logo

Enduring from home COVID-19’s impact on business security

In March, for companies across the United States, “business as usual” became business uncharted, as the novel coronavirus spread throughout the nation at an unchecked pace.

  • Published: 25-04-2022

  • Related Category: Threat Intelligence

  • Type of Content: White Papers

  • Owner: Malwarebytes


1 | Executive summary

In March, for companies across the United States, “business as usual” became business uncharted, as the novel coronavirus spread throughout the nation at an unchecked pace.

Faced with shelter-in-place orders in their home counties and states, countless companies transitioned to entirely remote workforces.

Predictably, these near-immediate transitions carried with them some setbacks. A remote workforce can become a workforce stretched thin: Communication must adapt to online models of email, chat messaging, and video conferencing; collaboration must move to

cloud-based storage platforms; and keeping business afloat must take into account the unique cybersecurity needs of now-remote workers who are connecting to potentially unsecured home networks while accessing company resources from personal devices—all without the direct support found within the office.

It’s enough to scare any IT director.

Keeping business afloat must take into account the unique cybersecurity needs of now-remote workers who are connecting to potentially unsecured home networks while accessing company resources from personal devices.

Methodology

At Malwarebytes, we wanted to dig deeper into today’s new, work-from-home (WFH) normal, measuring not just the immediate reaction to the pandemic, but also businesses’ planned cybersecurity strategy for the future.

We surveyed more than 200 managers, directors, and C-suite executives in IT and cybersecurity roles at companies across the US.

We surveyed more than 200 managers, directors, and C-suite executives in IT and cybersecurity roles at companies across the US. These roles include IT Manager, IT Director, and IT Executive/C-Suite, along with IT/Cybersecurity Manager, IT/ Cybersecurity Director, and IT/Cybersecurity Executive/C-Suite. Our respondents covered the gamut of company sizes, with some working at small- and medium- sized businesses and others at large enterprise organizations. We grouped participants into the following company sizes: 100 – 349 employees; 350 – 699 employees; 700 – 1,249 employees; 1,250 – 4,999 employees; and 5,000 employees and over. Our survey of roughly one dozen questions tracked respondents’ concerns about transitioning to WFH, the impacts suffered due to the pandemic, and their plans to implement long-term security changes moving ahead.

2 | Key takeaways

Our research revealed some concerning trends. We found more devices spread across more locations connecting to more software tools, coupled with an uneven increase in deploying antivirus software. These actions have predictably resulted in serious setbacks for some companies.

Said they paid unexpected expenses specifically to address a cybersecurity breach or malware attack following shelter-in- place orders.

Said they faced a security breach as a result of a remote worker.

Admitted that, for their employees, cybersecurity was not a priority, while 5 percent admitted their employees were a security risk and oblivious to security best practices.

Admitted they’re using personal devices for work- related activities more than their work-issued devices, which could create new opportunities for cyberattacks.

Our survey also found that, despite some of the above setbacks, a majority of respondents scored their organizations rather high when evaluating their readiness to transition to WFH. This may be an example of an often difficult-to-measure phenomenon that we call “security hubris,” aka over- confidence in limited security measures deployed. For example:

Amidst the cybersecurity vulnerabilities, companies were also hit by several financial losses caused by the pandemic itself. At least a quarter of respondents said their organizations froze all or nearly all promotions and pay raises, laid off employees, or lost clients or contracts.

Amongst the worrying trends, however, we found a silver lining.

While some of the numbers above may present the picture of an insecure, vulnerable workforce, there is a flipside to the data. For example, while nearly half of our respondents may not have provided cybersecurity training to their employees, the other half did. The same is true for the 55 percent of respondents that performed security and online privacy analyses of software tools.

These trends are not only encouraging, they may soon become necessary. The fact is that the transition to WFH has not happened in a vacuum. Staying cyber secure is not just an exercise in good company governance. Mercilessly, in the midst of all this, threat actors have pounced. Malwarebytes’ internal telemetry showed that, following the issuance of multiple shelter-in-place orders this year in various states across the US, several malware threats shot up in popularity. Like we said then, we have no strong evidence that any of these threats will fade back into obscurity any time soon.

So, it’s up to companies and their employees to start planning for the future today. With our full report, you’ll see which steps are effective, and what you and your organization can do today to best support your remote workforce to endure tomorrow.

In the midst of all this, threat actors have pounced...following the issuance of multiple shelter-in-place orders this year in various states across the US, several malware threats shot up in popularity.

3 | How prepared were companies transitioning to WFH?

COVID-19 caught every company, large or small, off-guard. Organizations’ security budgets may have increased year-over-year and their defensive measures may have become more proactive—but few survey participants could admit they were fully prepared for an immediate transition to work-from-home en masse.

Less than 16 percent of survey participants gave their organization a perfect score on WFH readiness. Still, a significant percentage of respondents expressed high levels of confidence in how prepared their company was for the move to remote work.

To understand the volume of work IT teams would need to tackle in the transition to WFH, we asked survey participants to tell us the percentage of employees that were moved to a WFH model. About one- third of respondents (33.2 percent) moved 81–100 percent—if not all—of their employees home. And 142 respondents, or a little more than 70 percent, moved 61 percent or more of their workforce to a WFH model.

For companies with fewer than 700 employees, 42.9 percent moved 61- 80 percent of their workforce home. On the other hand, for companies with 700 employees or more, 37.9 percent moved 81-100 percent of their workforce home .

Among our respondents from the four major regions of the United States—the Northeast, South, Midwest, and West—organizations from the South moved more employees to WFH (33.2 percent) than any other region. The Northeast trails behind in a distant second (21.3 percent), with the West following closely on its heels at 20.3 percent.

moved 81–100% of their employees home.

moved 61%+ of their workforce to a WFH model

of Companies with 100–700 employees moved 61-80% of their workforce home

of companies with 700+ employees moved 81-100% of their employees home.

Ranking WFH preparedness

To measure participants’ confidence in their WFH readiness, we asked managers, directors, and executives across business sizes, US regions, and industries to rate how prepared their organization was to transition to working from home on a scale from 1–10, with 1 representing the least prepared and 10 representing the most. Of the 202 respondents, the average ranking was 7.23. In fact, roughly three quarters (73.2 percent) of those we surveyed gave their organizations a score of 7 or above on preparedness for the transition to WFH. On the flip side, only 14 percent scored their company a 4 out of 10 or less.

Among IT leaders surveyed, directors of companies with more than 5,000 employees were the most confident group when rating their company’s cybersecurity posture, giving it an average of 8.2 out of 10. In fact, following close behind were directors from organizations with 350–699 employees, with an average of 8.16. However, the pattern stops there, as not all directors felt as confident about their WFH preparedness.

In contrast, directors and those in executive/C-suite positions of companies with 700–1,249 employees were the least confident, giving their organizations an average rating of 6.11 and 6.5 out of 10, respectively. Managers belonging to these companies, however, did not share this view. Their ratings bucked the trend hard, with an average of 8 out of 10.

Regional preparedness

When we sliced our data according to the four major regions of the United States—the Northeast, Midwest, South, and West—we saw that confidence in WFH preparedness was generally higher in the Northeast and South than it was in the Midwest and West. Regional ratings didn’t stray far from participants’ overall average, with scores falling into a narrow band between 6.9 and 7.3. Companies in the Northeast, however, were the most confident about their cybersecurity posture, boasting an average of 7.33 out of 10. The Midwest was least sure about its WFH preparedness, ranking its organizations at a 6.91.

>> Download White Paper to continue reading.



Related White Papers: