Amid the extreme challenges cybersecurity teams experienced in the second quarter of 2020, a newly released business-activity index shows that companies with 500 or more employees in North America and Europe emphasized proactive security measures to protect assets and detect breaches during the period. Such measures outpaced more reactive activities, such as identifying, responding or recovering from breaches. The index also showed security professionals who took such active measures were significantly more satisfied with the impact of their efforts than those who did not.
For most organizations, second quarter 2020 activities were heavily influenced by fallout from the pandemic itself and the related far-reaching economic downturn. Their approach to these conditions suggests confidence in the cybersecurity strategies they had in place as they entered the crisis period. The Cybersecurity Resource Allocation and Efficacy (CRAE) Index is a quarterly tracker of momentum in cybersecurity investment and sentiment about the impact of cybersecurity programs, developed by CyberRisk Alliance (CRA) Business Intelligence and underwritten by Pulse Secure. The inaugural index compared the momentum of spending and sentiment in the second quarter of 2020 to that of the first quarter.
The need to rapidly accommodate a surge in work-from-home arrangements outside corporate firewalls and related cybersecurity infrastructure accounted for at least part of the increased investment of time, money, and resources shown by the index. On a scale of 100, where a score of 50 indicates a steady state of investment, the average composite score for Resource Allocation and Spending was 66.5. The average composite score for Efficacy was 75.8, indicating that organizations are confident their actions had the desired effect. These composite scores provide insight into staffing and spending across categories as well as organizations’ sentiment or confidence in how effective their cybersecurity measures and spending really are. What they add up to is a sense that during the challenging pandemic period, participants felt they were investing more, but also getting more for their efforts and money.
CRA found the same general pattern of increased investment and confidence across the five major categories of the NIST Cybersecurity Framework — detecting, protecting, identifying, responding, and recovering from security incidents. The category of “Protecting systems, assets, data, or capabilities from cybersecurity events or threats” got the highest score for Resource Allocation and Spending (68.1) and one of the highest for Efficacy (76.5).
Looking deeper into the numbers within the “protecting” category, one of the biggest drivers was “purchasing, building, upgrading, or implementing technology to protect against or limit the impact of cybersecurity events and threats,” with a score of 71.2 for resource investment and 69.7 for spending, compared with the average combined Resources/Spending score of 68.1.
Within the “detecting” category, where the overall resource and spending score was 67.3, the strongest driver was “purchasing, building, upgrading, or implementing ‘secure access’ technology to prevent cyber incidents and threats regarding unauthorized or insecure application and data access by users, endpoints, and IoT devices.” There, the sub-indices were 68.4 for resources and effort, and 68.3 for spending.
Fully half of all respondents said they faced increased threats during the quarter.
When asked an open-ended question about their concerns, many mentioned the disappearing network perimeter due to work-at-home arrangements. Attacks such as phishing surged as a result. “With increasing complexity of social engineering, we have had to increase our threat intelligence as well as our phishing education program to meet the new challenges,” one U.S. respondent explained. Phishing attacks “are not only carried out by email but also by messenger and SMS,” another participant from France noted.
Concern about phishing and identity theft was particularly high in Canada, cited by 68 percent of participants there — significantly more than reported by Europeans and slightly more than those from the U.S. While we can only speculate about the reasons, studies from several cybersecurity software vendors confirmed that Canadians are among the top targets for phishing and related scams.
While the pandemic and remote work were often cited as a reason for increased focus on information security, it was not the only one. One Canadian worried about increased dependence on commercial and open source systems that come with their own vulnerabilities. A U.S. respondent bemoaned “lack of understanding of the importance of cyber security and its implications.”
There were notes of optimism. “My company has become more mindful and careful at protecting our systems against cyber threat, and if any are suspected they are reported immediately,” one U.S. respondent said. “The team is more spread out and communication is more difficult. However, the automation and systems continue to work as they should. We have more people at home and more VPN connections to monitor, but that's reasonable scaling,” said another.
The CRAE Index comprises two composite indices — Resource/Spending and Efficacy — to monitor the state of organizations’ allocations and spending on cybersecurity activities and their perceptions about the efficacy of these measures.
The CRAE Index uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework which includes five components: Identify, Protect, Detect, Respond, and Recover. Index data is derived from quarterly surveys among 300 business, IT, and cybersecurity professionals at organizations with at least 500 employees in manufacturing, IT/Tech, financial services, and healthcare industries in North America and Europe.
This index was developed by CyberRisk Alliance Business Intelligence, an affiliate of SC Media. The index was underwritten by Pulse Secure.
For more information on how you can partner with CRA Business Intelligence, please contact Dave Kaye, Chief Revenue Officer.