Confidence levels in securing the election are low, and declining, according to an ISACA survey of more than 3,000 IT governance, risk, security and audit professionals in the US.
While federal, state and local governments continue to harden election infrastructure technical controls and security procedures, 56 percent of respondents are less confident in election security since the pandemic started—signaling the need for greater education of the electorate and training of election personnel to drive awareness and trust.
Respondents say they believe that funding, legislation, technical controls and election infrastructure are all inadequate, including 63 percent who are not confident in the resilience of election infrastructure, and 57 percent who believe that funding is not sufficient to prevent hacking of elections.
Top threats to election security
Respondents identified the following as the top threats to election security:
- Misinformation/disinformation campaigns (73%)
- Tampering with tabulation of voter results (64%)
- Hacking or tampering with voter registration rolls (62%)
- Hacking or tampering with voting machines (62%)
The combination of low confidence and high perception of threats requires a call to action, according to retired Brigadier General Greg Touhill, ISACA board director and president of the AppGate Federal Group. “The overwhelming majority of localities have sound election security procedures in place, but the public’s perception does not match the reality.”
“This means that governments, from the county level on up, need to clearly and robustly communicate about what they are doing to secure their election infrastructure. As the study indicates, the most real threat to the election—impacting all candidates from all parties—is misinformation and disinformation campaigns.”
How to ensure voter confidence and accountability
The survey found that respondents believed the following actions could help ensure voter confidence and accountability:
- Educating the electorate about misinformation (65%)
- Using electronic voting machines with paper audit trails (64%)
- Increased training for election and election security personnel (62%)
The cybersecurity landscape is constantly evolving, and even more so during this time of disruption. According to ISACA’s survey, most respondents believe that their enterprise will be hit by a cyberattack soon – with 53 percent believing it is likely they will experience one in the next 12 months.
Cyberattacks continuing to increase
The survey found cyberattacks are also continuing to increase, with 32 percent of respondents reporting an increase in the number of attacks relative to a year ago. However, there is a glimmer of hope—the rate at which the attacks increase is continuing to decline over time; last year, just over 39 percent of respondents answered in the same way.
While attacks are going up—with the top attack types reported as social engineering (15 percent), advanced persistent threat (10 percent) and ransomware and unpatched systems (9 percent each)—respondents believe that cybercrime remains underreported.
Sixty-two percent of professionals believe that enterprises are failing to report cybercrime, even when they have a legal or contractual obligation to do so.
“These survey results confirm what many cybersecurity professionals have known for some time and in particular during this health crisis—that attacks have been increasing and are likely to impact their enterprise in the near term,” says Ed Moyle, founding partner, SecurityCurve.
“It also reveals some hard truths our profession needs to face around the need for greater transparency and communication around these attacks.”
Security program tools
Among the tools used in security programs for fighting these attacks are AI and machine learning solutions, and the survey asked about these for the first time this year. While these options are available to incorporate into security solutions, only 30 percent of those surveyed use these tools as a direct part of their operations capability.
The survey also found that while the number of respondents indicating they are significantly understaffed fell by seven percentage points from last year, a majority of organizations (62 percent) remain understaffed. Understaffed security teams and those struggling to bring on new staff are less confident in their ability to respond to threats.
Only 21 percent of “significantly understaffed” respondents report that they are completely or very confident in their organization’s ability to respond to threats, whereas those who indicated their enterprise was “appropriately staffed” have a 50 percent confidence level.
Cybersecurity hiring and retention
The impact goes even further, with the research finding that enterprises struggling to fill roles experience more attacks, with the length of time it takes to hire being a factor. For example, 35 percent of respondents in enterprises taking three months to hire reported an increase in attacks and 38 percent from those taking six months or more.
Additionally, 42 percent of organizations that are unable to fill open security positions are experiencing more attacks this year.
“Security controls come down to three things—people, process and technology—and this research spotlights just how essential people are to a cybersecurity team,” says Sandy Silk, Director of IT Security Education & Consulting, Harvard University, and ISACA cybersecurity expert.
“It is evident that cybersecurity hiring and retention can have a very real impact on the security of enterprises. Cybersecurity teams need to think differently about talent, including seeking non-traditional candidates with diverse educational levels and experience.”
A surprising 51 percent of technology professionals and leaders are highly confident that their cybersecurity teams are ready to detect and respond to rising cybersecurity attacks during COVID-19, according to ISACA. Additionally, 59 percent say their cybersecurity team has the necessary tools and resources at home to perform their job effectively.
This presents a problem, as 58 percent of respondents say threat actors are taking advantage of the pandemic to disrupt organizations, and 92 percent say cyberattacks on individuals are increasing.
Remote work increasing data protection and privacy risk
While 80 percent of organizations shared cyber risk best practices for working at home as shelter in place orders began, 87 percent of respondents still say the rapid transition to remote work has increased data protection and privacy risk.
“Organizations are rapidly and aggressively moving toward new ways of doing business during this time, which is a very positive thing, but it can also lead to making compromises that can leave them vulnerable to threats,” says ISACA CEO David Samuelson.
“A surge in the number of remote workers means there is a greater attack surface. Remote work is critically important right now, so security has to be at the forefront along with employee education.”
More than 3,700 IT audit, risk, governance and cybersecurity professionals from 123 countries were surveyed in mid-April to assess the impact of COVID-19 on their organizations and their own jobs.
Concerns about the wider impact
Most of these professionals believe their jobs are safe. Ten percent think a job loss is likely and 1 percent have been furloughed. However, while their own positions are stable, respondents are still extremely concerned about these wider impacts of the novel coronavirus:
- Economic impact on my national economy (49 percent)
- Health of family and friends (44 percent)
- Personal health (30 percent)
- Economic impact on my organization (24 percent)
The negative effects
While respondents report being highly satisfied with their organization’s internal communications, business continuity plans and executive leadership related to COVID-19, their organizations have not been able to avoid the negative effects, including:
- Decreased revenues/sales (46 percent)
- Reduced overall productivity (37 percent—more executives than practitioners think this is the case)
- Reduced budgets (32 percent)
- Supply chain problems (22 percent)
- Closed business operations (19 percent)
The majority of respondents expect normal business operations to resume by Q3 2020.
“It’s hard to predict what ‘normal’ will look like in the short term,” said ISACA CTO Simona Rollinson. “What we do know is that tech professionals, including the IT audit, risk, governance and security professionals in our community, are more necessary than ever to their enterprises, and they are well-positioned to adapt and even thrive, regardless of what changes may be in store.”
Security incidents are only growing in number—according to ISACA’s 2019 State of Cybersecurity survey report, part 2, 46 percent of respondents believe that their enterprises are experiencing an increase in attacks relative to last year.
In light of this, incident management programs are more important than ever, and with ISACA’s newly launched Security Incident Management Audit Program, audit professionals now have the tools to more effectively evaluate incident management programs and achieve greater assurance.
The audit program covers the process areas of security incident management programs and clearly outlines process sub-areas—such as detection and analysis, forensics, and change management during program implementation—as well as control objectives, controls and testing steps in a customizable spreadsheet. The audit program examines assurance across areas such as:
- Program design and implementation—Exploring processes including risk analysis; awareness and training; detection and analysis; and containment, eradication and recovery
- Tools and technologies—Covering areas such as software, vulnerability assessments, and configurations of workstations and servers
- Reporting best practices—Including reports and escalation documents, as well as a formal process for root cause analysis
- Lessons learned—Factoring in steps such as a protocol for post-incident reflection
“Security incidents not only result in added expenses, but can damage a company’s reputation—so enterprises need to ensure that security incident management programs are effective,” said Beverly Thomas, CISA, expert reviewer for the audit program, and Senior Manager, Internal Audit, UMWA Health & Retirement Funds.
“Having an organized audit program to assess these programs is an important part of driving their success.”
Cybersecurity teams continue to struggle with hiring and retention, and very little improvement has been achieved in these areas since last year, according to ISACA.
Understaffed and lacking diversity
ISACA’s 2020 State of Cybersecurity survey report, unveiled at RSA Conference 2020, finds that enterprises are short-staffed, have difficulty identifying enough qualified talent and don’t believe their HR teams adequately understand their hiring needs.
Additionally, while slight progress is reported in increasing the number of women in cybersecurity roles and in establishing diversity programs, most cybersecurity teams still indicate they have significantly more men than women, and most report that progress is minimal.
“Cybersecurity jobs are in huge demand but, as many organizations are all too aware, it continues to be a real struggle to find the right candidates with the right skills and experience to meet the demands of these roles,” says retired Brigadier General Greg Touhill, ISACA board director, and President of the AppGate Federal Group.
“Better understanding these skills gaps and issues with hiring and retention can help the industry more effectively drive innovative strategies and tactics to address and overcome them.”
Cybersecurity hiring and retention problems: Key findings
- 62% say their organization’s cybersecurity team is understaffed; 57% say they currently have unfilled cybersecurity positions on their team.
- 72% of cybersecurity professionals believe their HR departments do not regularly understand their needs.
- 58% of respondents anticipate an increase in cybersecurity budgets, an increase of three percentage points from last year, but less than the 64% reported two years ago, signaling that spending may be leveling out.
Finding cybersecurity staff with the right skillsets continues to be difficult. Only 27% say that recent graduates in cybersecurity are well-prepared. They also noted the top five skills gaps as being soft skills (32%), IT knowledge and skills gaps (30%), insufficient business insight (16%), cybersecurity technical experience (13%) and insufficient hands-on training (10%).
Once teams achieve the difficult task of finding the right professionals, they then struggle to retain them, with 66% saying it’s difficult to retain cybersecurity talent. They cite the main reasons for staff leaving as recruitment by other companies (59%), limited promotion and development opportunities (50%), poor financial incentives (50%), high work stress levels (40%, a 10-percentage point increase from the year prior) and a lack of management support (39%).
Organizations have been making slight progress in putting diversity programs in place, with 49% of respondents indicating that they have these programs—an increase of five percentage points from last year. Sixty-four percent indicate some progress toward increasing the number of women in cybersecurity roles, though only 13% say that progress is significant.
“Diversity in this field is crucial—not only in order to bring in qualified, skilled talent, but also to ensure that different viewpoints are reflected in cybersecurity teams,” says Brennan P. Baybeck, ISACA board chair; vice president and CISO, customer services, Oracle.
“Even with slight advances being made, it is clear that more significant progress is needed to increase diversity in cybersecurity, including representation of women in these roles.”
Today, technology fits into the palm of our hand. We have become accustomed to turning to it to find all sorts of answers to everyday challenges such as where to eat, where to shop, what to watch on our favorite streaming service, or even when to sleep. Technology has weaved itself into the very fabric of our lives, and many of us would be lost without it. Just as new apps get replaced by old …