A recent study commissioned by Tenable and conducted by Forrester Consulting shows the investments companies are looking to make in cybersecurity over the next 12 to 24 months. More than 1,300 security officers, executives and remote employees, including 156 respondents in Germany, took part in the study, entitled “Beyond Boundaries: The Future of Cybersecurity in the New World of Work”. There are five key findings:
- Remote work will always exist. Within the first few months of the pandemic, nearly six out of 10 companies switched to a 100 percent work from home model. More than a year after the pandemic, 78% always work from home.
- The home network is now the company network. More than half of employees who work on the go access it through a personal device, while 77% say they have six or more devices connected to their home network. This fact poses a major challenge for security teams: 43% of security officers say they have no visibility into home networks and connected devices, and only 33% feel that they have enough staff to monitor the attack surfaces. There is some good news for those security teams that are lacking staff: 64% plan to add staff over the next 12 to 24 months.
- Cyber attacks are multiplying as corporate attack surfaces continue to expand far beyond the boundaries of the office to include home networks, personal devices, the cloud and third-party providers. Ninety-two percent of executives report that their organization has experienced a business-related cyber attack or compromise in the past 12 months resulting in loss of customer, employee or other confidential data, business interruption, ransomware payout, financial loss and/or intellectual property theft. 70% were victims of three or more attacks. Sixty-seven percent said these attacks were targeted against external employees, and 74% said at least one attack was due to vulnerabilities in systems that were put in place in response to the COVID-19 pandemic.
- The pandemic opened the door to a variety of forms of attack. With the move to teleworking, where employees are no longer confined to the network with a static set of managed devices, security policies and technologies that focus on attacks from the edge of the network will no longer be sufficient. Forty-three percent of respondents said their organizations have suffered from COVID-19 related malware or phishing attacks. This makes it the most common type of compromise. Other common types of attack included fraud, data breaches, ransomware, software vulnerabilities, malicious insider attacks, and intellectual property theft.
- Fundamental cybersecurity investments will be a priority in this new world of work. Organizations will step up their defenses to support the next phase of their work model and increase investment across all areas. Eight out of 10 security executives say they will spend more on network and data security, while around three-quarters will spend more on vulnerability management and cloud security. Endpoint security and credential/identity access management are also in demand, with 66% and 65% respectively increasing their budgets.
When asked about the ability to assess cyber risks, 53 percent of security officers and executives said that their companies performed average at best in this area. 53 percent of companies confirmed that they lack confidence in their ability to precisely analyze and measure their cyber risks. A lack of technology, processes and/or data prevents them from making better business and technological decisions.
However, many confirmed that they plan to invest in the next 12 to 24 months to support their people strategy:
- 80 percent said they plan to increase their network security spending.
- 71 percent want to invest in cloud infrastructures and platforms.
- 78 percent plan to invest in cloud-based collaboration tools and software.
- 80 percent plan to spend more on vulnerability management.
But it’s not just about technology, because 93 percent of companies want to increase their security staff in the next 12 to 24 months.
“In the last few months, companies have drastically adapted their working methods and introduced a model of the decentralized workforce. To do this, they had to move business-critical functions to the cloud,” explains David Cummins, VP EMEA at Tenable. “Security had to take second place to functionality. Since these changes are now being introduced permanently, companies must be careful to secure their new normal. While the investments planned for the coming years are reassuring, it is imperative that security teams find the right solutions. With a heterogeneous workforce, it is important to invest in adaptive user and data risk profiles that can interrupt attack routes by taking into account misconfigurations in Active Directory and the cloud.”