Sizing Up COVID-19's Impact on Security Professionals and Their Organizations

Sizing Up COVID-19's Impact on Security Professionals and Their Organizations
Author: ISACA Now
Date Published: 29 May 2020

ISACA’s recent COVID-19 study provided insights from professionals throughout ISACA’s global community on how the pandemic is affecting them and the security professional more broadly.

Below are four key data points from the study with corresponding analysis of each:

92% say threat actors will increase cyberattacks on individuals
“The global COVID-19 pandemic has created a perfect atmosphere for threat actors, while we are witnessing dramatic changes in working practices and using technologies, and even change in personal habits. Most certainly, these changes are causing significant increase in the attack surface. Clearly, threat actors will always keep seeking to benefit from the latest trends and crises. This raises security and privacy concerns and alarms over the growing threats from threat actors during the COVID-19 pandemic, such as phishing, ransomware, the online grey market, targeting of health organizations or financial institutions, and other malicious activities that threaten organizations and individuals significantly worldwide.

“In the wake of the COVID-19 pandemic, as new ways of doing business, many organizations are utilizing or adopting some types of emerging technologies applications, subsequently creating fundamental change that will create new risks. Therefore, organizations need to protect themselves holistically, by involving end-to-end information security architecture, and focusing on rapid risk assessment to the information assets and individuals to minimize the potential attack surface and to be well-prepared for the new normal of doing business.”

 – Adham Etoom, PMP, GCIH, CRISC, FAIR, CISM

87% say the rapid shift to work from home increased risk of data privacy and protection issues
“Many organizations sent their workforce home knowing they made the choice of assuming higher risk over the alternative of bringing the organization to a complete halt. As we move past the COVID-19 pandemic we will collectively define the new normal. We will need to prioritize change management and educating the workforce to recalibrate security and privacy to the new reality of collaborative tools and work from home.”

 – Michael Lambert, CISA, CISM, CGEIT, CRISC, Information and Cybersecurity Topic Leader, ISACA, Past President and Strategic Advisor to ISACA Quebec Chapter

58% say threat actors will take advantage of the pandemic to disrupt organizations
“In the past, cyberattacks were often regionally focused following disasters such as Hurricane Katrina. So, while those attacks were incredibly damaging to a particular area, their overall impact beyond that region was minimal. The difference now is that these malicious actors now have seven billion people to potentially target worldwide, an exponentially larger attack surface. More people are working virtually, as well as glued to the news, so these malicious actors have a huge number of ripe targets online to exploit, leveraging fear, uncertainty and doubt. … This means that the skills and expertise of cybersecurity professionals are even more valuable during this time to protect their organizations.”

 – Brennan P. Baybeck, ISACA Board Chair and Vice President and CISO for Customer Services at Oracle Corporation

Only 51% are highly confident in their security team’s ability to detect and respond to cyberthreats during the pandemic
“The rapid shift to work from home took focus and attention from cybersecurity and privacy from the operations teams. The good news is that most organizations excelled in standing up remote environments within four to six weeks. This shows technical professionals’ enormous capacity to adapt and achieve when focus is there. However, there is a huge difference between a sprint and a marathon. Cybersecurity is the equivalent of a marathon and now it has exploded as the traditional perimeter is no longer meaningful. Remote employees have opened widely the attack surfaces by using unsecured home internet connections, USBs, etc. Now that there is a semblance of stability in remote environments, it is not the time to be complacent, but instead, it is time to double down to address risk-based security, as this period of remote work will be extended for many organizations. Don’t let the foot off the gas pedal.”

 – Simona Rollinson, Chief Technology Officer, ISACA

 

Information Security and Privacy in the Times of COVID-19