Pandemic impact report: Security leaders weigh in

In early March, as I prepared to fly home from a business trip to Seattle, we began hearing stories of U.S. businesses sending their workers home with the expectation that they may be working from home for weeks, if not months. CISOs started to share stories of employees exiting their offices with monitors under one arm and desktop computer systems under the other. With social and work restrictions imposed by governments and businesses in response to the novel coronavirus COVID-19, organizations around the U.S. were about to come face-to-face with “the new normal,” and it was going to be anything but normal. From the beginning it was clear that the rules we have operated under for decades were about to change.

IDG

In order to get a better understanding of the situation at hand, CSO surveyed 150 security leaders at some of the nation’s largest organizations. Some of what we learned was expected (e.g., vastly increased numbers of employees working from home); some was disturbing (26% are seeing increased attacks in the wake of the pandemic); and some was profound (our perception and understanding of risk will be changed for years to come).

A situation that would have been incomprehensible six months ago is reality today. Businesses of all descriptions across the U.S. are temporarily shuttered. Governors in California, New York and elsewhere have advised, if not ordered, their citizens to stay indoors. Billions upon billions of dollars in economic value were erased in a matter of days.

How long will this go on? How prepared were businesses? How is security impacted? These were all questions we explored in the survey in hopes of gaining a greater understanding of where we came from, where we are, and where we may be going.

Methodology

This survey was conducted March 19-23, 2020 among 150 U.S.-based security & technology leaders. Eighty-seven percent of respondents were senior security executives representing an average company size of 23,825. Top represented industries were: financial services, including banking, insurance, and brokerage (27%); healthcare, including providers and pharmaceuticals  (17%); high tech (14%); and retail, wholesale & distribution (8%).

We’re in this for a while

We asked security and IT leaders to estimate how long they expect social and work restrictions, resulting from the pandemic, to remain in place. In general, responses averaged 7.7 weeks, with respondents in the retail industry being more hopeful (6.5 weeks) and healthcare respondents, as one might expect them to be, coming in the longest at 9.1 weeks. Essentially, we’re looking at a range that would see social and work restrictions remaining in place until somewhere between May 7th and Memorial Day (May 25th).

Work from home has exploded

Not surprisingly, the survey found significant changes in employee work from home (WFH) levels. Three months ago, 16.5% of survey respondent’s employees worked from home at least 60% of the time. As of March 23^rd, that number had climbed to 77.7%, an increase of 4.7-fold. High tech firms had the highest level of WFH prior to the pandemic’s impact at 31.9%, and continue to have the highest today at 90.2%. Retail/wholesale/distribution organizations have experienced the most drastic change in WFH levels, increasing from 3.7% prior to the pandemic to 66.4% today, a nearly 18-fold increase.

While 81% of respondents expressed confidence that their existing security infrastructure could handle their employees working from home, 61% were more concerned about security risks targeting WFH employees today than they were three months ago. Surprisingly, small & medium-sized businesses (SMB) — those with fewer than 1,000 employees — expressed the least concern (29%) about attacks focusing on their WFH workforce.

How prepared were businesses?

In 2006/7 CSO magazine dedicated extensive coverage to pandemic planning around Avian Flu. While, thankfully, that pandemic never materialized, and despite SARS, MERS, and the outbreaks of other infectious diseases, we didn’t hear the same amount of “pandemic buzz” in the years that followed.

It seems that businesses learned their lesson, and many kept their resiliency plans fresh in the intervening years. While only 54% of survey respondents indicated that their pandemic/ resiliency plans had them prepared for the current situation, 67% indicated that their security infrastructure was fully prepared for the range of risks associated with the new operating environment.

Time to go shopping?

Despite the high levels of confidence that their security infrastructures are up to the task at hand, 22% of organizations have found themselves out shopping for new security solutions/services to address the new work dynamic.

As one might expect, the businesses least likely to be investing in new technology or services are in industries that identified as most prepared: financial services (12%) and healthcare (14%).

Surprisingly, only 7% of SMB organizations indicated that they had to make security purchases in response to the current conditions, which may indicate either a lack of visibility into their risk environments, a lack of available budget to support new investments, or a combination of both.

Attacks are up

When the shift to a pandemic-defined work environment began, it was widely speculated that there would be an increase in attacks designed to take advantage of the uncertainly caused by the pandemic and its impact on work structure, as well as holes that might open up with the transitioning workforce.

Unfortunately, this speculation has proven to be accurate:  More than 26% of survey respondents say their organizations have seen an increase in the volume, severity, and/or scope of cyber attacks since March 12th. While the increase in attacks has been fairly consistent across company size, with SMBs seeing numbers only slightly higher than enterprise businesses, the financial services industry has been especially impacted, with 37% seeing an increase.

The impact will be felt for years

Across all vertical industries and company sizes, 73% of survey respondents say they believe that the impact of this pandemic will alter the way their business evaluates risk for at least the next five years. In some industries, like retail, that number was as high as 83%. This is an issue that will radiate from financial regulators to boards of directors and so on, down the institutional food chain. Risks that were thought to have a low likelihood of occurring will now be getting a second look. Likelihood will be the number focused on when considering risk, and resiliency will be the mantra. 

A closer look at some select groups

• SMB: A story of over-confidence and disconnects
• SMB respondents were relatively unconcerned about risks from employees working from home despite the fact that 9 out of every 10 employees is currently WFH (29% of SMB respondents report being concerned about WFH risks v. an average of 61% across all respondents)
• While SMBs were the least likely to say that their pandemic planning prepared them for the current situation (43%), they have the highest level of confidence that their security infrastructure can handle the range of risks associated with the new operating environment (79%)
• They are a third as likely to have had to purchase new security solutions/services in order to address the new work dynamic. The survey did not provide insight into why that is the case: It may indicate either a lack of visibility into their risk environments, a lack of available budget to support new investments, or a combination of both.
• They are also least likely to say that the pandemic will alter the way their business evaluates risk in the future (57% v. 73% across all respondents).
• Retail: hardest hit and perhaps least prepared
• With the largest increase in employees working from home (3.7% before vs. 66.4% today, a 17.9-fold increase), retailers indicated the highest level of confidence across all industries that their security infrastructure can handle all those employees who WFH.
• Despite that confidence in preparedness, 25% of retail organizations have had to purchase new security solutions/services in order to address the new work dynamic.
• Only 42% (the lowest among all industries) indicated that their pandemic/ resiliency plans had prepared them for the current situation
• Retailers overwhelmingly (83%) believe that the pandemic will alter the way their businesses evaluate risk for at least the next five years
• Only 17% of retailers report an increase in the volume, severity, and/or scope of cyber attacks since March 12th, the lowest of all industries.
• Healthcare: well prepared, but under pressure and attack
• At 9.1 weeks, healthcare has the longest expectation of social and work restrictions remaining in place.
• With 59.3% of their employees working from home (follow-up conversations I have had indicate the bulk of those are administrative workers), 88% of healthcare survey respondents expressed confidence that their security infrastructure can adequately address employees working from home.
• They expressed the highest level of concern about security risks specifically targeting WFH employees (73%).
• Fully 27% (the highest across all industries) of healthcare organizations have had to acquire new security solutions/ services in order to address the new work dynamic.
• All this being said, 19% of healthcare organizations reported an uptick in the volume, severity, and/or scope of cyber attacks since March 12^th.
• High Tech: perception vs. reality
• For an industry that had the highest share of WFH employees prior to the COVID-19 crisis (31.9%) and the highest share since March 12th (90.2%), survey respondents in high tech are the least confident that their security infrastructure can adequately address employees working from home (67% high tech v. 81% across all respondents).
• They also have the lowest level of confidence that their infrastructure was fully prepared for the range of risks associated with the new operating environment (57%)
• Sixty-two percent of survey respondents in high tech say they believe this pandemic will alter the way their businesses evaluate risk for at least the next five years. This number, while high, is the lowest among the industries we surveyed.
• Financial Services: leading the pack
• Despite seeing a 6.3-fold increase in the number of employees working at home (13.6% before/85.7% today), financial services firms were most likely to say they were prepared for their employees to WFH (88%), were prepared for the new work environment (70%), and were least likely to have to acquire new security solutions/services to address the new work dynamic (12%). And 37% of financial services firms surveyed reported an acceleration in the volume, severity, and/or scope of cyber attacks since March 12^th, the highest among surveyed industries.

Moving forward

For years now we’ve been talking about the importance of corporate resiliency — the ability of the business to take a punch and continue to operate. Security’s role in resiliency got more broadly noticed when ransomware hit in full force, crippling some major businesses, albeit temporarily. But now that ability to take a punch will echo across board rooms around the world. 

It’s clear that whatever the new normal will be is yet to be determined, and security is going to have to adapt to meet the risks it will bring. It’s also clear that these unfortunate circumstances will shine an even brighter light on the security organization, as risk management will no longer be considered a nice to have, but will instead be seen as a must have.

IDG