Thanks to the COVID-19 crisis, security professionals are more concerned than ever about potential breaches, according to a survey released by Black Hat this week.
Respondents – 273 top security professionals – registered record levels of concern about near-term compromises of their own IT environments, as well as US critical infrastructure. Ninety-four percent said they believe the COVID-19 crisis increases the cyberthreat to enterprise systems and data, according to the "2020 Black Hat Attendee Survey." Twenty-four percent said the increased threat is critical and imminent. Vulnerabilities in enterprise remote access systems that support home workers were the chief concern (57%). Increased phishing and social engineering threats also ranked highly (51%).
In addition, nearly 90% of respondents (87%) said they believe a successful cyberattack on US critical infrastructure will occur in the next two years, up from 77% in 2019 and 69% in 2018. Only 16% believe government and private industry are prepared to respond to such an attack, down from 21% in 2019.
Seventy percent of cybersecurity pros said they believe they will have to respond to a major security breach in their own organizations in the coming year, up from 59% in 2018. Thirteen percent of 2020 respondents said such a breach is a certainty. When asked whether they have sufficient security staff to defend their enterprises against current cyberthreats, 59% said no. When asked whether they had enough budget to defend their data against current threats, a majority (56%) also said no.
While breach concerns have been high for the past several years, COVID-19 has heightened them.
"Greater dependence on cloud computing and employee-controlled/owned devices and networks will lessen the visibility and control IT and security functions rely upon to manage risk," said one survey respondent. "This is a fundamental paradigm shift that will necessitate a change in the way we manage risk, allocate already scarce resources, and deploy controls."
While resources are a major concern for security pros, many also raised concerns about current security technologies. In the survey, only 10 of 21 categories of security products were rated as "effective" by respondents. Multifactor authentication (84%), encryption (74%), and endpoint security tools (63%) received the highest "effectiveness" ratings.
The security technologies rated least effective were passwords (25%), deception/honeypots (27%), and antivirus tools (31%). Cloud security providers (41%) and cloud security tools (46%) were rated ineffective by the majority of respondents.
The Black Hat survey also revealed frustration about some technologies that have been repeatedly promoted as "game changers" in security technology. When asked about artificial intelligence (AI) and machine learning (ML), for example, only 23% of survey respondents said they believe AI and ML will be game-changing technologies. Eighty-three percent said they believe the impact of AI and ML on security will be limited. Thirty percent said they believe AI and ML are discussed too much or overhyped; only 33 percent ranked them as effective.
Attitudes toward blockchain technology were even more cynical: Only 12 percent of Black Hat survey respondents rated the technology as game-changing, while 24% said they believe the technology is overhyped and unlikely to be of much use to their organizations.
Many security experts also expressed serious questions about the ability of corporations and consumers to protect the data and identity of individual users. In the survey, nearly half of respondents (45%) said they believe the consumer data stored by most corporations is highly vulnerable to attack, and that consumers should assume that their personal data has been breached.
Eighty-seven percent of cybersecurity pros said they believe that no matter how careful consumers are with their personal information, it's likely that their data and/or credentials are available to criminals online right now. Only 38% of respondents believe it will be possible for individuals to protect their online identity and privacy in the future.
Many of the survey responses also indicated that, thanks to the COVID-19 crisis, cybersecurity professionals are under more pressure than ever before. And this pressure is taking its toll – not only on enterprise networks, but on IT security pros themselves.
When asked about their current level of "burnout," in which professionals lose effectiveness because they are overstressed and oversubscribed, a majority of security professionals (53%) said they consider themselves "burned out" by their work. This figure is up significantly from 40% in 2019, suggesting that burnout is now prevalent across the industry.