A study of 600 CISOs explores how the COVID-19 pandemic has triggered a transformation in the shift to home working and how this has contributed to the rise in the number of cyberattacks targeting organisations.
A new study has revealed an overwhelming percentage (75%) of CISOs consider their organisation to be at greater risk of a cybersecurity attack due to the transition to home working, with a third admitting they’ve taken their eye off the ball during these past 12 months, losing track of leavers and devices.
The study, which was conducted by cybersecurity solutions provider, BlueFort Security, surveyed 600 CISOs from a broad range of UK organisations. It found that the combination of the COVID-19 pandemic, the resulting accelerated shift to digital and the ongoing skills gap have created a perfect cybersecurity storm leaving them more vulnerable to attacks than ever before. The survey included responses from CISOs across a range of sectors, including financial services, professional services, non-profit, healthcare, travel & transport, education, manufacturing and the public sector.
A consequence of squeezed budgets and priorities has meant that CISOs are struggling with limited visibility, with 30% of CISOs admitting they’ve lost track of movers, joiners and leavers, and 29% stating they are missing corporate devices. Over a quarter (27%) of CISOs surveyed said gaps in staff cybersecurity awareness and knowledge have emerged, and the same percentage (27%) said the same of concerns regarding supply chain partner cybersecurity.
More than three quarters (77%) of CISOs admitted their business had experienced a cybersecurity incident in the last 12 months. This is despite the fact that almost the same percentage (74%) said their organisation had introduced additional cybersecurity measures due to remote working. Almost half (47%) said that mitigating cybersecurity threats had been their key priority and 41% prioritised identity and access management over the same period.
And while there is a great deal at stake when things go wrong, CISOs surveyed are more likely to think that damage to the trust in their brand (26%) would be more costly than the loss of data in a breach (18%). However, across all industries, fines and compliance are seen as the costliest result of a successful cyberattack.
Challenges with remote working
Less than a quarter (23%) of CISOs surveyed said that their organisation was working from home permanently before COVID-19 restrictions came into force, increasing to around two-thirds (63%) during the pandemic. Once COVID restrictions have eased, however, 38% of UK CISOs expect their organisation to adopt a permanent hybrid working framework, with 31% expecting their organisations to work from home permanently.
The research suggests very few organisations will return to a pre-pandemic way of working, with just 7% stating they expect most staff to work from physical office locations permanently. Across the board, CISOs are anticipating a disparate workforce, facing the challenge of securing employees working either permanently remotely, permanently in the workplace, and some who will continue to work in a hybrid way.
Across the industries surveyed, respondents in financial services were most likely to state that once restrictions have eased, they expect their organisation to work in a hybrid way (52%), and least likely to expect a long-term move to permanent home working. Non-profit and public sector CISOs on the other hand were the most likely to state that once restrictions have eased, they expect their organisation to work from home permanently (42%).
Looking at the potential challenges associated with a disparate workforce, all (100%) CISOs surveyed said they face both security and compliance barriers to the potential permanent enablement of hybrid working. Of these challenges, the top barriers for CISOs are productivity (44%), connectivity and reliability (43%) and data leakage (43%).
The road ahead
Looking ahead, the majority (85%) of CISOs believe managing cyber-risk will become more complicated. For example, nearly half (44%) think their company should introduce a rigorous enforcement of cybersecurity policies and sanctions to encourage tighter cybersecurity practices. Other reasons given include managing a remote workforce is more difficult (30%); the threat surface is more disparate and diverse due to hybrid or remote working (26%); it will be less clear where the end-points data is (24%); and there are more threats to worry about (20%).
In terms of future measures, over half (53%) of CISOs surveyed said they will ensure their organisation’s information is protected when laptops and other devices return to the office or connect to the corporate network with network segmentation. Moreover, the same percentage (53%) said they will protect their organisation’s information with proactive remote patching / security management and almost half (47%) said they would do this with Access Control.
CISOs are also expecting a bigger compliance headache ahead, with half (49%) expecting new legislation around the health and safety of their home workers and the same percentage expecting control around remote monitoring of staff. Almost half (45%) of the CISOs surveyed expect there to be control around home working hours and the same percentage expect more complexity around workers’ right to privacy. What is interesting to note here is that CISOs surveyed are more likely to anticipate the monitoring of staff, rather than their right to privacy.
A silver lining
On a positive note, the vast majority (89%) of respondents believe that cybersecurity has become more of a priority to their Board in the last 12 months, and CISOs are investing in new technologies to help address these emerging challenges. A total of 35% are looking at automation, 34% at Machine Learning and the same percentage (34%) at network detection and response. Some (32%) CISOs are looking to deploy Zero Trust architecture and the same percentage (32%) said endpoint detection and response. More than a quarter (27%) of CISOs said they are looking to deploy AI.
Ian Jennings, Co-founder of BlueFort Security, said: “The fact that CISOs have had a particularly tough time these past 18 months isn’t a surprise. What shocked me was the severity of the impact. It’s a sorry tale of a lack of visibility – of their infrastructure, their devices and their people – which has led to poor intelligence and restricted control. The positive takeaway from this is the recognition that new technology will play a significant role when it comes to redressing the balance.”