Businesses to spend more on security as the number, size of cyberattacks grow

Dive Brief:

Nearly 70% of organizations expect an increase in the "the number and size" of cyberattacks in the next 12 months, according to Deloitte's Cyber risk in the wake of COVID-19: Building Greater Resilience survey of more than 880 C-suite members and executives on June 1. The "cyber events" they expect to increase target their organization.
More than half of respondents, 56%, are increasing their security spending in response to COVID-19-related "disruption," according to the survey. Less than one-third of respondents, 29%, don't anticipate a change in spending.
The greatest security hurdles related to COVID-19's disruption are insider threats and identifying the location of malicious activity. Executives are also concerned about upholding 24/7 security coverage and maintaining privacy and security regulations.

Dive Insight:

COVID-19 changed how businesses run. Consequently, security had to adapt.

The traditional methods of working on-premise "broke down" in March and for security, a business component reliant on a security-centric culture, it changed drastically, Chris Kennedy, CISO and VP Customer Success at AttackIQ, told CIO Dive.

Gartner adjusted its expected spending on information security for 2020 with cloud security leading the charge. Cloud security is expected to increase 33.3% year-over-year, reaching $585 million in 2020. On-premise security, including network security equipment had the steepest decline, projected to drop 12.6% year-over-year.

"Frankly, the reason why many organizations require brick and mortar working, is either because there is a lack of security or because of legacy processes," said Kennedy.

IT will likely spend the next three to five years reckoning with legacy systems that tie them to an office as a result of COVID-19's disruption, according to Kennedy. "These security investments are, well, the new architecture," he said. "It used to be concentrations and localities," but there is no locality anymore with a remote workforce.

Without a central location, endpoint visibility is at the forefront of security, behind employee behavior and training. But the breakdown of an in-office security mindset and physical deterrence, such as cameras, challenges organizations' ability to track insider threats. Businesses had to reevaluate their insider threat program's capacity for perceiving threats outside the office.

Adjusting to a security perimeter that reaches every employee's home created a minefield of potential misconfiguration because tools were deployed too quickly. "Attackers prey on entropy, as in, when you move fast, you likely screw stuff up," such as VPNs, said Kennedy.

Annual business impact assessments will likely look different by the end of 2020, said Kennedy. How long would it take for an organization to recover from a cyber event — a day, a month, a year?

Before COVID-19, building a resiliency model for an entire workforce working from home for a year was unlikely, said Kennedy. "There was always just more important stuff to do, but here we are."