With the imposition of social and work restrictions imposed by governments and businesses in response to the novel coronavirus COVID-19, organizations around the U.S. are coming face-to-face with the new “normal”, and it’s turning out to be anything but. From the beginning it’s been clear that the rules we have operated under for decades are changing…and the impact on businesses’ approach to risk management, will be altered for years to come. To get a better lay of the land, CSO surveyed 150 security leaders at some of the nation’s largest organizations. Here’s what we found:

We’re In This For a While
Security leaders were asked to estimate how long they believe social and work restrictions will remain in place. Their responses averaged 7.7 weeks, with those in retail/ wholesale/ distribution being more hopeful at 6.5 weeks and healthcare, as one might expect them to be, coming in the longest at 9.1 weeks. Essentially, we’re looking at a range that would see social and work restrictions remaining in place until somewhere between May 7th and Memorial Day (May 25th).

Work from Home (WFH) Has Exploded
Not surprisingly the survey found significant changes in employee work from home levels. Three months ago, 16.5% of their employees worked from home at least 60% of the time. As of March 23rd, that number had climbed to 77.7%, an increase of 4.7-fold. Notable was high tech firms grew which grew from 31.9%, to 90.2%.

While 81% expressed confidence that their existing security infrastructure could handle their employees working from home, 61% were more concerned about security risks targeting WFH employees today than they were three months ago.

How Prepared Were Businesses?
Only 54% of respondents indicated that their pandemic/resiliency plans had them prepared for the current situation. But that being said, 67% indicated that their security infrastructure was fully prepared for the range of risks associated with the new operating environment.

Time To Go Shopping?
Despite the high levels of confidence that their security infrastructures are up to the task at hand, 22% of organizations have found themselves out shopping for new security solutions/services to address the new work dynamic. Businesses least likely to be investing in new technology or services came from the same industries that identified as most prepared: financial services (12%) and healthcare (14%). Only 7% of SMB organizations (fewer than 1,000 employees) indicated that they had to make security purchases in response to the current conditions, which may indicate either a lack of visibility into their risk environments, a lack of available budget to support new investments, or a combination of both.

Attacks Are Up
As predicted by many, businesses are seeing increased attacks designed to take advantage of the uncertainty caused by the pandemic and its impact on work structure, as well as holes that might open-up with the transitioning workforce. More than 26% of organizations have seen an increase in the volume, severity, and/or scope of cyber-attacks since March 12th. Financial services have been especially impacted with 37% seeing an increase. The increase in attacks has been fairly consistent regardless of company size, with SMBs seeing numbers only slightly higher than enterprise businesses.

The Impact Will Be Felt for Years
73% of respondents believe that the impact of this pandemic will alter the way their business evaluates risk for at least the next five years. In some vertical industries, like retail, that number jumped as high as 83%. This is an issue that will radiate from financial regulators to boards of directors and so on, down the institutional food chain. Risks that were thought to have a low likelihood of occurring, will now be getting a second look and most likely some level of funding to address. Likelihood will be the number focused on when considering risk, and resiliency will be the mantra.


  • Businesses security postures will continue to be significantly impacted for the next several months as the economy continues under work and social restrictions.
  • Higher numbers of employees working from home will continue to present tempting targets for attackers, despite high level of confidence that security environments are up for the challenge.
  • Many businesses that may have been less prepared to address the current situation are finding themselves in need of security solutions/services to fill the gaps and are already moving to make those purchases.
  • The impact from the current crisis will impact how businesses evaluate and address risks for years to come.