Black Hat Survey: Breach Concerns Hit Record Levels Due to COVID-19

Annual "Black Hat USA Attendee Survey" indicates unprecedented concern over possible compromises of enterprise networks and US critical infrastructure.

Thanks to the COVID-19 crisis, security professionals are more concerned than ever about potential breaches, according to a survey released by Black Hat this week.

Respondents – 273 top security professionals – registered record levels of concern about near-term compromises of their own IT environments, as well as US critical infrastructure. Ninety-four percent said they believe the COVID-19 crisis increases the cyberthreat to enterprise systems and data, according to the "2020 Black Hat Attendee Survey." Twenty-four percent said the increased threat is critical and imminent. Vulnerabilities in enterprise remote access systems that support home workers were the chief concern (57%). Increased phishing and social engineering threats also ranked highly (51%).

In addition, nearly 90% of respondents (87%) said they believe a successful cyberattack on US critical infrastructure will occur in the next two years, up from 77% in 2019 and 69% in 2018. Only 16% believe government and private industry are prepared to respond to such an attack, down from 21% in 2019.

Seventy percent of cybersecurity pros said they believe they will have to respond to a major security breach in their own organizations in the coming year, up from 59% in 2018. Thirteen percent of 2020 respondents said such a breach is a certainty. When asked whether they have sufficient security staff to defend their enterprises against current cyberthreats, 59% said no. When asked whether they had enough budget to defend their data against current threats, a majority (56%) also said no.

While breach concerns have been high for the past several years, COVID-19 has heightened them.

"Greater dependence on cloud computing and employee-controlled/owned devices and networks will lessen the visibility and control IT and security functions rely upon to manage risk," said one survey respondent. "This is a fundamental paradigm shift that will necessitate a change in the way we manage risk, allocate already scarce resources, and deploy controls."

While resources are a major concern for security pros, many also raised concerns about current security technologies. In the survey, only 10 of 21 categories of security products were rated as "effective" by respondents. Multifactor authentication (84%), encryption (74%), and endpoint security tools (63%) received the highest "effectiveness" rating.

The security technologies rated least effective were passwords (25%), deception/honeypots (27%), and antivirus tools (31%). Cloud security providers (41%) and cloud security tools (46%) were rated ineffective by the majority of respondents.

The Black Hat survey also revealed frustration about some technologies that have been repeatedly promoted as "game changers" in security technology. When asked about artificial intelligence (AI) and machine learning (ML), for example, only 23% of survey respondents said they believe AI and ML will be game-changing technologies. Eighty-three percent said they believe the impact of AI and ML on security will be limited. Thirty percent said they believe AI and ML are discussed too much or overhyped; only 33 percent ranked them as effective.

Attitudes toward blockchain technology were even more cynical: Only 12 percent of Black Hat survey respondents rated the technology as game-changing, while 24% said they believe the technology is overhyped and unlikely to be of much use to their organizations.

Many security experts also expressed serious questions about the ability of corporations and consumers to protect the data and identity of individual users. In the survey, nearly half of respondents (45%) said they believe the consumer data stored by most corporations is highly vulnerable to attack, and that consumers should assume that their personal data has been breached.

Eighty-seven percent of cybersecurity pros said they believe that no matter how careful consumers are with their personal information, it's likely that their data and/or credentials are available to criminals online right now. Only 38% of respondents believe it will be possible for individuals to protect their online identity and privacy in the future.

Many of the survey responses also indicated that, thanks to the COVID-19 crisis, cybersecurity professionals are under more pressure than ever before. And this pressure is taking its toll – not only on enterprise networks, but on IT security pros themselves.

When asked about their current level of "burnout," in which professionals lose effectiveness because they are overstressed and oversubscribed, a majority of security professionals (53%) said they consider themselves "burned out" by their work. This figure is up significantly from 40% in 2019, suggesting that burnout is now prevalent across the industry.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...