Half of infosec professionals (50%) revealed that their organisations didn’t have a contingency plan in place, or didn’t know if they did, for a situation like COVID-19 or a similar scenario. This lack of forward planning has come at great risk, as 86% of infosec professionals admitted that attacks in the most common attack vectors were on the rise during this period. Cyberwarfare and IoT as an attack vector were reported to be up by 38%, and APTs and cyberespionage IP theft and social media threats/chatbots by 37% — all of which could be an indication of a bumper year for breaches.
Infosec professionals know that strategic changes need to be made rapidly, with 81% sharing their beliefs that COVID-19 will change the way their businesses operate in the long-term. These findings, and more, are revealed today in the first instalment of Bitdefender’s yet to be released global 10 in 10 Study. The section — The Indelible Impact of COVID-19 on Cybersecurity — details the pressures faced by infosec professionals during COVID-19. It explores how these pressures are testing the effectiveness of security measures, and highlights the changes they will need to make within their organisations as a result. The study takes into account the views and opinions of 6,700 infosec professionals of which 23% are CISOs, CSOs and CIOs across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden. Respondents represent a broad cross-section of organisations from fledgeling SMEs, through to publicly listed 10,000+ person enterprises in a wide variety of industries, including finance, government and energy.
The risks are immediate and felt by some more than others
No one could have foreseen the exact scenario we find ourselves in globally — with millions of employees working from home simultaneously. Rapid changes to business however often pose excellent opportunities for malicious actors to gain access to corporate information. Infosec professionals report that, in their opinion, phishing or whaling attacks (26%), ransomware (22%), social media threats/chatbots (21%), cyberwarfare (20%), trojans (20%) and supply chain attacks (19%), have risen during the pandemic — and that is to name but a few attack vectors. While this perceived rise is alarming, the rate at which attacks have seemingly increased is even more concerning. According to respondents, they believe Ransomware was up by 31%, and DDoS attacks by 36%.
As more employees work from home than ever during the pandemic and possibly many more will want to in the future, infosec professionals are concerned about the security implications. More than one in three (34%) say they fear that employees are feeling more relaxed about security issues because of their surroundings. In addition, others say that employees not sticking to protocol, especially in terms of identifying and flagging suspicious activity, is a worry (33%). Considering the perceived rise in phishing and whaling attacks, 33% of infosec professionals are also concerned about their colleagues falling prey to these attacks, and 31% cite the risk of a serious data leak unwittingly caused by employees. A quarter (25%) are also rightly worried about bad actors targeting people working from home with malware and ransomware. This point may already have been proven by the reported increase in this attack vector.
Infosec professionals have also identified specific risks related to home working. Two in five say that employees using untrusted networks is a risk to their organisation, and 38% say there is a definitive risk in another person having access to an employee company device. But the risk factors don’t end there. Just over a third (37%) go on to say that using personal messaging services for both business and personal reasons poses a risk, and they also see unintended company information disclosure as a hazard to contend with.
While there is no doubt that all industries are at risk of cybercrime, respondents revealed that they believe that financial services (43%), healthcare (including tele medicine) 34%, and the public sector (29%) to be the hardest hit industries in terms of increase in cybersecurity attacks during COVID-19. This is followed by retail (22%), energy (20%) and education (18%). Alarmingly, 77% of infosec professionals believe that healthcare was not adequately prepared due to budget constraints.
“At least half of organisations admitted they were not prepared for a scenario such as this, whereas the attackers are seizing the opportunity. But within the current situation there is a great opportunity for positive change in cybersecurity,” comments Liviu Arsene, Global Cybersecurity Researcher at Bitdefender.
Change is afoot, and long-term plans are unfolding
Arsene continues, “In cybersecurity with high stakes around monetary and reputational loss the ability to change, and change rapidly, without increasing risk is critical. With COVID-19 changing the business landscape for the foreseeable future security strategy has to change. The good news is that the majority of infosec professionals have recognised this need for rapid change, although forced by current by circumstances, and have started taking action.”
As a result of the increase in home working, just over one in five infosec professionals (22%) reveal they have already started providing VPN and made changes to VPN session lengths. A similar group (20%) have also shared comprehensive guides to cybersecurity and working from home, and pre-approved applications and content filtering with employees, and 19% have updated employee cybersecurity training. Yet, despite their fears of a rise in attacks, only 14% have invested a significant amount of money in upgrading security stacks, 12% have bought additional cybersecurity insurance, and only 11% have implemented a zero trust policy — all of which indicates more changes are still to be made.
At the same time, the pandemic has provided a valuable opportunity to learn how to tackle changes in workforce patterns, and how to plan for unexpected events. One in three infosec professionals (31%) say they intend to keep 24/7 IT support, and will increase the number of training sessions in IT security for employees. Almost a quarter (23%) have also cited that they are going to increase the cooperation with key business stakeholders when defining cybersecurity policies, and an equal percentage will increase outsourcing IT security expertise.
Arsene concludes, “Change is an undeniable threat to cybersecurity, as is being unprepared. The stakes are high in terms of loss of customer loyalty and trust — not to mention to the bottom line.
“COVID-19 has however presented infosec professionals with the opportunity to reassess their infrastructure and refocus on what end users/employees really need and want in terms of cybersecurity support. The 10 in 10 Indelible Impact of COVID-19 on Cybersecurity Study reveals that unprecedented change does pose risks, but that it also provides an opportunity to reassess strategy. It is also evident that, despite identifying risks, there is still a need for further investigation into what investments need to be made to ensure that corporate data and employees are both safe from bad actors. While it’s a challenge to make changes now, it will shore up business for the future and many more unknown scenarios.”