Impact of Covid-19 on the UK Information and Cyber Security Market
The pandemic has been a key catalyst for companies to embrace remote working and accelerate their digital transformations. As a result, organisations have increased investment in technology infrastructure, the cloud and digital services to facilitate better communication amongst their scattered workforces.
This report provides clarity on the rapidly changing security landscape. We offer insight into how seismic changes in remote working have impacted organisations and their security functions, including the ways in which they allocate budgets and adapt to cybercrime increases. We also identify the technologies and trends that will affect the particular skillsets required as businesses evolve.
How Has the Pandemic Affected Information and Cyber Security Across Industries?
As a result of lockdown, business operations have transformed, becoming more interconnected and mobile than ever. To avoid being exposed to greater security threats, most industries adapted quickly to widespread remote set-ups.
However, despite valiant efforts to adapt and improve security measures, cybercrime has been increasingly prevalent across industries.
A recent phishing activity trends report for Q1 2020, compiled by the Anti-Phishing Working Group, breaks down the most targeted industries as follows:
Furthermore, ransomware proliferation continues to threaten networks. According to PwC, over 150 organisations globally saw their data published on leak sites by May 2020.
Covid-19 clearly provided fertile ground for cybercrime; 60% of the organisations privy to these attacks state they occurred after 11 March 2020, when the World Health Organization first declared the novel coronavirus outbreak to be a pandemic. Significantly, 80% of these leaks occurred after 23 March, once the lockdown had commenced in the UK. Principal issues that cause the fabric of cybersecurity to become compromised include:
- A lack of cyber awareness training in-house
- Inadequate equipment
- Weak Wi-Fi with poorly secure connections
- Businesses in a state of flux prioritising restructuring
- A lack of cybersecurity expertise in-house
- Neglecting regulatory framework
Changes in Information and Cyber Security Recruitment Since Lockdown
Methodology for recruiting in the security sector
As business requirements change, the recruitment process has adapted simultaneously. During the lockdown, the recruitment and onboarding process was fulfilled virtually. One of the benefits of hiring using a virtual recruitment process is the increased availability of both candidates and hiring managers to attend interviews.
Recruiting in a challenging market is no easy task. Time spent recruiting in-house amid a hectic work schedule often proves time-consuming for hiring managers and HR alike, particularly when cyber security talent is not easy to identify, attract and retain.
During the lockdown period, any roles that were approved to hire were typically business and time critical. Using specialist information and cyber security recruitment agencies was often advantageous in these circumstances, as they are able to screen and deliver the best candidates in a shorter timeframe.
There has been a noticeable increase in the number of organisations deciding to make their first full-time information security hire, which further supports the view that businesses are more willing to invest in an internal security function. There are many benefits to this versus completely outsourcing security; however, many of these organisations are unrealistic in their expectations of what an information/cyber security role will cover and the salary budget they should allocate.
Unfortunately, this results in these roles not being filled and a much more painful recruitment process for all parties involved. Common problems include unrealistic expectations, candidates not being motivated by the job description, a mismatch between the breadth and depth of expertise required for the package offered and clients becoming disillusioned as they are not able to make the hire in the desired timeframes.
Barclay Simpson offers the following pieces of advice for hiring cybersecurity professionals during this period:
- Consider that information and cyber security spans all aspects of your business.
- If it’s your first security hire, responsibilities can be vast, be careful not to make the required specification three roles in one, with an impossible ‘wishlist’.
- Decide in advance where the role sits and reporting lines
- Clarification on the role specification, and core competencies will enable you to recognize top talent for your business.
- Spend time at the beginning of the process aligning all stakeholders to the job specification, process and hire.
- Now more than ever, every hire is scrutinized at all levels – it is important to get it right first time.
Security and staffing budgets
In response to the pandemic, there has been a visible increase in information security budgets and expenditure. According to a recent Microsoft report, 58% of business leaders increased their budget spend. Meanwhile, 22% of companies decreased their annual budgets by over 25%, and 19% saw no change. Source: Microsoft Security blog
While worldwide spending on Information Security and Risk Management technology and services will not contract, the growth in sectoral spending will be incremental at best, with overall spending rising from $120.9 billion in 2019 to $123.8 billion in 2020. This cost is far lower than the total cost of data breaches, reaffirming that cyber security budgets are likely to continue to increase. Taking risks and investing in transformational innovations is paramount to a business’s success, particularly during times of crisis. The spike in remote working during lockdown has widened organisations’ attack surfaces, which has resulted in a slow upturn in demand for roles within cyber security. According to a government report released in March, high proportions of UK businesses lack staff with the skills needed to manage their cyber security.
In regard to the geographical scope for these skills shortages, demand for information and cyber security professionals has been maintained within central London but has significantly increased across regional areas. Vacanysoft data, released in June, shows that regions such as Yorkshire and the North East have become the second largest region for vacancies in the country so far, with YoY volumes increasing by a whopping 138%.
Which Key Security Skills are in Demand?
Cyber-attacks are now occurring at a faster rate than ever before due to a marked rise in virtual activities since the Covid crisis began. As workers and shoppers move online in larger numbers, companies and brands’ systems become increasingly attractive to cyber criminals. Source: Gartner Research
The daily running of a business requires comprehensive protection of a tremendous amount of information, so despite a slump in the UK’s economic growth, cyber security specialists remain in high demand. Source: Gartner Research
Job postings declined overall from February to April 2020, but demand for information and cyber security roles continued across both the US and UK during this period. Big banks, technology giants and niche information security firms helped drive postings up 65% in the US and more than 5% in the UK.
Fluctuations in demand for information security roles in 2020
The following roles have increased in demand during and after the lockdown:
- Security Architects
- Security Engineers
- SOC Analysts
- Incident Response and Forensics Specialists
The following roles/skills will experience an increase in demand over the course of the next 12 months as a result of the changing threat landscape as more companies move to a more agile working model:
- Security Awareness Specialists
- Controls and Assurance Specialists
- Data Privacy
The boomerang demand for information security
- An influx of roles in January, prior to the pandemic announcement in March.
- January saw an unusually high demand in recruiting for information security roles across the UK, while February’s figures represent a more ‘normalised’ demand.
- A decline followed for the duration of lockdown, dropping to its lowest point in May
There was a significant dip in roles in May which was largely due to uncertainty surrounding whether a remote or hybrid working model would continue to prevail once measures were lifted. Businesses were also operating under budget constraints; the pandemic disrupted global supply chains and production, forcing businesses of all sizes to limit spending to survive. Naturally, clients also tried to utilise in-house talents to plug key skills gaps.
For the duration of lockdown, some businesses took stock and assessed client activities, projecting demand, profit and loss, revenue forecast and product offerings.
From June, the data illustrates acceleration in the demand as the lockdown measures relaxed and businesses prepared strategies for the future. With confidence in the virtual hybrid working model, we expect to see a continuation in demand for information security roles.
The industries with stringent compliance regulations, such as the financial services sector, ‘weathering the storm’ more effectively due to the resilient security measures they already required.
Information Security Governance, Risk & Compliance
- The financial services sector’s security demand is less volatile (likely due to the inherent nature of the regulations it is bound by and the maturity of its risk posture.)
- May was the lowest point, notably the upswing in July saw just under double the amount of roles advertised than in May
- In August, there was an inevitable slump due to seasonality. However, in September, these types of roles rebounded as expected, most notably in the commerce sector which saw a significant increase in demand as companies accepted the longer term changes to the risks they face
- Most significant growth areas are Controls Assurance and Third-Party Risk Management.
Security Operations/Incident Response
- Since May, the demand for Security Operations and Incident Response roles has steadily increased
- The number of direct roles advertised has now bounced back above pre-Covid levels in the commerce market, reflecting increased investment as companies accept breaches are a matter of ‘when’ not ‘if’
Many organisations have historically outsourced this activity - and continue to do so. However, the rise in demand indicates businesses may now also have more of an appetite to build their own capabilities in-house.
Security Engineering and Architecture
- Financial services hiring trends over past 6 months, show limited fluctuations throughout.
- The financial services industry is well known for its investment in security, whether it be the teams or the technologies they use. Most have been working flexibly for some time now, with cloud migration and digitisation programmes having been rolled out for several years already.
- In general terms within the commerce sector, security has not had the same level of buy-in at board level over the years, and therefore has not had comparative investment. This left several organisations in a difficult situation when the pandemic hit.
YOY comparative data from January to September 2019 and 2020.
Despite the pandemic striking this year SOC and Incident Response functions experienced stronger YOY demand across both financial services and commerce.
Security in an Accelerated Digital World
An overwhelming majority (96%) of decision-makers at UK businesses say the Covid crisis has sped up their digital transformation plans. Of these, two-thirds claim it has done so ‘a great deal’, although the impact varies between industries. Source: Twilio Report
While many organisations started their digital transformation journey pre-pandemic, Covid has created far greater urgency to move away from legacy systems. Robust information and cyber security can and should play an important role as an enabler during these transitions.
How has security enabled digital transformation?
The digitisation of business processes is a double-edged sword. Organisations across all sectors are leveraging technology to benefit from reduced costs, streamlined efficiencies and optimised services. However, they must work hard to stay ahead of shrewd cybercriminals who are skilled at exploiting security weaknesses.
Fortunately, there are tools and software that can help close these gaps and facilitate digital transformation.
- Encryption: Protects data both at rest and during transit.
- Authentication: Ensures that access controls are robustly applied. Dual factor and multi-factor authentication (MFA) offer the strongest protection. According to Forbes, the top security investment made during the pandemic was MFA.
- Identity and access management: A well-established framework of policies and technologies should underpin how organisations control who has appropriate access to data and IT resources.
- User and entity behaviour analytics (UEBA): These platforms use machine learning and algorithms to establish when users deviate from their normal work patterns, helping to identify malicious behaviour.
- Endpoint detection and response (EDR): EDR tools continually monitor and collect data from endpoint devices so that threats can be automatically identified and contained.
Moving to the cloud
The shift to flexible working arrangements has resulted in more businesses transitioning to cloud platforms.
As worldwide lockdowns commenced, cloud infrastructure spending surged throughout the second quarter of 2020, figures from Canalys show. Total expenditure climbed $3.5 billion, a 31% increase from the previous three-month period.
Azure, Google Cloud, Amazon Web Services (AWS) and Alibaba Cloud remain the key players in the market, collectively receiving nearly two-thirds (63%) of all cloud spending during Q2. AWS is currently the most dominant force, with a sizeable 31% market share. Source: Canalys report
Inevitably, homeworking trends have also reinforced the need to strengthen cloud security measures. Cloud access security brokers, cloud workload protection platforms and cloud security posture management are now expected to account for 39% of all cyber security investments by the end of 2020, according to a recent poll of security leaders by Microsoft.
Preparing the workforce for digital transformation
Alongside adopting new technologies, security leaders are rolling out security awareness campaigns and training in-house to educate employees on best practice to curb the greater number of data breaches and attacks that will undoubtedly come with more digitised environments. Security training increases vigilance and raises awareness of potential threats, embedding a security-first culture that will permeate as a company matures.
Whilst this is by no means a new concept, it is one which, until now, many security leaders had struggled to implement effectively due to a lack of support and backing from the board. According to Infosec Magazine, 90% of UK data breaches in 2019 were due to human error. This emphasises the importance of security awareness and getting the basics right first and foremost, as technology alone will not resolve this challenge.
The New Normal: The Impact of Remote Working on Security
Two-thirds of businesses believe the technologies they implement now to help navigate Covid-19 will go on to form the essential foundations for permanent remote working opportunities. Source: Twilio report
Some industries are more optimistic than others; while 80% of technology leaders see remote working as pivotal to their future, fewer financial services professionals are convinced (60%). Nevertheless, security is going to play a critical role in establishing the long-term possibilities of remote working.
Security and risk management leaders have invested in technology that removes the business network location. This type of network eliminates implicit trust, taking precautions on security every step of the way. There is identity-based trust criteria, rather than assuming everything behind the firewall is safe. Most organisations are transitioning from an existing network infrastructure into a Zero Trust security framework. With this model, every data access request is fully verified, authorised, and encrypted before it is accepted.
The image below illustrates how all of these components work together in a Zero Trust model
Different Zero Trust technologies include MFA, single sign-on, campus network segmentation, software-defined perimeter access, and micro-segmentation. According to TechRepublic research, based on IT leaders’ reports, MFA and single sign-on are the most popular technologies used today. Source: Tech Republic
Although working with Zero Trust Network Access is deemed one of the most secure ways of working, there are alternatives, including exposing web applications through a reverse-proxy-based web application firewall (WAF).
Leaving legacy systems behind
The pandemic has re-emphasised to companies that outdated computer systems, aside from posing inherent security risks, are cumbersome and can impede business progress. The general consensus is that budgets are being squeezed, but more organisations are realising the true importance of retiring their legacy systems and investing in new software.
It is of paramount importance when phasing out a legacy system that companies follow a strategic approach. Data migration has to be planned correctly to comply with data protection legislation, meaning legacy systems must be handled as part of a security protocol to ensure no regulations are breached. However, successful workforces cannot rely solely on implementing a remote working model with resilient security. There is also an urgent need to reskill workforces and continue the journey of building a culture of security awareness.
As the way we work has changed, so too has the way we communicate. Uptake in the new communication and collaboration tools that are driving the digital economy can also put companies at risk. Messaging apps are being used more frequently, and how we interact with customers and colleagues has changed considerably.
It’s important to stay close to employees and customers and understand which channels they are using, as this will provide insight into what platforms people are adopting. With a multitude of different channels becoming popular, businesses need to be mindful and secure; they should raise awareness and stay ahead of potential risks as they emerge.
Many operations have repurposed during the pandemic, meaning the roadmaps organisations create now are likely to be followed for years to come. Humans like familiarity and the working patterns developed in the formative stages of remote working are likely to continue.