In the wake of COVID-19, many businesses have been forced to pivot to a working style that they were not able to properly accommodate. The new ways of working have naturally also come with their own growing pains, as employees slowly adapt - although surely, everyone is a Zoom expert by now!
Now comes new research from global cybersecurity company Bitdefender, which says it has been protecting "over 500 million systems for more than 18 years". The research has "revealed the growing concerns and frustrations of Australia’s IT professionals".
These findings have been revealed in Bitdefender’s annual ‘Hacked Off!’ 10 in 10 Research Report (PDF link).
However, this new research has found that "CISOs and IT support workers are becoming fed up with the ongoing errors that employees and business leaders continue to make".
Bitdefender says its team have "conducted comprehensive global research that provides insight around businesses' failed attempts to prepare for a remote working situation, and the frustration that CISOs and IT support workers are forced to deal with". The research, which surveyed 6,700 infosec professionals globally including 300+ ANZ professionals, underscores some sobering security trends, including:
- 38% of IT staff feel that leaders fail to grasp the concept of cyber-attacks, while 34% of IT workers believe employees suffer the same issue
- 28% of CISOs believe leaders don’t understand the scale at which security needs to grow
- 33% of IT workers felt that business leaders failed to understand that cybersecurity is everyone’s responsibility – not just IT’s
- 29% of IT support workers believe employees don’t understand that cybersecurity solutions are not entirely foolproof.
The figures point to a disconnect internally, one where IT teams are being viewed as a band-aid solution across the workplace. The stats are obviously alarming and clearly highlight an issue at the top level that bleeds to the bottom. The issue is ultimately made worse when factoring in the ongoing threats of cyberwarfare, pertaining to issues around China after an alleged attempted attack just a few short months ago.
Indeed, in the face of increasingly complex attacks as well as the marked increase in sophisticated state-sponsored cyberwarfare, infosec professionals are overwhelmed, outmatched and demanding more from their business.
What are some local stats?
Well, of the 300+ Australian security professionals surveyed, 66% believed that cyberwarfare is a growing threat to their organisation, with more than half (56%) determining that the threat is ‘significant’ and warrants the appropriate training and investment to fight.
We're told this "comes as Australian businesses and their employees struggle to navigate the dangers and complexities of workplace cybersecurity amidst COVID-19."
Bitdefender ANZ Chief Demetrios Georgiou said: “The weakest link in organisational cybersecurity continues to be human error. In the last few years we’ve seen the complexity of attack grow tenfold, and businesses start to invest in the appropriate training for employees.
“Culturally, we’re all still suffering from this outdated mindset that ‘cybersecurity is an IT problem’. It’s a sentiment reflected year over year in the Hacked Off Research.”
Cyberwarfare on the Rise
In the current climate, and in association with a poor understanding of cybersecurity risks, Bitdefender reminds us that "cyberwarfare has sparked significantly in 2020 and poses a new and considerable threat to Australian businesses.
"With many businesses shifting to remote working environments, 53 per cent of CISOs believe that devices will be compromised by instances of cyberwarfare, and that state sponsored attacks will increase in the next 12 months, to the detriment of the economy. The data is timely, given Australia’s ongoing threats of being on the receiving end of a state-based cyberattack, fuelled by geopolitical tensions with China".
We're also told that "the Morrison Government’s expansion to the Cybersecurity Package is a direct response to this, but action across the workplace is required to truly protect businesses from cybersecurity dangers."
“2020 has been a year of change — not only for the world at large — but for the security industry. The security landscape is rapidly evolving as it tries to adapt to the new normal, from distributed workforces to new threats. Amongst the new threats is cyberwarfare. It’s of great concern to businesses and the economy — and yet not everyone is prepared for it,” continued Demetrios.
“The one thing we know is that the security landscape will continue to evolve. Changes will happen, but we can now make sure they happen for better and not for worse. To succeed in the new security landscape the way we as an industry talk about security has to become more accessible to a wider audience to gain support and investment from within the business. In addition, we have to start thinking about plugging the skills gap in a different way — we have to focus on diversity, and specifically neurodiversity, if we are to stand our ground and ultimately defeat bad actors," Demetrios concluded.
About the research
The Bitdefender 10 in 10 Study was conducted among 6,724 IT workers in May 2020 across the UK, US, Australia, New Zealand, Germany, France, Italy, Spain, Denmark, and Sweden. The respondents represented a broad cross-section of organisations and industries, from companies with 100 or more employees through to publicly listed 10,000+ person enterprises. 23% of the audience were made up of CISOs and CIOs, while other respondents ranged from IT security analysts to directors — all of whom have control over budget and decision making as it relates to cybersecurity within their organisations.
Here are some more of the key stats from the report, with the report able to be read here.
What, in the last ten years, are the top three cybersecurity trends/shifts that you didn’t see coming, until it had an impact on your business? Select up to three
- The shift from device to cloud: 26%
- 3-way tie - The frequency of attacks, Rise of the Internet of Things, The lack of general cybersecurity awareness within business leadership: 22%
- The rise of machine learning based technologies: 21%
Note: The highest trend being the move from device to cloud is quite telling. Coupled with the fact that two of the three trends that placed second are directly tied to what we’ve seen during COVID, that makes for some interesting info.
In your opinion, what have been the most challenging issues / topics / threats / subjects for your business leaders to understand over the last few years? Select all that apply
- Cyber attacks/ hacks: 38%
- That cybersecurity is everyone’s responsibility - not just IT’s: 33%
- Tie - Migrating to cloud and securing hybrid environments, The scale at which infrastructure, and therefore security, needs to grow: 29%
In your opinion, what have been the most challenging issues / topics / threats / subjects for your employees to understand over the last few years? Select all that apply
- That cybersecurity is everyone’s responsibility - not just IT’s: 34%
- Tie - Cyber attacks/ hacks, Malware: 30%
- Tie – Phishing, Understanding that no cybersecurity solution is foolproof
- 31% of those surveyed believe it has been difficult for CISOs/security & IT leaders to keep pace with new security features/products over the last 10 years
- 28% of those surveyed believe it has been difficult for CISOs/security & IT leaders to keep pace with jargon terms over the last 10 years
2015 vs. 2020
- Cyber security training is of the utmost importance for all staff members: 61% vs. 72%
- There is a lack of diversity in cybersecurity — and it’s of concern: 54% vs. 59%
- Threat analytics, and the ability to quickly understand the data, is critical to both risk mitigation and business continuity in my organisation: 67% vs. 71%
- The business understands the value of cybersecurity: 70% vs. 72%
Which type of cyber attack / cyber risk, in your opinion, poses the biggest threat to your organisation in the next 12-18 months? Select up to three
- Tie - Vulnerable system misconfigurations (e.g. default passwords, open ports), Cyberwarfare: 24%
- Phishing or whaling attack: 23%
- Tie – Ransomware, Software vulnerabilities (EternalBlue, BlueKeep): 21%
With increasing numbers of people working from home, my main cybersecurity concern is the business suffering a large-scale ransomware attack
- 51% Agree
I believe ransomware attacks are wholly being driven by the cybercrime economy, and are no longer about seeking attention
- 55% Agree
Instances of cyberwarfare will increase in the next 12 months, and it will be to the detriment of the economy
- 53% Agree
The way we communicate cyber risk to the business needs to change dramatically if we want increased investment
- 53% Agree
Do you believe that state cyberwarfare is a threat to your organisation?
- 66% Believe
To what extent do you believe there is a threat? Select one
- 56% Believe there is a significant threat
Which of the following sectors, if any, do you believe would have seen the biggest increase in cyber attacks during COVID-19? Select all that apply
- Financial services: 49%
- Healthcare (including telemedicine): 37%
- Public sector: 31%
Do you believe healthcare would have seen the biggest increase because this sector was not adequately prepared due to budget constraints?
- Yes: 74%
What are the learnings that you intend to keep in your cybersecurity policy long term following COVID-19?
- 24/7 IT support: 37%
- Better visibility of weak spots within infrastructure: 31%
- Increase the number of trainings in IT security for employees: 30%
What are the security risks for your organisation when employees are working remotely?
- Using personal messaging services for both business and personal reasons: 43%
- Tie - Randomly switching from business to personal devices, Using untrusted networks: 42%
- Another person having access to an employee company device: 41%
In your opinion, which of the following attacks, if any, increased within your company during COVID-19?
- Phishing or whaling attacks (31.59): 30%
- Social media threats/Chatbots (42.97): 25%
- Tie – Cyberwarfare (33.96), Trojans (33.68): 23%
What security risks are you most concerned about when employees work from home? (Not just in the context of COVID-19 but in general)
- Employees not sticking to protocol, especially in terms of identifying and flagging suspicious activity (40%)
- Employees falling prey to phishing and/or whaling attacks (38%)
- Employees feeling more relaxed about security issues because of their surroundings (37%)
Do you believe the COVID-19 pandemic will change the way your business operates long-term?
- Yes: 82%
In what way do you believe your business will change?
- We will have to provide additional cybersecurity measures for employees: 43%
- We will have an increased number of employees working from home: 41%
- Tie - We will have to permanently increase our capability to monitor and protect devices outside of the office, We will increase the amount of cybersecurity training we provide to employees as it relates to working from home: 37%
In your opinion, which of the following security issues / topics / threats / subjects will it be most important for your business leaders to understand or come to grips in the next 12-18 months?
- Cyber attacks/hacks: 24%
- Ransomware: 22%
- That cybersecurity is everyone’s responsibility, not just IT’s: 21%
In your opinion, which of the following security issues / topics / threats / subjects will it be most important for your employees to understand or come to grips in the next 12-18 months?
- That cybersecurity is everyone’s responsibility, not just IT’s: 25%
- Cyber attacks/hacks: 21%
- The risks to the business and themselves associated with poor security: 19%
What do you think needs to change most in terms of how the security industry communicates in the future?
- Improved knowledge sharing between security pros to ensure risks are eliminated quicker: 49%
- More communication with the wider public and customers, so everyone both in an organisation and outside understand risks better: 46%
- The use of less technical language so that the whole organisation understands the risks and how to stay protected: 44%
What do you believe the effects will be on the industry as a whole if the skills deficit continues for another 5 years?
- 43% Seriously Disruptive