(ISC)2 has published the results of a survey that shows the impact of Work From Home (WFH) on cybersecurity teams. It surveyed 256 cybersecurity professionals about what was happening in their work environment during COVID-19. It claims that 47% of respondents were taken off security duties to work on other IT-related issues.
The findings paint a picture of unprepared organisations that, if they had a disaster recovery plan, didn’t foresee the complete closure of offices. Taking people off of security to use them elsewhere rarely makes any sense. Even before WFH, the number of attacks using coronavirus and COVID-19 as hooks was on the rise. Weakening defences shows how much disconnect there is between different parts of IT and company management teams.
Wesley Simpson, COO of (ISC)2, said: “The goal of the survey was to take the pulse of the cybersecurity community as many of their organisations began to shift their employee bases and operations to remote work setups in March and April.
“While this was certainly not an in-depth study of the situation, it does provide a current snapshot of the issues and challenges our members may be facing during this unprecedented time. Sharing this information helps our members and other professionals in the field understand the challenges their peers are facing, and hopefully realise they are not alone, even if many of them are feeling isolated as they adjust to working from home.”
Key takeaways from the (ISC)2 COVID-19 survey
In its press release, (ISC)2 shared what it says are key takeaways from the (ISC)2 COVID-19 Cybersecurity Pulse Survey. Enterprise Times has not been able to get a copy of the survey from the (ISC)2 PR team to verify these.
- 96% of respondents’ organisations have closed their physical work environments and moved to remote work-from-home policies for employees; nearly half (47%) said this was the case for all employees, while 49% indicated that at least some employees are working remotely
- 23% said cybersecurity incidents experienced by their organisation have increased since transitioning to remote work – with some tracking as many as double the number of incidents
- 81% of respondents said their organisations view security as an essential function at this time
- 47% of respondents said they have been taken off some or all of their typical security duties to assist with other IT-related tasks, such as equipping a mobile workforce
- 15% of respondents indicated their information security teams do not have the resources they need to support a remote workforce, while another 34% said they do, but only for the time being
- 41% said their organisations are utilising best practices to secure their remote workforce, while another 50% agreed, but admitted they could be doing more
- Almost one-third (32%) of respondents were aware of someone in their organisation who has contracted COVID-19
To get a wider view of the survey findings, Enterprise Times asked one question across several cybersecurity communities: “Have you been taken off cybersecurity to support IT?” The vast majority of the 68 responses said no with just 8 saying that they had been re-tasked. Those 8 said it was temporary and they were only helping out with setting up VPNs or configuring laptops. Given the small sample size, it doesn’t really give any more insight into the situation.
Is this a lack of disaster planning?
There is another view of this situation, one that questions what business continuity and disaster planning mean to many organisations. It is common to see people conflate business continuity with disaster recovery. They are not the same thing. The former is about maintaining essential functions during an event, and the latter is about how you respond and recover.
It is easy to see how both of these play into the current situation, and how far outside of the normal we are now. How many businesses practise having all their key employees work from home? For those that do, how many would have contingency plans for it lasting for an extended period? Most but not all of those people will have company-issued technology. How many organisations regularly check the security and apps on all those devices? The remainder will be relying on personal technology.
Now scale that up and take away all the other people in the business that cover for key staff. Imagine you have to provide technology for all those people. This is where a lot of companies found themselves. Orders for containers full of laptops meant they needed staff to set up, configure, secure and then distribute them to employees. No IT department could have planned for that, and many would no longer have automated processes to do this.
How bad is it?
One source contacted me to say his company has seen all sides of this situation. “When the pandemic started and the stay-at-home orders kicked in, almost all of those customers’ security teams were pushed to assist IT teams in deploying WFH.” This bears out some of the (ISC)2 survey findings.
He went on to say: “Customer size didn’t dictate the usage of security for IT work, it was the maturity of their infrastructure and IT/Security teams itself. One company had the entire security team deploying laptops, tablets, creating accounts and doing help desk work. It relied heavily on an outsourced provider for general IT, and it couldn’t keep up.”
This is not unusual. A lot of organisations run lean IT shops and rely on outside IT support companies. What makes those IT support companies profitable is having a lot of customers to keep their staff fully employed. When all those customers hit you with the same manpower-intensive workload, things fall apart.
Using security staff should mean that technology is secured correctly. This is essential not just for preventing attacks but also for cases where staff will have sensitive data on local machines.
We are now weeks into WFH. However, the source said: “There is still a portion of Security teams assisting IT to do mundane tasks. IT staff are overwhelmed and having to do things with social distancing.” Some of the challenges it seems they are facing include: “How to get laptops into hands of those who need it? And how to deal with people who have never done WFH ever in their life.”
The key is organisational maturity
Not every organisation, however, is drowning under the problem. The source said: “It all comes down to the maturity of the technology, policies, and the plans they created.” He went on to talk about one company with thousands of workers who continued as if nothing had happened.
“Over a year ago, they had already started telling all of their corporate workers to start working from home with company-provided tablets and computers. When this hit, it was no big deal. They had spent a year training people how to do this.”
It also turns out that another part of their process had been moving infrastructure into the cloud. This meant that IT teams could manage the company infrastructure from anywhere. It also allowed the security and IT teams to log in and deal with issues quickly.
Companies who had contracts with security companies for SOC and MSSP were in a better place. They were able to offload their security services for a period. While this moved the problem upstream, MSSPs have highly automated and scalable environments.
When this is over, it will be interesting to hear from those companies what they saw, how it impacted them and what this means for the future of security.
Enterprise Times: What does this mean?
(ISC)2 has opened a whole can of worms around how organisations see cybersecurity. While these are uncharted times, the all-hands-on-deck panic is no solution. Many organisations won’t have been able to pull security support from a partner. Instead, they will have been running with little to no security at a time when attacks are hammering at all their staff.
How many companies will discover a breach that can be attributed to this type of response? How will regulators respond when they come to deal with these situations? Apart from ICOs, other regulators will want to know more about the business continuity and disaster planning companies had in place.
That some companies can continue because they had planned and practised for all eventualities shows this could have been handled better. It is time that planners stopped relying on tabletop games and did proper security and disaster planning.
When companies employ security workers, they want many of them to be based in a SOC. There is no requirement for that, or for making many relocate, which can reduce the number of available people. Perhaps the one highlight of the (ISC)2 survey is that security teams were able to WFH. The question is, how many will be allowed to continue doing so when the pandemic is over?