Half of information security professionals had no contingency plan in place for COVID-19
Half of infosec professionals revealed that their organizations didn’t have a contingency plan in place, or didn’t know if they did, for a situation like COVID-19 or a similar scenario.
According to the newest Bitdefender report, The Indelible Impact of COVID-19 on Cybersecurity Study, this lack of forward planning has come at great risk, as 86% of infosec professionals admitted that attacks in the most common attack vectors were on the rise during this period. Cyberwarfare and IoT as an attack vector were reported to be up by 38%, and APTs, cyberespionage IP theft and social media threats/chatbots by 37%, all of which could be an indication of a bumper year for breaches.
Infosec professionals know that strategic changes need to be made rapidly, with 81% sharing their belief that COVID-19 will change the way their businesses operate in the long term. These findings, and more, are revealed today in the first installment of Bitdefender’s yet-to-be-released global 10 in 10 Study. The section, The Indelible Impact of COVID-19 on Cybersecurity, details the pressures faced by infosec professionals during COVID-19. It explores how these pressures are testing the effectiveness of security measures, and highlights the changes they will need to make within their organizations as a result. The study takes into account the views and opinions of 6,700 infosec professionals, of whom 23% are CISOs, CSOs and CIOs, across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden. Respondents represent a broad cross-section of organizations, from fledgling SMEs through to publicly listed 10,000+ person enterprises, in a wide variety of industries, including finance, government and energy.
The risks are immediate and felt by some more than others
No one could have foreseen the exact scenario we find ourselves in globally, with millions of employees working from home simultaneously, says the report. Rapid changes to business, however, often pose excellent opportunities for malicious actors to gain access to corporate information. Infosec professionals report that, in their opinion, phishing or whaling attacks (26%), ransomware (22%), social media threats/chatbots (21%), cyberwarfare (20%), trojans (20%) and supply chain attacks (19%) have risen during the pandemic, and that is to name but a few attack vectors. While this perceived rise is alarming, the rate at which attacks have seemingly increased is even more concerning. Respondents believe ransomware was up by 31%, and DDoS attacks by 36%.
With more employees than ever working from home during the pandemic, and possibly many more wanting to in the future, infosec professionals are concerned about the security implications. More than one in three (34%) say they fear that employees are feeling more relaxed about security issues because of their surroundings. In addition, others say that employees not sticking to protocol, especially in terms of identifying and flagging suspicious activity, is a worry (33%). Considering the perceived rise in phishing and whaling attacks, 33% of infosec professionals are also concerned about their colleagues falling prey to these attacks, and 31% cite the risk of a serious data leak unwittingly caused by employees. A quarter (25%) are also rightly worried about bad actors targeting people working from home with malware and ransomware. This point may already have been proven by the reported increase in this attack vector.
Infosec professionals have also identified specific risks related to home working. Two in five say that employees using untrusted networks is a risk to their organization, and 38% say there is a definitive risk in another person having access to an employee’s company device. But the risk factors don’t end there. Just over a third (37%) go on to say that using personal messaging services for both business and personal reasons poses a risk, and they also see unintended company information disclosure as a hazard to contend with.
While there is no doubt that all industries are at risk of cybercrime, respondents revealed that they believe financial services (43%), healthcare, including telemedicine (34%), and the public sector (29%) to be the hardest-hit industries in terms of the increase in cybersecurity attacks during COVID-19. This is followed by retail (22%), energy (20%) and education (18%). Alarmingly, 77% of infosec professionals believe that healthcare was not adequately prepared due to budget constraints.
Change is afoot, and long-term plans are unfolding
As a result of the increase in home working, just over one in five infosec professionals (22%) reveal they have already started providing VPN and made changes to VPN session lengths. A similar group (20%) have also shared comprehensive guides to cybersecurity and working from home, and pre-approved applications and content filtering with employees, and 19% have updated employee cybersecurity training. Yet, despite their fears of a rise in attacks, only 14% have invested a significant amount of money in upgrading security stacks, 12% have bought additional cybersecurity insurance, and only 11% have implemented a zero trust policy — all of which indicates more changes are still to be made.
At the same time, the pandemic has provided a valuable opportunity to learn how to tackle changes in workforce patterns, and how to plan for unexpected events. One in three infosec professionals (31%) say they intend to keep 24/7 IT support, and will increase the number of training sessions in IT security for employees. Almost a quarter (23%) have also said that they are going to increase cooperation with key business stakeholders when defining cybersecurity policies, and an equal percentage will increase outsourcing of IT security expertise.