As cyber attacks continue to increase in frequency, a company's cybersecurity action plan must be able to rein in and mitigate threats as they develop.

ISACA's third annual cybersecurity study finds that this issue is increasingly a business priority. The challenge? Resources and available skills are not keeping pace with a threat landscape that is rapidly escalating in complexity and volume.

The ISACA survey targets managers and practitioners who have cybersecurity job responsibilities. Respondents primarily came from North America (42%) and Europe (31%), and were employed in an enterprise with at least 1,500 employees (49%).

Its "State of Cyber Security 2017" report compares the results of this year's survey with previous results to determine recognizable trends that impact how cybersecurity is practiced, particularly where such trends point to an overall shift in the profession.

With this in mind, here are four trends shaping cybersecurity in 2017:

As cybersecurity budgets fall short, businesses are increasingly relying on third-party vendors. (Photo: Shutterstock)

No. 4: Growing areas of concern.

Organizations with a chief information security officer (CISO) in 2017 increased to 65% compared to 50% in 2016. Staffing challenges and budgetary distribution, however, reveal where organizations face exposure.

Finding qualified personnel to fill cybersecurity positions is an ongoing challenge. For example, one-third of study respondents note that their enterprises receive more than 10 applicants for an open position. More than half of those applicants, however, are unqualified. Even skilled applicants require time and training before their job performance is up to par with others who are already working on the company's cybersecurity operation.

Half of the study respondents reported security budgets will increase in 2017, which is down from 65% of respondents who reported an increase in 2016. This, along with staffing challenges, has many enterprises reliant on both automation and external resources to offset missing skills on the cybersecurity team.

Another challenge: Relying on third-party vendors means there must be funds available to offset any personnel shortage.

If the skills gap continues unabated and the funding for automation and external third-party support is reduced, businesses will struggle to fill their cybersecurity needs.

As cyberattacks increase in volume and sophistication, businesses are increasingly exposed, particularly as their budgets to fight such breaches are declining. (Photo: Shutterstock)

No. 3: More complicated cyber threats. 

Faced with declining budgets, businesses will have less funding available on a per-attack basis. Meanwhile, the number of attacks is growing, and they are becoming more sophisticated.

More than half (53%) of respondents noted an increase in the overall number of attacks compared to previous years. Only half (roughly 50%) said their companies executed a cybersecurity incident response plan in 2016.

Here are some additional findings regarding the recent uptick in cyber breaches:

  • 10% of respondents reported experiencing a hijacking of corporate assets for botnet use;
  • 18% reported experiencing an advanced persistent threat (APT) attack; and
  • 14% reported stolen credentials.

Last year's results for the three types of attacks were:

  • 15% for botnet use;
  • 25% for APT attacks; and
  • 15% involving stolen credentials.

Phishing (40%), malware (37%) and social engineering (29%) continue to top the charts in terms of the specific types of attacks, although their overall frequency of occurrence decreased: Although attacks are up overall, the number of attacks in these three categories is down.

Managing the Internet of Things (IoT) has risen as an area of business concern. (Photo: Shutterstock)

No. 2: Mobile takes a backseat to IoT.

Businesses are now more sophisticated in the mobile arena. The proof: Cyber breaches resulting from mobile devices are down. Only 13% of respondents cite lost mobile devices as an exploitation vector in 2016, compared to 34% in 2015. Encryption factors into the decrease; only 9% indicated that lost or stolen mobile devices were unencrypted.

IoT continues to rise as an area of concern. Three out of five (59%) of the 2016 respondents cite some level of concern relative to IoT, while an additional 30% are either "extremely concerned" or "very concerned" about this exposure.

IoT is an increasingly important element in governance, risk and cybersecurity activities. This is a challenging area for many, because traditional security efforts may not already cover the functions and devices feeding this digital trend.

Ransomware continues to be a favorite means of attack for criminals. Respondents believe this is likely because of the possibility for financial gain. (Photo: Shutterstock)

No. 1: Ransomware is the new normal.

The number of code attacks, including ransomware attacks, remains high: 62% of respondents reported their enterprises experienced a ransomware attack specifically.

Half of the respondents believe financial gain is the biggest motivator for criminals, followed by disruption of service (45%) and theft of personally identifiable information (37%). Despite this trend, only 53% of respondents' companies have a formal process in place to deal with ransomware attacks.

What does that look like?

Businesses can conduct "tabletop" exercises that stage a ransomware event or discuss in advance decisions about payment vs. non-payment. Payment may seem like the easiest solution, but law enforcement agencies warn it can have an encouraging effect on those criminals as some cases lead to repeated attacks of the same business.

Many cybersecurity specialists argue that the best way to fight a ransomware attack is to avoid one in the first place. Advance planning, which might include the implementation of a governing corporate policy or other operating parameters, can help to ensure that the best cybersecurity decisions are made when the time comes to battle a breach.
