Employees don’t want to come back. At least not to pre-pandemic levels, before school campuses and corporate cubicles were shuttered and half the world locked down to slow the spread of COVID-19.
Since then, enterprises and government agencies have entered a state of seemingly perpetual chaos, with uneven reopenings, evolving public health messages, civil unrest, and ongoing staffing and supply chain shortages.
Two years into the pandemic, the lack of adequate resources has become more than an inconvenience: it’s an open challenge to bad threat actors in search of weakened organizations. But security pros say the chaotic moves made amid the COVID response also opened the door to new opportunities for more robust security and business continuity.
The data and insights in this report, produced by CRA Business Intelligence and sponsored by Infoblox, are based on an online survey conducted in late 2021 and early 2022 with 1,100 IT and cybersecurity decision-makers and influencers in some 11 countries.
Here are some of the leading findings.
The surge in remote workers and customers has changed the corporate landscape significantly — and permanently
Some companies shuttered physical offices for good, and even those still holding on to commercial properties understand they must contend with remote staffs or hybrid workplaces for the time being. As a result, some moved more applications into the cloud and rely on traditional network security like VPNs and firewalls placed on corporate mobile devices. For employees using their own equipment, many companies are deploying solutions to monitor and manage DNS, DHCP, and IP traffic moving in and out of servers.
The new hybrid workforce has caused greater concerns with data leakage, ransomware and attacks through remote access tools and cloud services
Respondents indicate concerns about their abilities to counter increasingly sophisticated cyberattacks with limited control over employees and vulnerable third-party partners. The sophistication of state-sponsored malware has also become a source of worry for many.
Organizations have good reason to worry: Most participants experienced up to five security incidents that led to at least one breach
Attacks tended to originate with Wi-Fi access points, employee-owned endpoints or the cloud. Phishing was a common conduit to gain illegal entry to hijack credentials and steal or lock down data files. These weren’t minor events, either; the CRA study showed 43% of all organizations surveyed suffered at least $1 million (U.S. dollars) in direct and indirect losses.
Interest in secure access service edge (SASE) frameworks accelerated
As assets, access and security move out of the network core to the edge with the push for virtualization, 54% have already partially or fully implemented SASE, and another 28% intend to do so.
Organizations do apply controls for on-premises, cloud and hybrid environments, but there’s plenty of room for improvement
Some two-thirds of all participants were “less than very satisfied” with their organization’s ability to respond to an actual attack, such as ransomware, using existing solutions. They are also eyeing solutions for hybrid environments more often than on-prem or cloud-only versions.
IT security budgets and spending increased for many in 2021, with even more security teams expecting a bump in budgets in 2022
Many are considering primarily hybrid-oriented solutions that protect assets both on premises and in the cloud. And they are trying a wide variety of solutions — everything from endpoint and network security to cloud access security brokers, DNS security and threat intelligence services.
Overall, survey respondents said data leakage was their biggest concern last year, given the loosening control over what flowed into and out of corporate or personal devices over remote connections and/or cloud services. Respondents also indicated a growing reliance on cloud-based applications that come with third-party risks should cloud service providers fall short on security controls or fall victim to attacks of their own.
Geopolitical tensions also had a big impact, as companies worried about whether they had the systems in place to withstand nation-state attacks.
“Currently, we don’t have the internal systems to protect or restore our IT systems if state-sponsored attacks were to take place,” said a chief executive for an Australian retailer.
Insider threats — whether rooted in malicious attacks or misuse — also remained a concern.
“It’s practically impossible to control how internal employees handle their information about our systems,” said a chief security officer for a mid-sized German firm.
On the bright side, most CRA study participants expected greater financial support for cybersecurity programs. Fifty-nine say their IT security budgets increased in 2021, and almost three out of four respondents expect 2022 IT security budgets to increase. The most popular security and data protection technologies are intended for hybrid environments. The leading products deployed will be the following: encryption tools, network firewalls, VPNs, and network traffic monitoring, detection, and response tools.