Image: CROCOTHERY/Getty Images/iStockphoto

An international survey of tech professionals from the Thales Group finds some bleak news for the current state of data security: the COVID-19 pandemic has upended cybersecurity norms, and security teams are struggling to keep up. The problems appear to be snowballing; lack of preparation has led to a scramble resulting in poor data protection practices, outdated security infrastructure not receiving needed overhauls, a jumble of new systems that only make matters worse and priority misalignment between security teams and leadership.

“Survey results indicate that there is reasonable awareness of the risks present in today’s environments, but they also show that most organizations need to improve their security posture,” the report said.

SEE: Security incident response policy (TechRepublic Premium)

There’s a lot to unpack in the 28-page report, and not all of it is bad either. One bright spot is found in the growth of zero trust security, which 76% of respondents indicated is a part of their cloud security strategy. Those with a formal zero trust strategy, Thales said, are less likely to have been breached.

That single bright spot is surrounded by bad news driven by pandemic-induced changers that largely pushed infrastructure into the cloud—only 20% said that their security infrastructure was ready for the challenge. Eighty-two percent said they were concerned about the security risks that come with a remote workforce, and 44% were worried that their security systems couldn’t meet the task of effectively securing remote work.

Despite knowledge of the risks, Thales said, necessary changes that would mitigate potential threats haven’t happened. “Technologies such as encryption and multi-factor authentication (MFA) have not reached saturation levels such that the majority of applications and data are fully protected … just 55% have implemented MFA in any form,” the report stated.

Remote workforces also haven’t been given the tools they need to work securely and have largely been left using VPN connections (60%) and/or virtual desktop infrastructure (56%). The problem when these solutions are applied to entire organizations, Thales said, is that they lack the granular control needed to enforce access for multiple employee roles. “Most traditional approaches were designed for tactical use in special cases and may not have received the comprehensive reviews needed to secure a much larger user population,” Thales said.

Data security is alarmingly lacking as well, the report found: only 17% said more than 50% of sensitive cloud-hosted data has been encrypted. Only 24% of respondents said they have complete knowledge of where their data is stored, and only 45% said they have centrally-defined cloud policies.

Piling on and making matters worse is tension between security teams and leadership. Thales said that its results point to a disconnect between the C-suite, management and practitioners. “If executives don’t perceive security issues to be as severe as managers believe, there is likely to be a lack of urgency in driving security improvements.”

Staff largely consider cyberattacks to be increasing, while most managers (54%) believe they aren’t, and 60% of senior executives believing there hasn’t been an increase in scope, severity or volume of cyberattacks in the past 12 months.

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

“One of the overarching takeaways that was driven by lessons learned from the pandemic is that security strategists need to increase the agility of their security controls,” Thales concluded, adding that it isn’t just security teams that need to be responsible for making necessary changes.

“Senior executives need to ensure that they obtain a more complete understanding of the levels of risk and attack activity that their front-line staff are experiencing. They can’t make effective strategy and security investment decisions when perspectives across the organization aren’t aligned.”