By Cyber Defense Magazine News Staff
A recent report conducted by Osterman Research and sponsored by TrapX Security[1] provides valuable insights on the problems facing cybersecurity professionals in protecting their organizations from cyber exploits.
The extensive survey of Information Technology (IT) and Operational Technology (OT) workers and their organizations indicates that the “new normal” in these services will occur in a vastly different cyber landscape than pre-COVID-19.
Over 300 organizations, with a mean number of 6,622 employees and headquartered in 9 countries, were polled. The companies cover a wide range of activities, including manufacturing (21 percent of survey respondents), financial services/insurance (13 percent), energy/utilities (13 percent), retail/distribution (12 percent), and business services (11 percent).
Among the most serious security problems that have resulted from the pandemic is the difficulty (and in many cases, inability) security teams have in effectively supporting end-users working largely from home.
The survey found that prior to the pandemic, 11 percent of IT workers were working from home, but this swelled to 51 percent in the August-September 2020 timeframe when the survey was conducted. The impact on OT workers was also significant – growing from eight percent of workers to 18 percent – but has been far less profound owing to the nature of OT-related jobs that cannot be as easily migrated to an in-home environment.
Readers will be interested to learn about several developing trends and effects identified by the survey. The following are illustrative and tend to shed light on the challenges facing cybersecurity professionals and also suggest some of the means at their disposal for dealing with potential problems in the longer term.
Increased proportion of workers are and will remain at home
From January 2020 to Summer 2020, the proportion of IT workers working from home increased nearly five-fold, while the proportion of OT workers working from home more than doubled. It appears that many of these workers will not return from home-based employment to the main-office location, even after the pandemic has passed. As a result, there will be long-term effects on cybersecurity and related issues.
Most organizations were not prepared for their IT and OT workers to work remotely
The vast majority of organizations were not prepared for the pandemic: only six percent considered that they were “very well prepared” for it. The result has been that cybersecurity risk has increased considerably.
The COVID-19 pandemic and the ensuing business- and government-imposed lockdowns caught most organizations off-guard. As the survey demonstrated, only six percent of decision-makers considered their organizations to be “very well prepared”, while only another 25 percent were “pretty well prepared”. The bulk of organizations – slightly more than two-thirds of them – were, at best, only modestly prepared and many were “not prepared at all”.
One cogent comment came from a manager from BlackBerry, who noted in a webcast in September 2020 that information-focused organizations “went from an office with 5,000 employees to 5,000 offices.”
Security has suffered dramatically
Among the most serious security problems that have resulted from the pandemic are the inability of security teams to effectively support end users now working largely from home, and the impact on the security team’s ability to fund new purchases.
The suddenness and magnitude of hundreds of millions of IT and, to a lesser extent, OT workers migrating from an in-workplace to an in-home environment have had profound impacts on cybersecurity. The survey showed that more than four in five decision-makers report that their security team’s ability to effectively support end-users has been impacted by the migration to remote work – nearly 40 percent reported that the impact has been significant. Similarly, the migration to remote work has had significant impacts for 35 percent of organizations on their ability to fund new security applications and initiatives, and 28 percent reported a significant impact on even communication between security teams and the business.
The actionable intelligence from this report is that cybersecurity has been heavily – and largely negatively – impacted by the pandemic and the sudden shift to working from home. Not surprisingly, the most significant impact has been in supporting users who used to be in just one or a handful of locations and are now widely dispersed across hundreds or thousands of locations. Complicating matters for security teams still further is not only the suddenness of the migration to at-home work, but also the rapid expansion of the attack surface because of the use of home routers and Wi-Fi networks, and the fact that corporate systems are now being accessed on the same networks as gaming systems, home automation systems, and Internet-enabled home appliances.
Digital transformation is accelerating
The pandemic has also driven a significant acceleration in digital transformation initiatives: nearly three in five organizations have accelerated these initiatives. This has not been a one-way process.
Immediately after the lockdowns began, digital transformation initiatives slowed down dramatically as security, IT, and business decision-makers acted initially to outfit workers with new laptops, set up security solutions, and otherwise support a suddenly-remote workforce.
However, soon thereafter decision-makers realized that they needed to accelerate the digital transformation initiatives they already had, or implement ones where there were none before.
By now, over half of the surveyed organizations have increased the rate of acceleration for their digital transformation projects since the pandemic began, and another 22 percent have maintained them at the same level.
At this stage, only about one in five organizations have actually seen a slowdown in these initiatives since the beginning of the pandemic. Over the near term, it is likely that the rate of acceleration for digital transformation will increase significantly.
Risk has increased significantly
While most of the participating organizations believe that they have the right tools in place to address their risk, there is evidence to suggest that may not be the case.
Most organizations are reporting that their overall cybersecurity risk exposure is higher in this new environment: 71 percent of respondents reported that their cybersecurity risk exposure is “a little riskier now” or “much riskier now” as a result of the work-from-home environment in which most of their workers now operate.
Most believe they have the right tools in place, with a caveat
Most organizations have inadequate visibility and insight into various aspects of the threats that operate in their IT networks, and especially in their OT networks. Risk has increased substantially since before the pandemic: whereas only 16 percent of organizations were experiencing more risk than they could tolerate pre-pandemic, that figure is now 28 percent.
Still, nearly 70% reported they believe they do have the right tools in place to mitigate their perceived risks. Only 10% responded with a firm “no” in answering this question.
Nonetheless, the survey’s findings on the skills shortage differ, casting some doubt on this positive self-evaluation. Some examples are reflected in these figures:
- Only 15 percent agree or strongly agree that they have the right mix of tools in place to make their security team as efficient as it could be.
- Only five percent believe that they can fully correlate all of the necessary data on security threats they need to have a holistic view of these threats.
- Only 17 percent agree or strongly agree that they have enough cybersecurity professionals on their security teams.
- Only 20 percent agree or strongly agree that they have the right mix of talent on their security teams.
- Only 29 percent agree or strongly agree that their security team is operating as efficiently as it can.
As a result, the survey reports that while many cybersecurity professionals believe they have the right tools in place, there is reason to question their self-assessment.
IT and OT networks are integrated
Only 14 percent of IT and OT networks operate with complete separation, as shown in Figure 9. IT and OT networks that have even some level of integration will enable threats and attacks to impact both since any level of integration creates a bridge between the two environments. Seventy-five percent of organizations report some level of integration between these networks, meaning that if OT is vulnerable to attack, IT is as well.
In practical terms, this means that the vast majority of organizations must implement security solutions and protocols that will enable protection across both IT and OT networks, since a threat that impacts one can easily migrate to the other.
In the New Normal, Networks are Riskier
While most believe in the greater agility and flexibility of their IT networks compared to their OT networks, most organizations believe that their IT networks are today riskier than they were before the pandemic. Some 53 percent of decision-makers consider that their IT networks are riskier compared to only 44 percent of those who believe the same about their OT networks. The proportion of those who believe their IT and OT networks are less risky than they were before the pandemic is quite similar.
Actual Risk may exceed stated risk tolerance
Many organizations are facing levels of risk that are higher than their risk tolerance. As shown in Figure 12, 28 percent of organizations feel that their current levels of cyber risk are above their tolerance for that risk, with a small proportion considering that current risk is much higher than their risk tolerance. On the flip side, however, 36 percent consider that their current level of risk is well below their risk tolerance. Slightly more than one-third of decision-makers believe that their risk and risk tolerance are about equally matched.
However, the level of risk now is much higher than it was before the pandemic. The data shown in Figure 13 comes from the question, “How would you have answered the question on risk vs. risk tolerance before the COVID-19 pandemic, the lockdowns, etc.” As shown in the figure above, 28 percent of organizations are facing a level of risk higher than their risk tolerance, but this was only 16 percent prior to the pandemic. In other words, nearly twice as many organizations are living with more than tolerable risk today than they were prior to the pandemic. Similarly, while 36 percent of organizations are currently facing risk levels below their level of tolerance, that figure was much higher – 59 percent – prior to the pandemic.
Deception Technology and the visibility gap
Deception technology is a newer genre of security that will automatically create a number of decoys and lures that are designed to trick attackers. Decoys may include a variety of assets like SaaS applications, VPNs, user workstations, servers, routers, and OT devices. The lures typically consist of fake files, links, and cached credentials that reside on endpoints. Because of the large number of decoys and lures that can be generated using deception technology, the chance of an attacker finding and attempting to infiltrate these devices or exfiltrate data is high. When bad actors interact with one of these decoys, an alarm is generated that enables real-time analysis of the attack, enabling automated responses and integration with a variety of other security solutions to thwart the attack quickly.
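The alarm-on-interaction idea described above can be sketched as detection logic over connection and login events. This is an added example, not code from the report or from any vendor's product; the decoy addresses, endpoint names, secret and event fields are constructed for illustration. It also derives a unique lure account per endpoint, so an alert shows which machine the credential was harvested from.

```python
import hashlib
import hmac

# Constructed inventory: decoy assets no legitimate user has a reason to touch.
DECOYS = {"10.20.0.15": "decoy VPN gateway", "10.30.5.9": "decoy OT PLC"}
SECRET = b"constructed-demo-key"  # assumption: per-deployment secret held by the defender


def lure_username(endpoint: str) -> str:
    """Derive a unique fake account name to cache on one endpoint."""
    tag = hmac.new(SECRET, endpoint.encode(), hashlib.sha256).hexdigest()[:6]
    return f"svc-backup-{tag}"


def build_lure_index(endpoints):
    """Map each planted lure account back to the endpoint that holds it."""
    return {lure_username(ep): ep for ep in endpoints}


def detect(events, lure_index):
    """Return alerts for any decoy contact or lure-credential use."""
    alerts = []
    for ev in events:
        # Any traffic to a decoy is suspicious: it serves no production purpose.
        if ev["dst"] in DECOYS:
            alerts.append({"src": ev["src"], "reason": f"touched {DECOYS[ev['dst']]}",
                           "lure_planted_on": None})
        # A lure account appearing in a login means it was read off an endpoint.
        if ev.get("user") in lure_index:
            alerts.append({"src": ev["src"], "reason": "lure credential used",
                           "lure_planted_on": lure_index[ev["user"]]})
    return alerts


def sample_events():
    """Constructed events: one normal login, one lure use, one decoy probe."""
    return [
        {"src": "10.1.4.22", "dst": "10.1.0.5", "user": "alice"},
        {"src": "10.1.4.77", "dst": "10.1.0.5", "user": lure_username("WS-0142")},
        {"src": "10.1.4.77", "dst": "10.30.5.9", "user": None},
    ]


if __name__ == "__main__":
    index = build_lure_index(["WS-0142", "WS-0199"])
    for alert in detect(sample_events(), index):
        print(alert)
```

Because the lure accounts and decoy hosts have no production use, every match is worth investigating, and the same source address appearing in both an IT-side lure alert and an OT decoy alert points to movement across the two networks.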
Growth in Work From Home will result in higher security budgets
The massive migration of workers from an office environment to an in-home environment has placed enormous strains on security teams on a number of levels.
The result is that security teams need adequate resources to be able to address these increased security requirements, which is reflected in the fact that one-half of those surveyed anticipate that their cybersecurity budgets will increase. In contrast, only seven percent believe that these budgets will decrease, while more than one-quarter believe they will hold steady.
Summary and Conclusions
The pandemic has created a number of problems for organizations on a number of fronts, not least of which is their cybersecurity posture. Most organizations were caught completely off-guard and were ill-prepared to deal with a huge migration of their in-house workforce to one that is now mostly working from home. The result is that risk is now substantially higher for many organizations than it was before and security teams are still scrambling not only to protect their organizations from cyberthreats but also to accelerate their organizations’ digital transformation initiatives.
[1] ABOUT THE SURVEY
Osterman Research undertook a survey on behalf of TrapX Security during August and September 2020. A total of 319 surveys were completed across nine countries in North America, Europe, Latin America and South America. In order to qualify for the survey, respondents had to satisfy two conditions:
- They manage, or are part of the team that manages, cybersecurity in their organization.
- The organization for which they work has a minimum of 1,000 employees.