Security Strategy, Plan, Budget, Threat Management, Threat Management

The people problem: Large businesses shift resources to address risks tied to new and disgruntled employees

Organizations move on plans to strengthen security policies, increase training, and invest in technology

The lasting impact of 2020 on cybersecurity has come more clearly into relief, as security professionals reported more mature, effective strategies and approaches spanning threat prevention, detection and response – with many businesses reallocating resources to address risks tied to the workforce.

The findings emerged from a survey of more than 300 North American and European organizations conducted in January and February, which was the basis of the third wave of the Cybersecurity Resource Allocation and Efficacy (CRAE) Index developed by CyberRisk Alliance Business Intelligence and underwritten by Ivanti.

Results show a clear transition for security teams from assessing and responding to increased threats, to setting in motion plans to harden their infrastructure. These efforts focused squarely on the people problem: addressing increased risk tied to employees working from home and workforce tensions amid societal pressures from the pandemic. To address those issues, businesses put in place stricter security processes, increased training, and bolstered investment in both technology and system monitoring.

“We have set up specific teams and [are] allocat[ing] more of our IT budget to better enhance our cybersecurity capabilities and effectiveness,” said one respondent, describing the internal factors that impacted their organization's activities during the quarter.

The Index examines the five major components of the National Institute of Standards and Technology (NIST) Cybersecurity Framework — identify, protect, detect, respond and recover — to analyze organizations’ engagement with proactive and reactive security efforts.

Cumulatively, the survey suggests, last year’s cybersecurity efforts paid off for many organizations, resulting in experienced teams who possess the hard-won knowledge to be less reactive and more proactive. Between Q3 and Q4, 62% of respondents said their organizations became more effective at protecting systems, assets, data or capabilities from cybersecurity events or threats.

The cyber liability of new and ‘disgruntled’ employees

Vulnerabilities associated with remote work continue to drive security training and management. Threats increased between Q3 and Q4 at more than half (54%) of the organizations surveyed, with financial services (61%) and high-tech/business services (57%) reporting the highest rate of increase. Phishing remained the most frequent threat.

After nearly a year of managing risk under these conditions, staff have a better understanding of potential weaknesses. In Q4, 62% of respondents said their organizations became more effective at identifying security risks.

For example, respondents reported a more granular view of employee-related issues. Amid overall concerns about remote workers, respondents said they paid special attention to employees onboarded in 2020, “being vigilant about new hires and their online activities.”

Disaffected staff members were also on respondents’ radar as the pandemic and social and economic conditions contributed to workforce tensions. “Disgruntled employees have been our largest issue,” said one U.S. respondent in financial services.

Indeed, recognition of the threat posed by the internal workforce drove investment between Q3 and Q4. Most (55%) organizations increased resources to develop or modify cybersecurity policy or governance programs addressing users, roles, privileges, applications and/or data. Forty-one percent maintained the same level of support. A majority of organizations (56%) also increased resources for employee cybersecurity training, while 37% maintained their level of support.

Internal and external breaches inform security strategies

The months-long SolarWinds hack, first reported in December 2020, was especially resonant among respondents, who described learning from this event and others to fine-tune defenses.

“Given the data breaches that have happened recently, we thought it was better to be able to anticipate more effectively when we would possibly have issues,” said a U.S. respondent working in the telecommunications industry.

Respondents reported specific sources and threats that informed their security strategies, such as attacks from Russia and other nation-states, attacks on supply chains and attacks focused on specific sectors, particularly health care.

“We took significant notice at the SolarWinds hack and continue to watch the increased sophistication of malicious government actors,” said one health care respondent from the U.S. “With a higher payout for HIPAA and PII information with ransomware, we worry about these types of attacks as well.”

Internally, respondents leveraged actual or near breaches to raise awareness of risks and to achieve or solidify management buy-in for security reinforcements.

“We had a minor phishing breach through hosted email,” said another U.S. respondent working in health care. While the incident had minimal impact on operations, “management and IT as a whole were much more aware of what some of our priorities should be to protect the company name and assets.”

Organizations maintain or increase investment in security solutions

Many respondents doubled down on solutions and strategies to improve threat detection capabilities. For example, the discovery of attacks using artificial intelligence-based automation may have led organizations to increase spending on security technologies capable of mitigating these risks.

According to the survey, in Q4:

  • 56% of organizations increased resource allocation and 54% increased spending on technologies to prevent or mitigate the effects of a cybersecurity breach — including purchasing, building, upgrading or implementation
  • Health care organizations were more likely than most industries (63%) to increase spending on these technologies

Organizations also cited internal and third-party resources, including managed security service providers (MSSPs), as an area of investment.

“Additional cybersecurity employees have been assigned to our headquarters,” according to a respondent from Germany working at a manufacturing company. “With the help of external specialists, dangers were recognized and eliminated.”

Others engaged MSSPs to provide 24/7 monitoring and improve the overall security posture.

Download the full index report for a detailed breakdown 

Defensive measures included efforts to identify risks by developing or modifying asset management programs or identifying physical or software assets:

  • Virtually all (92%) maintained or increased resources
  • Financial services and manufacturing sectors were most likely to maintain the same level of resources, with 60% and 62%, respectively, allocating the same resources to risk identification in Q4

These results may suggest that earlier in the year, security teams at many organizations completed much of the initial work required to identify risks in the changed IT environment. By Q4, those processes helped organizations fine-tune security plans and produced readiness to invest in technology solutions in the final part of the year and into 2021.

Organizations maintain focus on processes to secure assets

In addition to focusing on the people and the technologies that are essential to cybersecurity, respondents reported an ongoing commitment to processes. In Q4, 53% of organizations increased resources dedicated to development or modification of processes to secure digital or physical assets.

Similarly, nearly all organizations either maintained (47%) or increased (48%) resources to develop or modify a risk management strategy.


For more information on how you can partner with CRA Business Intelligence, please contact Dave Kaye, Chief Revenue Officer.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.