According to the 2021 Industrial Security Benchmark Study, released earlier this year by ThreatSwitch, a provider of Software-as-a-Service (SaaS) security compliance solutions, phishing and social engineering remain the biggest threats facing industrial security professionals this year. Survey respondents ranked remote employee security practices as the second leading expected threat for 2021, as many workers still have not made the transition back to the corporate office.
The survey focused on the membership of two top organizations: the National Classification Management Society (NCMS) and the Intelligence and National Security Alliance (INSA).
“Last year was a very challenging year for the defense industrial base, highlighted by unexpected risks related to the pandemic, aggressive attacks by state actors, and increasing regulatory scrutiny,” said John Dillard, CEO of ThreatSwitch, in a statement. “As evident in our survey findings, industrial security leaders expect increased budgets for 2021 and are allocating the resources necessary to address these new challenges.”
Top Risks Remain
The study found that many of the risks that were issues last year have largely persisted. Just 7% of respondents said that supply chain security posed the most risk, yet the data also showed that larger companies were far more concerned about supply chain security than smaller ones, suggesting a gap in understanding between supply chain tiers.
Intellectual property theft, which is often linked to insider threats, also remained top of mind for security professionals in 2021.
Across respondents from small to large organizations alike, phishing and social engineering remain serious issues, and employees remain the weakest link even where efforts have been made to harden internal networks. Many security professionals have warned over the past year that phishing attacks, which arrive via email, text message (smishing) and even phone calls (vishing), have been on the rise, and the ThreatSwitch findings are in line with those concerns.
Remote employee security practices were ranked the second leading threat for 2021 by the survey’s respondents. Remote work, also known as telework, increased last year because of the pandemic, and even as workers return to the office the risk of employees connecting over unsecured networks has continued.
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC), introduced in January 2020, is a Department of Defense (DoD) program that aims to measure a contractor’s capabilities, readiness and sophistication in the area of cybersecurity. While the framework incorporates existing practices and controls from standards such as NIST SP 800-171, it adds a requirement for certification by accredited CMMC Third-Party Assessment Organizations (C3PAOs) rather than relying on self-attestation alone.
The ThreatSwitch survey found that companies remain very concerned about CMMC, which has been the subject of high-profile promotion by the DoD over the last year. Because non-compliance could prevent federal contractors from bidding on new contracts, 74% of respondents said they are allocating more time and resources to CMMC compliance in 2021.
Moreover, given the growing volume and complexity of the CMMC requirements, 49% of companies surveyed said they were increasing their 2021 budget for software to better manage their security compliance program. Since CMMC requires third-party certification, respondents are also spending on people and assessments: 49% and 42% of respondents, respectively, said they would increase budgets for training and for third-party audits this year. A total of 60% of respondents indicated that the pandemic’s impact resulted in new policies and procedures.
Back to Normal – or a New Normal?
As the survey was conducted before many Covid-19 restrictions were lifted, the researchers warned that security teams should continue ongoing threat assessment and keep re-evaluating existing policies related to remote work.
Moreover, even as workers return to the office, many may continue to work remotely at least part of the time. The study’s authors wrote that “permanent changes in the work dynamics, and the associated effects on security practices, are here to stay,” and added that “manual processes and legacy technology won’t cut it.”
The new normal could further blur the lines between traditional (physical and personnel) security and information security.
“Just like every job is becoming a tech job, every security issue is becoming a cybersecurity issue,” the study authors added. “That means that technology specialists need to become better versed in policy, personnel, and physical security issues and traditional security professionals need to focus more on cybersecurity.”