By Reef Pearson, SecureTeam
News headlines during the COVID-19 crisis have been focused on frightening cybersecurity statistics, critiques of staff WFH, and panic-inducing discussions of the skills gap in the cybersecurity industry.
Although there have been so many avoidable cyber disasters published in the press, there hasn’t been any discussion about the security companies that failed to protect the organisations that fell victim to the attacks.
Rather than focusing on how cybersecurity firms have failed to provide the service they promised, the media has instead been stuck on fear-mongering to businesses about cyber risks, which in turn has been a catalyst for demand for cybersecurity services. So, does this imply that the industry is currently booming because it’s failing?
Who Was Really Responsible for The Pandemic’s Cybersecurity Crisis?
The worldwide shift to home-working quickly became a hot topic in the news and remains a huge subject of debate because of its global impact on lifestyle. The media didn’t shy away from raising huge red flags and scary statistics about employee cyber-attacks and attempts during the pandemic, with reportedly 47% of individuals working from home falling for phishing scams.
Decreased consumer spending prompted credit card hackers to find more creative ways to create income, and the rapid switch to remote working caused a huge increase in technological vulnerability – undoubtedly, there was reason to panic. However, the media framed the majority of this ‘cyber chaos’ as the fault of staff working from home, caused by ignorance and mistakes, when really these were the cybersecurity failures of their employers.
A workforce should not have to be cybersecurity experts for cyberattacks to be avoided. Instead, employers should be taking continuous steps to protect their team, whether that be with the recruitment of an external cybersecurity consultant or an in-house team. And all of these preventative measures should have been implemented long before the pandemic came into effect. Cybersecurity best practices should be preventative, not reactive.
Yet despite the click-bait reporting we’ve seen frequenting the news, an Interpol assessment revealed that the largest shift in attacks during the pandemic actually didn’t affect employees; instead, attacks shifted towards targeting major corporations and government agencies rather than smaller businesses and individuals. For example, the World Health Organization reported a 500% increase in cyber attacks at the beginning of the pandemic.
It is impossible to argue that this influx of high-profile, large-scale attacks is the fault of any employees, and it provides evidence of cybersecurity failures occurring in even the largest of public and private sector companies. Because of their high visibility and their crucial place in the economy’s infrastructure, the public and private sector companies that fell victim to attacks and leaks during the pandemic should have already had world-class cybersecurity measures in place – the pandemic just showed us how easy it was to bypass these systems.
Yet again, though, much to the delight of cybersecurity firms, the media fixated on fearmongering to other businesses rather than focusing on who was to blame for the failures. This meant that the same cybersecurity firms that failed to prevent these huge disasters were the ones employed to protect other businesses scared by the news.
How The Industry is Thriving as a Result of Failing
‘Cybersecurity job’ searches are at an all-time high on Google, and the market is facing a huge shortage of talent as a result of the rising demand accelerated by COVID-19. A recent study revealed that there are 50% fewer candidates than jobs available in the cyber labour market, with 3.5 million cybersecurity jobs expected to go unfilled this year.
The media’s coverage of the ‘COVID-19 cybersecurity crisis’ basically acted as free organic marketing for the industry, fuelled by fear and panic. Simply put, businesses reading about the terrifying consequences of bad cybersecurity are pumping more money into services from the exact industry whose failures were the reason for their initial panic.
Of course, it isn’t quite that simple, and it is unsurprising that an increase in cyber attacks correlates with an increase in demand for cybersecurity experts. However, it is the undiscussed cycle of this process that makes the industry’s inability to be held accountable for its failures so interesting. The negative press never seems to stick to the cybersecurity firms involved, just to the companies that fall victim.
In these circumstances, the saying ‘all press is good press’ has never rung so true, as the cybersecurity industry has catapulted its own growth by failing to protect its customers in the first place.