Amid all of the 2020 horror stories of Zoom meetings gone awry (Jeffrey Toobin, we’re trying not to look at you), hastily rearranged home offices, and parents frantically juggling child care, work, and household management, it’s easy to overlook the sometimes heroic efforts IT and cybersecurity shops have undertaken to support a massive shift in how we work. So, against that backdrop, we are happy to report that when it comes to the Cybersecurity Report Cards that DomainTools has been asking security pros to fill out for the last four years, there are some encouraging trends.
Once the seriousness of Covid-19 symptoms and the spread of the disease began to be widely understood, organizations realized that they had to rapidly mobilize to make profound changes to how they do business, with far-reaching effects on every part of the operation. Depending on the nature of the organization, IT and security departments may have been the hardest-hit of all. But on top of that, cybercriminals did what they always do: capitalize on the zeitgeist to roll out new attacks. Some of these preyed on the public’s hunger for information about Covid-19; others leveraged vulnerabilities in video conferencing and other remote-access-related systems. All of them added to the already greatly increased burdens on IT and security folks.
Looking back on it, it’s hard not to be pretty proud of IT in general, and security in particular, for what it accomplished. Having to roll out new technologies, expand and contract the use of existing ones, totally recalculate capacities, risk profiles, threat models, and user needs, change network topologies, and deal with countless other changes was hard enough; but to do so under immense time pressure, and amid the general anxiety and uncertainty about the virus, was downright heroic. I suspect that if you’d told IT shops that they had to support full (or nearly full) remote workforces and gave them a 12-month timeline to do it, they would rightly have balked. Even though remote work certainly was not foreign to most organizations, the scale of the change, along with the other shifts mentioned above, was still a heavy lift. Unfortunately, that’s not all that the security community was facing.
Breach prevention success rate
Cybercriminals waste no time in capitalizing on whatever’s in the news, and the greater the thirst for fresh information, the greater the valence of the various kinds of lures they deploy. DomainTools tracked registrations of Covid-themed domains (many of them malicious), and in March, security researchers Tarik Saleh and Chad Anderson discovered a malicious Android Covid-19 tracker app which was, in fact, a ransomware application they dubbed CovidLock. This and other Covid-related ransomware and phishing campaigns couldn’t have come at a worse time, which of course was just fine with the criminals.
DomainTools has been asking organizations to grade themselves on their security chops since 2017, and the results have been illuminating. Among other things, we have admired the rigorous self-inventory that the respondents took when providing their responses. In a way, that shouldn’t be surprising, because any company division that isn’t honestly and comprehensively introspective isn’t doing it right. Still, the rates of participation, as well as the scores given and the reasoning behind them, give real credibility to the answers that teams gave on the 2020 Report Card and to what they reported about the impacts of the pandemic on security operations.
Given everything that security staff was contending with, it would have been entirely reasonable for this year’s grades on the Cybersecurity Report Card to be substantially lower. And yet, they weren’t. There were some decreases—fewer organizations gave themselves A’s—but there were also some gains: the grades in the middle of the pack were collectively higher than in previous years. The breach prevention success rate also rose. The percentage of respondents reporting successful breaches held steady, rather than falling as it had in previous years, but the number of detected attacks increased; with the same share of breaches spread over a larger number of attacks, the overall prevention rate was higher. Security teams seem to be better, then, at both detecting and preventing breaches; they just had a lot more of them to detect and prevent in 2020. As the opera folks say, bravi tutti.
Two other areas of evaluation are worth mentioning: leadership and training. One of the things that stood out about the organizations giving themselves A’s is that ~84 percent of them replied in the affirmative to “we have a companywide program to keep our IT staff up to date on the latest threats and trends,” versus ~60 percent for the group as a whole. Getting more specific, we asked “Did the training offered by your organization prepare you to handle an event like the pandemic?” Among the A-grade group, ~73 percent answered with “Our team was well prepared,” versus ~45 percent for the overall group. Good training programs are clearly held in high regard by the respondents.
As for leadership, there was a strong correlation between the grades respondents gave their groups as a whole and the grades they gave their leadership. The survey asked respondents to grade their CISOs/security managers and their CEOs. Among the A’s, ~93 percent gave their CISO/manager a grade of A (versus 44 percent for the overall group), and ~92 percent gave their CEO an A, versus ~48 percent. We’ll give the benefit of the doubt that respondents didn’t have their leadership looking over their shoulders when they filled out the survey, and thus conclude that support at the leadership level really matters.
Whether you’re new to the profession or have many years under your belt, you know that most of us are in this for far more than just a paycheck. There is a deep commitment to making the Internet a safer place to work, learn, and play every day, shared by tens of thousands of professionals worldwide. This Report Card paints the picture of an IT and security community that is not perfect, but which has risen to an enormous challenge in ways that everyone involved can be proud of. Let’s hope that 2021 settles down, but if it doesn’t, we can rest assured that information security is going to hold its own.
Tim Helming, Security Evangelist, DomainTools