It’s been almost a year since the COVID-19 pandemic forced many businesses to shift to remote work or even shut down. In the months since, unemployment numbers around the globe have skyrocketed. Like many sectors, the cybersecurity sector has seen increased layoffs, and the industrial control system security sector has been hit as well.
“As a result of the pandemic, what we’ve seen across the industry is sweeping layoffs and management changeover,” says Cherise Esparza, Co-Founder & Chief Product Officer & CISO at SecurityGate.io. “Resources are dispersed.”
In April, the International Information System Security Certification Consortium released the results of a survey of 256 cybersecurity professionals looking at their current work situations during the first several weeks of the COVID-19 pandemic. According to the report, 81 percent of respondents, all responsible for securing their organizations’ digital assets, indicated that their job function had changed during the pandemic.
“The goal of the survey was to take the pulse of the cybersecurity community as many of their organizations began to shift their employee bases and operations to remote work setups in March and April,” Wesley Simpson, COO of (ISC)², said in a press release. “While this was certainly not an in-depth study of the situation, it does provide a current snapshot of the issues and challenges our members may be facing during this unprecedented time. Sharing this information helps our members and other professionals in the field understand the challenges their peers are facing, and hopefully realize they are not alone, even if many of them are feeling isolated as they adjust to working from home.”
The report also indicates that 47 percent of respondents said they have been taken off some or all of their typical security duties to assist with other IT-related tasks, such as equipping a mobile workforce.
“There are now management changes that have no concept of the OT environment because oftentimes it gets consolidated under an IT leader,” Esparza says. “That’s what we’ve been seeing in the market. IT leaders are now responsible for OT security due to a changeover or restructuring of an organization. That was prolific this year. Name any of the oil and gas companies and I can tell you it happened there.”
Another 15 percent of respondents indicated their information security teams do not have the resources they need to support a remote workforce. Thirty-four percent said they do, but only for the time being. Additionally, 41 percent said their organizations are utilizing best practices to secure their remote workforce, while another 50 percent agreed, but admitted they could be doing more.
In addition to restructuring responsibilities, many organizations in the industrial control system security sector have laid off workers, putting further strain on security efforts.
“Many companies have scaled back on resources across the board, which is very problematic when it comes to efforts to protect critical infrastructure and industrial enterprises,” comments Jonathon Gordon, Directing Analyst, Takepoint Research. “Many of the teams securing industrial operations were already stretched beyond capacity. You can bet various well-funded threat actors are not going on unpaid leave. Perhaps the biggest concern, beyond the personal impact, is that the professionals being laid off and their inimitable knowledge will not be passed on and may be lost to the industry forever.”
In June 2020, security management provider Exabeam released a report looking at the effectiveness of modern security operations centers. The Exabeam “2020 State of the SOC Report” surveyed CISOs, CIOs, and security managers from around the world and covered topics including basic SOC operations, operational processes, technology, finance, and budget.
According to the report, three in four companies experienced security team furloughs and 68 percent laid off team members. Additionally, 70 percent of U.S. companies and 42 percent of U.K. businesses in the study enacted hiring freezes during March through June 2020.
Among those who have been impacted in the industrial control system security sector is ICS cybersecurity professional Isiah Jones.
“COVID-19 basically crushed most of the private sector ICS opportunities because companies started scaling down or closing operations and some even started laying folks off,” says Jones.
Prior to the pandemic Jones had been working as an ICS cybersecurity engineer. Right before COVID-19 forced many businesses to shut down, his team was pushed out and the subsequent hiring freezes and furloughs left many of them unemployed.
“Normally most of us would have landed many other places fast but [because of] COVID-19 I was unemployed and independent freelancing from March to July,” Jones says. “Then in July I got sucked back into classified government contracts that I didn’t want to get on but had to pay the bills.
“In that respect COVID-19 was more devastating than any cyber attack on ICS.”
As organizations continue to be understaffed, cyber attacks are increasing. According to the Exabeam report, 80 percent of companies overall experienced an increased number of cyber attack attempts. Additionally, one third of respondent companies were victimized by a successful cyber attack during the first half of 2020.
The Exabeam report indicates successful cyber attacks resulted in network downtime for 38 percent of U.S. companies and 40 percent of U.K. companies. Thirty-five percent of U.S. companies lost between $38,000 and $63,000, and 14 percent took losses up to $95,000. Additionally, in the U.K., 40 percent lost between £30,000 and £50,000.
Exabeam also found that in the U.S., 38 percent of respondents reported between $38,000 and $63,000 in brand reputation-related losses. In the U.K., 43 percent lost between £30,000 and £50,000. Additionally, in the U.S., approximately 30 percent of respondents reported spending between $38,000 and $63,000, and 11 percent spent up to $95,000. In the U.K., 33 percent spent between £20,000 and £40,000.
“Companies are grappling with the security fallout from an unexpected shift to remote work, but it’s business as usual for cyber criminals and foreign adversaries with unprecedented opportunity,” said Steve Moore, Exabeam chief security strategist. “The rise in attempted cyber attacks while companies experience staff reductions is a harsh reminder of the security and financial challenges created by the pandemic.”