A clear majority – 83% - of C-level executives say the many operational shifts made during the pandemic will remain in place even after the COVID-19 pandemic ends.
Michael O’Malley, global vice president of marketing and strategy at Radware, says during the pandemic companies had to focus on making the network resilient, adjust to the remote contactless economy (home food shopping, restaurant deliveries), and future-proof their organizations for any disruptions in the years ahead.
"All of these activities will continue after the pandemic," O'Malley says. "The survey showed that the pandemic was a big shock to the system and it accelerated many trends. Companies will also be focusing on IT capacity such as product development and spending on IT security."
The research, conducted by Enterprise Management Associates on behalf of Radware, points heavily to companies across vertical sectors focusing on resiliency – the ability to keep the business going, the network up, human errors down, and grow the business during the pandemic.
More than any other sector, 83% of the retail/ecommerce respondents were making their IT infrastructures more resilient via hybrid or multi-cloud adoption and 80% via automation. For telco/service providers, 74% were focused on resiliency, with 76% by automation; and 69% of financial services companies keyed-in on resiliency, with 79% via automation.
"The focus on automation shows that as a part of resiliency, companies were trying to reduce human errors," O’Malley says.
The survey also found that roughly half of the respondents say changes made regarding headcount, processes/applications, real estate assets, and budgets are now permanent. Some 95% of respondents say their physical locations were affected by the lockdown to some degree, and by 2022 more than 50% of employees will continue working remotely.
IDC reports similar numbers on the work-from-home front. According to the research firm, 6% of staffs worked from home pre-COVID, 53% worked from home during the height of the pandemic, and roughly 30% will work from home by 2021.
"Companies made a tremendous push to roll out VPNs and remote desktops once the pandemic first hit," says Frank Dickson, a program vice president who covers security at IDC. "I think now we've gotten to a point where most companies can focus on security. They realize that for people who only use Office 365, they may not need to give them full VPN access; they can have them authenticate through a passwordless option."
Creating Security Gaps
The Radware survey also shows some significant security gaps that resulted from the rapid move to work-from-home.
"Companies were never set up for this level of work-from-home activity," says Raghu Thummisi, cybersecurity market strategist at Radware. "Many were racing against time to build in security controls. We found that there were clear winners and losers. The move to the cloud was a much easier lift for the companies that had already made the migration. The companies that were mostly brick-and-mortar had a much harder time."
O'Malley says the data shows that companies were really stressed. Some 50% of companies were not confident in the organization's ability to protect against unknown threats, and 30% reported an increase in attacks at the start of the pandemic. In addition, 35% of the attacks experienced by the respondents required an incident response process, and 69% spent more than half of their time on network security-related discussions of issues.
The pandemic also accelerated migration to the cloud, Thummisi says, which exposed companies to some unforeseen security issues. Some 76% of survey respondents say the pandemic accelerated their cloud migration and while nearly one-third say attacks have increased, another 32% also say they are relying on third-party providers (both public cloud providers and MSSPs) to secure their digital assets.
"We found that companies don't always have a full understanding of the shared responsibility model with public cloud providers," he says.
When they roll out a development environment, for example, they don't always realize that they are responsible for taking down that test environment. "While the cloud makes it easier to spin up test environments, companies still have to validate and take down the environment," he says. "Companies need to be careful not to leave these environments open to attack."
IDC's Dickson, meanwhile, says he thinks companies understand the shared responsibility model, but that developers in many enterprises are not incentivized to build in security.
"App developers are focused on getting the application up, functional, then operational, there's usually not a security metric built in there," Dickson says. "Security has to be a priority and companies need to set up the systems, processes and incentives to make that happen."