5 minute read 23 Jul 2020

COVID-19: How future investment in cybersecurity will be impacted

By

Kris Lovejoy

EY Global Advisory Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.


The COVID-19 crisis is elevating the importance and value of security leaders and teams.

In brief
  • EY research confirms that the COVID-19 crisis caused significant disruption to day-to-day security operations, particularly with enabling remote-working.
  • 79% of respondents say their cybersecurity budgets will be impacted by COVID-19 in the next six months if not sooner.
  • Identity and access management, and data protection and privacy are both considered priority areas for an increase in spending, and outsourcing is being considered.

Global pandemics occur mercifully infrequently, but when they do, the impact they cause is invariably significant, disrupting operations in the short term while also influencing how businesses behave in the months and years that follow.

COVID-19 has been no exception. New EY research reveals that the pandemic has caused widespread disruption in cybersecurity operations and is expected to have significant impact on strategies, investments and future priorities.


Remote-working has been a particular issue, and incidents of phishing and other threats are on the rise. Larger corporations have been able to ride out the storm more comfortably than mid-size companies, especially those in the US, and most CTOs expect budgets to be affected one way or another as the full risk impact is assessed.

Data privacy continues to be a major cause of concern, not only within businesses but also among consumers who distrust governments and major corporations with their personal data.

The friction and occasional disconnect between CTOs and CISOs previously identified in this year’s Global Information Security Survey (February 2020), and the need for much closer collaboration with the Board, is once again highlighted in this latest report. CTOs appear to have been more greatly affected by the COVID-19 outbreak than CISOs, and CISOs appear to have fewer budget concerns moving forward.

It is a mixed picture, but what most leaders seem to be agreed on is that day-to-day security operations have been disrupted, almost a third (29%) saying significantly so. Remote-working support was the biggest challenge (71%), followed by budget restrictions (41%), network overload (40%) and reduced staffing levels (37%). 

COVID-19 disrupted day-to-day security operations: 71% of organizations indicated remote-working support was the biggest security challenge.

The challenge of procuring reliable external support is interesting in the context of a further report by EY and the International Association of Privacy Professionals (IAPP) in May 2020 that showed that almost half (45%) of all organizations have adopted a new technology or contracted with a new vendor to enable remote-working.

Of those who cited an increase in cyber threats, phishing (69%), malware (54%) and ransomware (49%) were the unwelcome front-runners, with insider threats, zero-day exploits and denial of service (DoS) also of concern.

The extent to which businesses have been affected varies according to size, geography and industry. Mid-sized companies noticed the impact the most, with higher network and staff disruptions and a disproportionately higher number of cyber attacks. Large companies have faced remote-working challenges but, perhaps unsurprisingly, have been more resilient to cyber threats.

Security leaders in the Americas region felt the impact of the COVID-19 pandemic far more acutely than the rest of the world (91% experienced some or significant disruption). Regardless of location, however, all share in the challenges posed by remote-working. Perhaps ironically, technology firms faced significantly more cyber threats than their counterparts in financial services.


Change is happening, and in respect to budgets, change is expected to happen fast. Almost three-quarters (79%) expect cybersecurity budgets to be impacted within the next six months if not sooner (21% believe “immediately”), though not all think budgets will be cut; some – indeed as many as a third (32%) – think investment will go up or at the worst, stay the same (24%).

COVID-19’s impact on cybersecurity budgets: 79% of organizations expect cybersecurity budgets to be impacted within the next six months if not sooner.

Identity and access management, and data protection and privacy are both considered priority areas for an increase in spending, and outsourcing is being considered, notably in respect not only to data protection and privacy but also for risk, compliance and resilience.

Some 55% of businesses surveyed are considering (or would consider) outsourcing security operations as part of their cybersecurity strategy.

The findings tend to be consistent across geographies, sectors and roles, although there is a bias within smaller companies to prioritize security operations and architecture & engineering, and there is a marked difference between CISOs and CTOs in their attitude to outsourcing security operations: 44% versus 81%.

Security leaders rethink their outsourcing strategy: 55% of organizations indicated that they would consider outsourcing security operations post-COVID-19.

So, are any longer-lasting or even permanent changes in strategy and approach predicted following the COVID-19 pandemic? Certainly, security leaders expect their function to become even more important, with 70% believing there will be an increased focus on cybersecurity at the board/executive level, especially those in small companies, the Americas, and in the finance sector.

This is a notable shift from the pre-COVID-19 Global Information Security Survey 2020 that suggested only 43% of boards saw any value in the cybersecurity team, and that there was a distinct lack of any cybersecurity representation at the boardroom table.

A large majority (72%) – with a particular predominance of CTOs – expect that privacy will increase in value and importance with the introduction of surveillance mechanisms to track and manage the virus. In a related survey by PSB Research of 1,000 US consumers (April 2020), the findings suggest that consumers are especially reluctant to surrender their personal privacy, regardless of the challenges posed by the pandemic, and similarly not convinced that any such engagement will be for their own good. Well over three quarters (81%) are concerned about personal data privacy and more than two-thirds (68%) of respondents in the US believe their government should be able to bring the virus under control without them having to sacrifice their privacy.

Few respondents trust either their employer or their government with their personal data and this presents a significant challenge.

As companies start to address new opportunities in the privacy space, they should urgently prepare to address the tension between privacy and security. While 82% would have no issue with their employer checking their temperature every morning, only 11% would trust them with data concerning their health and only 14% with information about where they lived. It is a gap that will take a well-engineered bridge to cross.

As we emerge slowly into a post-crisis world, and a new normal, it will be interesting to see whether the cybersecurity teams’ predictions of an elevated status come true and are embedded beyond the short term. This is not yet clear. What is clear, however, is that there has never been a better time for CTOs and CISOs to demonstrate their worth and see their deserved place at the top table.

Survey methodology

The survey was conducted between April and May 2020 and is based on 150 respondents from the Americas (66%), Asia-Pacific, Europe, Middle East, India and Africa (34%) regions. Respondents represented a broad range of industries including Technology (45%), Financial Services (18%) and Consumer Products & Retail (15%) among others (22%). The survey captured the views of Chief Information Security Officers (30%), Chief Information Officers (34%), Chief Technology Officers (17%) and other business decision makers (19%) in similar roles.


Request access to the full survey, “How COVID-19 is impacting future investment in security and privacy.”

 


Summary

With the COVID-19 pandemic continuing to play out around the world, security leaders are trying to anticipate what will come next. We surveyed Chief Information Security Officers who told us that they are expecting an imminent change to their budgets, which will impact their strategies, investments and future priorities.
