Coronavirus: 50% of security pros had no pandemic contingency plan

Organisations across Europe have been left dangerously exposed to increased cyber criminal activity coalescing around the Covid-19 coronavirus pandemic, with 50% of cyber security professionals saying their organisation either had no contingency plan for such an event in place, or that they did not know if they did, according to a study conducted on behalf of Romanian security firm Bitdefender by Sapio Research.

This lack of planning appears to have come at great risk, with 86% of respondents to the survey saying they had seen a pronounced upswing in threat activity in the past three months – and with 2020 not quite half over, it looks like it will be a bumper year for breaches.

While nobody could have foreseen the exact parameters of the Covid-19 pandemic – making it a possible example of a Black Swan event, which characterises major events as a surprise, with a major effect, and able to be rationalised with the benefit of hindsight – Bitdefender found that the rapid changes to businesses had left security pros feeling exposed, particularly in relation to their largely remote working charges, who have tended to behave worse since being sent home.

One in three of the survey respondents said they were worried that employees were becoming more relaxed about security issues thanks to their surroundings, and around the same number fretted that employees were not sticking to protocol, particularly when it came to reporting suspicious activity.

Security pros also identified a number of well-documente, risks related to home working, including the use of untrusted networks, unvetted personal messaging and comms services, as well as family members or housemates accessing company devices.

“At least half of organisations admitted they were not prepared for a scenario such as this, whereas the attackers are seizing the opportunity. But within the current situation there is a great opportunity for positive change in cyber security,” said Liviu Arsene, global cyber security researcher at Bitdefender.

Arsene said that with the stakes around monetary and reputational loss ever increasing, the ability to react and adapt rapidly without increasing risk levels was now becoming critical, with Covid-19 providing the perfect example of how easy it is to be caught napping.

The good news, he said, was that the majority of security pros now recognised the need for rapid adaptability. The bad news was that not many were putting that lesson into practice just yet – only one in five said they had taken proactive adaptive steps such as changing VPN session lengths, compiling remote working guides, or conducting more training, and in areas such as buying better security insurance, or implementing zero-trust policies, the figures were lower still.

“Change is an undeniable threat to cyber security, as is being unprepared. The stakes are high in terms of loss of customer loyalty and trust, not to mention to the bottom line,” said Arsene.

“Covid-19 has, however, presented infosec professionals with the opportunity to reassess their infrastructure and refocus on what end users/employees really need and want in terms of cyber security support. The … study reveals that unprecedented change does pose risks, but that it also provides an opportunity to reassess strategy.

“It is also evident that, despite identifying risks, there is still a need for further investigation into what investments need to be made to ensure that corporate data and employees are both safe from bad actors. While it’s a challenge to make changes now, it will shore up business for the future and many more unknown scenarios,” he said.