In early March, as I prepared to fly home from a business trip to Seattle, we began hearing stories of U.S. businesses sending their workers home with the expectation that they may be working from home for weeks, if not months. CISOs started to share stories of employees exiting their offices with monitors under one arm and desktop computer systems under the other. With social and work restrictions imposed by governments and businesses in response to the novel coronavirus COVID-19, organizations around the U.S. were about to come face-to-face with "the new normal," and it was going to be anything but normal. From the beginning it was clear that the rules we have operated under for decades were about to change.


In order to get a better understanding of the situation at hand, CSO surveyed 150 security leaders at some of the nation’s largest organizations. Some of what we learned was expected (e.g., vastly increased numbers of employees working from home); some was disturbing (26% are seeing increased attacks in the wake of the pandemic); and some was profound (our perception and understanding of risk will be changed for years to come).

A situation that would have been incomprehensible six months ago is reality today. Businesses of all descriptions across the U.S. are temporarily shuttered. Governors in California, New York and elsewhere have advised, if not ordered, their citizens to stay indoors. Billions upon billions of dollars in economic value were erased in a matter of days.

How long will this go on? How prepared were businesses? How is security impacted? These were all questions we explored in the survey in hopes of gaining a greater understanding of where we came from, where we are, and where we may be going.

This survey was conducted March 19-23, 2020 among 150 U.S.-based security & technology leaders. Eighty-seven percent of respondents were senior security executives representing an average company size of 23,825. Top represented industries were: financial services, including banking, insurance, and brokerage (27%); healthcare, including providers and pharmaceuticals (17%); high tech (14%); and retail, wholesale & distribution (8%).

We asked security and IT leaders to estimate how long they expect social and work restrictions, resulting from the pandemic, to remain in place. In general, responses averaged 7.7 weeks, with respondents in the retail industry being more hopeful (6.5 weeks) and healthcare respondents, as one might expect them to be, coming in the longest at 9.1 weeks. Essentially, we’re looking at a range that would see social and work restrictions remaining in place until somewhere between May 7th and Memorial Day (May 25th).

Not surprisingly, the survey found significant changes in employee work from home (WFH) levels. Three months ago, 16.5% of survey respondents’ employees worked from home at least 60% of the time. As of March 23rd, that number had climbed to 77.7%, an increase of 4.7-fold. High tech firms had the highest level of WFH prior to the pandemic’s impact at 31.9%, and continue to have the highest today at 90.2%. Retail/wholesale/distribution organizations have experienced the most drastic change in WFH levels, increasing from 3.7% prior to the pandemic to 66.4% today, a nearly 18-fold increase.

While 81% of respondents expressed confidence that their existing security infrastructure could handle their employees working from home, 61% were more concerned about security risks targeting WFH employees today than they were three months ago. Surprisingly, small & medium-sized businesses (SMB) — those with fewer than 1,000 employees — expressed the least concern (29%) about attacks focusing on their WFH workforce.

In 2006/7 CSO magazine dedicated extensive coverage to pandemic planning around Avian Flu. While, thankfully, that pandemic never materialized, and despite SARS, MERS, and the outbreaks of other infectious diseases, we didn’t hear the same amount of “pandemic buzz” in the years that followed.

It seems that businesses learned their lesson, and many kept their resiliency plans fresh in the intervening years. While only 54% of survey respondents indicated that their pandemic/resiliency plans had them prepared for the current situation, 67% indicated that their security infrastructure was fully prepared for the range of risks associated with the new operating environment.

Despite the high levels of confidence that their security infrastructures are up to the task at hand, 22% of organizations have found themselves out shopping for new security solutions/services to address the new work dynamic.

As one might expect, the businesses least likely to be investing in new technology or services are in industries that identified as most prepared: financial services (12%) and healthcare (14%).

Surprisingly, only 7% of SMB organizations indicated that they had to make security purchases in response to the current conditions, which may indicate either a lack of visibility into their risk environments, a lack of available budget to support new investments, or a combination of both.

When the shift to a pandemic-defined work environment began, it was widely speculated that there would be an increase in attacks designed to take advantage of the uncertainty caused by the pandemic and its impact on work structure, as well as holes that might open up with the transitioning workforce.

Unfortunately, this speculation has proven to be accurate: more than 26% of survey respondents say their organizations have seen an increase in the volume, severity, and/or scope of cyber attacks since March 12th. While the increase in attacks has been fairly consistent across company size, with SMBs seeing numbers only slightly higher than enterprise businesses, the financial services industry has been especially impacted, with 37% seeing an increase.

Across all vertical industries and company sizes, 73% of survey respondents say they believe that the impact of this pandemic will alter the way their business evaluates risk for at least the next five years. In some industries, like retail, that number was as high as 83%. This is an issue that will radiate from financial regulators to boards of directors and so on, down the institutional food chain. Risks that were thought to have a low likelihood of occurring will now be getting a second look. Likelihood will be the number focused on when considering risk, and resiliency will be the mantra. 

For years now we’ve been talking about the importance of corporate resiliency — the ability of the business to take a punch and continue to operate. Security's role in resiliency got more broadly noticed when ransomware hit in full force, crippling some major businesses, albeit temporarily. But now that ability to take a punch will echo across board rooms around the world. 

It’s clear that whatever the new normal will be is yet to be determined, and security is going to have to adapt to meet the risks it will bring. It’s also clear that these unfortunate circumstances will shine an even brighter light on the security organization, as risk management will no longer be considered a nice to have, but will instead be seen as a must have.

This story, "Pandemic impact report: Security leaders weigh in" was originally published by CSO.
