percent of revenue for the largest organizations (those with 100,000 or more employees). While other department budgets are decreasing by approximately seven percent year-on-year, annual security budgets continue to increase at around four to five percent per annum.

In terms of future mitigation, companies were most likely to focus on protection and on increased training rather than improvements to response and recovery. Around half of enterprise budgets are allocated for threat detection and prevention (approximately 25 percent each), and 30 percent is allocated to response and recovery.

“Every cybersecurity program must strike a balance between protection and resiliency,” said Doug Saylors, partner and co-leader of ISG Cybersecurity. “Virtually every enterprise – large and small – experiences regular cyberattacks. Interestingly, respondents were more likely to blame prevention and detection measures – the areas that garner the highest percentage of investment – for allowing cyber incidents to occur, rather than human error or technology.

“While the protection of data and detection of attacks are critical, it is equally important to have tested and proven incident response and recovery plans in place to help restore operations quickly,” Saylors said. “Companies can take days or even weeks to recover from an attack. With attacks a near certainty, enterprises need to focus on what to do when – not if – an attack succeeds.”
