Coronavirus has increased the infosec workload, but redundancies and recruitment freezes are still widespread, according to a new report
UPDATED: Two in three UK-based organizations are likely to increase their cybersecurity spending in 2021 despite the unprecedented financial toll exacted by Covid-19, according to a survey of infosec decision-makers.
A report from information security giant NCC Group reveals that just 7% of respondents from public and private sector organizations anticipate overall budgetary cuts, suggesting a widespread determination to ringfence cybersecurity spending amid an increasingly complex threat landscape.
However, 27% reported cuts to cyber-resilience budgets in 2020, and three in 10 reported delays or cancellations to cyber-resilience projects.
The survey of 290 senior infosec professionals suggested many security teams’ headcounts were being reduced because of a pandemic that simultaneously increased their workload.
With Covid-19 being exploited by cybercriminals and forcing hasty migrations to a remote workforce, 40% of organizations froze infosec recruitment, 29% made redundancies, and one in five furloughed staff.
Two-thirds (66%) of those polled said they planned to plug the gap with outsourcing in 2021, 50% of whom cited recruitment and retention as a key motive amid the global cyber-skills shortage.
“Ideally, organisations should outsource to complement and strengthen their internal resources rather than replace them,” Stephen Bailey, head of cyber and privacy consulting at NCC Group, told The Daily Swig.
“However, with budgets stretched during the pandemic, outsourcing offers decision makers a quick and cost-effective way to improve their security postures until they can afford to recruit dedicated cyber security people.
“It also allows organisations to determine their resource requirements before making firm commitments to recruitment, enabling them to allocate their budgets more effectively,” as well as flexibly address “specific short-term security requirements” that cannot be practically addressed internally.
NCC Group observed that organizations that cut their budgets or team sizes were more likely to suffer cyber-attacks in general, while many respondents blamed home working for rises in insider threats, phishing, and ransomware attacks.
As a result of these challenges, the proportion of those polled who considered their employer ‘very resilient’ fell from nearly half to 38% year on year.
The survey also hints at a patchy record when it comes to detecting and remediating threats.
On the one hand, almost 90% expressed confidence that they could promptly diagnose and remediate the root cause of a potential data breach and alert authorities within 72 hours, as required under GDPR.
On the other, just 49% of organizations scanned their network perimeter frequently.
And despite zero-day vulnerabilities now being exploited in the wild within just three days of public disclosure, 49% confessed to taking a week or more to patch vulnerabilities, while only 21% said all network-connected devices were regularly patched.
Effective patch management is contingent on “continuous monitoring”, according to Tim Rawlins, director and senior adviser at NCC Group.
“It is more valuable to consider the accuracy of the estate inventory and the time it takes to reduce the vulnerabilities, than the total number of vulnerabilities itself,” he said.
Understanding the threat landscape (70%) and securing funding (68%) were seen as the two biggest challenges currently facing organizations.
Decision-makers were far from bullish about surmounting these hurdles, however: 71% admitted to being ‘not confident’ about improving their organization’s cybersecurity preparedness.
While more than 90% admitted to struggling to evaluate the costs and benefits of cybersecurity measures, only 31% agreed that benchmarking security activities was an effective solution.
Dominic Carroll, product manager and service architect at NCC Group, disagreed with the benchmarking dissenters.
“Whether you’re establishing how far you’ve come since your last assessment or building a business case for targeted investment, benchmarking your resilience against recognised frameworks such as NIST should be factored into your cyber strategy,” he said.
This article was updated on March 9 with the addition of comments from Stephen Bailey of the NCC Group.