08 July 2021

Cybersecurity Lessons from the Pandemic

Synack

Renewed Focus on Vendor Security

As we noted in our previous blog post, Cybersecurity Trends & Insights from the Pandemic, the operational chaos of last year not only accelerated a number of cybersecurity trends but also elevated the importance of vetting secure vendors and the trust that goes hand in hand with each partnership.

We also found that training employees in cybersecurity best practices and integrating security more tightly into the development cycle stalled in 2020 as companies shifted priorities to adapt to the new norm and conduct business as usual, according to the 2021 Signals in Security report.

The urgency around many of these critical security efforts, unfortunately, slowed down last year as the pandemic and remote work took precedence, according to the vast majority of security professionals who responded to the survey. During that period, compliance issues and shifting security became less of a priority than in previous years.

But the pandemic didn’t upend every security priority. Finding and fixing vulnerabilities is still the No. 1 concern, with 75% of respondents saying it was an “extremely urgent” or “very urgent” priority.

And being perceived as a secure vendor became the second most urgent priority in 2021. Pre-pandemic, a greater portion of respondents considered fixing vulnerabilities (48%) and maintaining status as a secure vendor (43%) to be extremely urgent, compared to 37% and 31% in 2021. The decline is yet another indication of the shifting security priorities during the pandemic. Remote workers may also have focused more on securing their own devices in 2020 rather than considering the company as a whole.

When it comes to security testing, the Signals in Security Report showed that despite a drop in urgency, it remained a top priority. When ranking the importance of testing, 88% said it was extremely or very important in 2021 compared with 97% last year. At the same time, however, attack surfaces have grown and hacking activities have increased.

Recent hacks have shown that testing should remain a top priority, especially in tumultuous economic periods such as the pandemic. This is especially true after the supply-chain attacks, such as Colonial Pipeline and JBS, that have led to widespread business disruptions. Furthermore, in December 2020, companies and the US government warned of a supply-chain attack using SolarWinds’ Orion remote management software that compromised more than 18,000 businesses and government agencies. Early in 2021, a zero-day attack on Microsoft Exchange servers, which reportedly impacted 30,000 organizations, led to additional compromises.

With the recent supply chain attacks, security teams should renew efforts to integrate cybersecurity throughout the entire business process. Security should be incorporated into the due diligence of third-party relationships, and security testing should be part of the onboarding of third-party applications.

Read more about these insights in the 2021 Signals in Security Report. Click here to download the full report.