As cyber attacks continue to increase in frequency, a company's cybersecurity action plan must be able to rein in and mitigate threats as they develop.

ISACA's third annual cybersecurity study finds that this issue is increasingly a business priority. The challenge? Resources and available skills are not keeping pace with a threat landscape that is rapidly escalating in complexity and volume.

The ISACA survey targets managers and practitioners who have cybersecurity job responsibilities. Respondents primarily came from North America (42%) and Europe (31%), and were employed in an enterprise with at least 1,500 employees (49%).

Its “State of Cyber Security 2017” report compares the results of this year's survey with previous results to determine recognizable trends that impact how cybersecurity is practiced, particularly where such trends point to an overall shift in the profession.

With this in mind, here are four trends shaping cybersecurity in 2017:

Security breach


As cybersecurity budgets fall short, businesses are increasingly relying on third-party vendors. (Photo: Shutterstock)

No. 4: Growing areas of concern.

Organizations with a chief information security officer (CISO) in 2017 increased to 65% compared to 50% in 2016. Staffing challenges and budgetary distribution, however, reveal where organizations face exposure.

Finding qualified personnel to fill cybersecurity positions is an ongoing challenge. For example, one-third of study respondents note that their enterprises receive more than 10 applicants for an open position. More than half of those applicants, however, are unqualified. Even skilled applicants require time and training before their job performance is up to par with others who are already working on the company's cybersecurity operation.

Half of the study respondents reported security budgets will increase in 2017, which is down from 65% of respondents who reported an increase in 2016. This, along with staffing challenges, has many enterprises reliant on both automation and external resources to offset missing skills on the cybersecurity team.

Another challenge: Relying on third-party vendors means there must be funds available to offset any personnel shortage.

If the skills gap continues unabated and the funding for automation and external third-party support is reduced, businesses will struggle to fill their cybersecurity needs.

Threats


As cyberattacks increase in volume and sophistication, businesses are increasingly exposed, particularly as their budgets to fight such breaches are declining. (Photo: Shutterstock)

No. 3: More complicated cyber threats.

Faced with declining budgets, businesses will have less funding available on a per-attack basis. Meanwhile, the number of attacks is growing, and they are becoming more sophisticated.

More than half (53%) of respondents noted an increase in the overall number of attacks compared with previous years. Only half (roughly 50%) said their companies executed a cybersecurity incident response plan in 2016.

Here are some additional findings regarding the recent uptick in cyber breaches:

  • 10% of respondents reported experiencing a hijacking of corporate assets for botnet use;
  • 18% reported experiencing an advanced persistent threat (APT) attack; and
  • 14% reported stolen credentials.

Last year's results for the three types of attacks were:

  • 15% for botnet use;
  • 25% for APT attacks; and
  • 15% involving stolen credentials.

Phishing (40%), malware (37%) and social engineering (29%) continue to top the charts in terms of the specific types of attacks, although their overall frequency of occurrence decreased: Although attacks are up overall, the number of attacks in these three categories is down.

IoT


Managing the Internet of Things (IoT) has risen as an area of business concern. (Photo: Shutterstock)

No. 2: Mobile takes a backseat to IoT.

Businesses are now more sophisticated in the mobile arena. The proof: Cyber breaches resulting from mobile devices are down. Only 13% of respondents cite lost mobile devices as an exploitation vector in 2016, compared to 34% in 2015. Encryption factors into the decrease; only 9% indicated that lost or stolen mobile devices were unencrypted.

IoT continues to rise as an area of concern. Three out of five (59%) of the 2016 respondents cite some level of concern relative to IoT, while an additional 30% are either “extremely concerned” or “very concerned” about this exposure.

IoT is an increasingly important element in governance, risk and cybersecurity activities. This is a challenging area for many, because traditional security efforts may not already cover the functions and devices feeding this digital trend.

Ransom


Ransomware continues to be a favorite means of attack for criminals. Respondents believe this is likely because of the possibility for financial gain. (Photo: Shutterstock)

No. 1: Ransomware is the new normal.

The number of code attacks, including ransomware attacks, remains high: 62% of respondents reported their enterprises experienced a ransomware attack specifically.

Half of the respondents believe financial gain is the biggest motivator for criminals, followed by disruption of service (45%) and theft of personally identifiable information (37%). Despite this trend, only 53% of respondents' companies have a formal process in place to deal with ransomware attacks.

What does that look like?


Businesses can conduct “tabletop” exercises that stage a ransomware event or discuss in advance decisions about payment vs. non-payment. Payment may seem like the easiest solution, but law enforcement agencies warn it can have an encouraging effect on those criminals, as some cases lead to repeated attacks on the same business.

Many cybersecurity specialists argue that the best way to fight a ransomware attack is to avoid one in the first place. Advance planning, which might include the implementation of a governing corporate policy or other operating parameters, can help to ensure that the best cybersecurity decisions are made when the time comes to battle a breach.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.