When asked about changes experienced due to COVID-19, almost half (47%) of cybersecurity professionals polled by (ISC)² said they have been reassigned to IT tasks. These findings are part of the (ISC)² Cybersecurity Pulse Survey , in which 256 cybersecurity professionals shared insights on their current work situations during the first several weeks of their organizations’ response to the COVID-19 pandemic.

Reassigning cybersecurity workers appears to be one of the ways companies were, at least initially, trying to cope with the increase of employees working from home. The move comes as threat actors seek to exploit organizations’ broader attack surfaces, as many shifted to work-from-home practices. 23% of respondents say they have seen a rise in security incidents at their organizations since work from home policies started taking effect.

According to respondents, 96% said their organizations have moved at least some of their staff to remote work, and about half of them (47%) have done so for all employees. Nearly a third of respondents (32%) report that someone in their organization has contracted COVID-19.

The vast majority of cybersecurity workers (90%) responding to the survey say they are also working from home. At least some of those who still have to go into an office “would love to stay home but duty calls,” one survey respondent commented. Several respondents cited being unable to work from home because of the sensitive nature of their organization or the technical inability to fully operate remotely from home.

Staffing Changes

Cybersecurity workers who are still focused on security find themselves in extraordinary circumstances as they try to secure a distributed, remote workforce, and some worry their organizations are taking risky shortcuts.

Although fewer than one quarter of respondents (23%) say security incidents have increased, some say incidents have surged by as much as 100% – a clear indication threat actors are trying to exploit the new work practices necessitated by the pandemic.

The number of incidents reported is higher at companies where respondents say cybersecurity professionals have been reassigned. Among the 47% of respondents that have been reassigned to IT tasks, nearly one third (30%) say security incidents have increased, compared to 17% where resources have not been shifted and security professionals remain focused on their core responsibilities.

In addition, of the respondents who were reassigned to fill IT duties, 22% say their organizations lack adequate resources to support a remote workforce, compared to just 10% where reassignment has not happened. In organizations with reassignments, 30% of respondents feel their organizations are using best practices to secure their remote workforce, compared to 51% at organizations without reassignment.

Where no reassignments have taken place, 87% of respondents say their organizations view security as essential, compared to 74% at companies with reassignments. This finding suggests that cybersecurity workers who have not been pulled away from their normal duties are more confident in their organizations’ commitment to security.

Best Practices vs. Expediency

Overall, 81% of respondents indicate their organizations view security as an essential function, and an even greater number (92%) say their organizations are using best practices in securing their remote workforce. Still, the survey found that half of respondents believe their companies could do more to secure remote workers.

In response to an open-ended survey question about the challenges their organizations are facing, poll participants articulated a number of concerns. The main theme emerging from those concerns boils down to this: Some are concerned that expediency in setting up the connectivity for remote workers may be overriding security concerns.

“Security at this point is a best-effort scenario,” said one respondent. “Speed has become the primary decision-making factor. This has led to more than a few conversations about how doing it insecurely will result in a worse situation than not doing it at all.”

Another respondent says companies are rushing to implement VPN, remote access and collaboration tools without due diligence or taking security into account. Yet another said: “IT wants to relax security controls without due process and analysis, and the times we are in are exactly the WORST time to do that.”  

Other challenges expressed by respondents include management prioritizing other parts of the business over security and the lack of equipment to support remote workers. One respondent summed up the situation grimly: “COVID-19 hit us with all the necessary ingredients to fuel cybercrime: 100% work from home before most organizations were really ready, chaos caused by technical issues plaguing workers not used to WFH (work from home)… temptation to visit unverified websites in search of up-to-the-minute information, (and) remote-workforce technology supported by vendors driven by ‘new feature time to market’ and NOT security.”

The results of the survey will be discussed at 1:00 p.m. EDT today (April 28) on an (ISC)² webinar with cybersecurity experts offering their own insights on how the situation has affected their teams. Please register and join us for the discussion.

Results presented are from an online survey conducted by (ISC)² in April 2020. The total respondent base of 256 global cybersecurity professionals are responsible for securing their organizations’ digital assets. This survey response sample should not be viewed as statistically representative of the entire cybersecurity workforce. It is intended to share insight with the profession and facilitate sharing best practice and lessons learned during these unprecedented times.