Global pandemic was an inflection point that put cybersecurity teams’ grades to the test

The report finds that confidence in cybersecurity programs continues to remain steadfast despite the challenges brought on by COVID-19. Twenty-four percent of respondents gave their program an “A” rating, a decrease from the 30 percent rating in 2019. However, this was offset by increases to both grade “B” and “C” categories. The “D” grades stayed the same and grade “F” was reduced to zero. 

Security breaches among those surveyed remained essentially unchanged from last year’s report at 16 percent. Given that nearly 60 percent of organizations detected a moderate to a dramatic increase in cyber attacks during and following the pandemic, it points to a rise in the overall breach prevention success rate. The report also provides insights into how successful organizations were able to adapt to the changing threat landscape. 

“The global pandemic put the confidence of security teams in their programs to the test. Organizations faced concurrent challenges in managing the sudden, large-scale shift to remote work and the increase in COVID-related cyberattacks. Reports from previous years have shown organizations making gains in their security posture, and this was reflected in the responses of those able to rise and meet the challenges of COVID-19,” said Tim Heming, Security Evangelist. Added Helming, “This was a wakeup call for many, as almost a quarter of organizations plan to increase their security budgets as a result of COVID-19 to better prepare themselves for the future. Unfortunately, fifteen percent of organizations plan to cut budgets. While budget constraints are understandable, these cuts may well add to the stress already present.”

More than 520 security professionals from companies ranging in size, industry, and geography were surveyed about their security posture. They were asked to grade the overall health of their programs and give insights into their experiences navigating the COVID-19 pandemic. Almost 60 percent of respondents are on the cyber frontlines as security researchers, analysts, or threat hunters. Prominent findings include:

• An inflection point: Twelve percent of respondents would have given their organization a lower grade before the pandemic, showing surprise in how well they were able to cope. A near equal number, 14 percent, would have given their organization a higher grade before the pandemic, illustrating the toll COVID-19 took on security operations.
• A threat-inducing crisis: On average, 36 percent of organizations detect cyberattacks several times per day. On top of that, 14 percent of survey respondents reported also detecting COVID-specific attacks several times per day. Thirty-five percent of survey respondents said that the shift to remote working has increased their detection and response time.
• Remote work got up-close: Forty-four percent of organizations were either not prepared or unsure if they were prepared to enable a fully remote workforce before COVID-19. Over half (60 percent) of respondents state that working from home has made their organization more vulnerable to cyber threats. Three-quarters (76 percent) of respondents and the overwhelming majority (86 percent) of Grade “A” organizations agreed that automation improved their ability to transition to a secure remote workforce during the pandemic.
• Leadership and training set the groundwork for success: Forty-six percent of respondents and 74 percent of Grade “A” organizations said the training offered by their organization well-prepared them to handle an event like the pandemic. Forty-five percent of respondents gave their CISO an “A” and forty-eight percent gave their CEO an “A” on their handling of the pandemic. 

The report also looked at the most common threat vectors that organizations detect. Spearphishing (85 percent), malware (46 percent), and business email compromise (38 percent) are the three most predominant forms of attack, with spearfishing taking the lead, up 24 percent, and malware down 28 percent from last year.