Five Years On: Cybersecurity Lessons from the COVID-19 Pandemic


It’s been just over five years since the start of the COVID-19 pandemic – it feels both like yesterday and a lifetime ago. Although the pandemic became a catalyst for rapid change across every industry, its impact and teachings on cybersecurity in particular marked a clear point of no return.

COVID was a sea change for the security profession. Overnight, the traditional network perimeter vanished. Security models built around physical infrastructure and predictable user behaviour no longer applied, as organisations shifted from centralised office environments to dispersed home setups.

This decentralisation introduced major challenges in enforcing consistent security policies, and it dramatically increased the attack surface, both technically and behaviourally, sparking a global wave of opportunistic and targeted attacks.

In the early days of the shift to remote work, attackers were quick to exploit low-hanging fruit. Critical institutions like the NHS and universities were hit hard by attackers whilst already managing operational upheaval. The NHS was under unprecedented strain managing increasing patient numbers and logistical demands, while universities faced disruption to virtual teaching, admissions processes and online exams.

The private sector was not immune either. Major retailers like Boots and Superdrug were targeted by widespread credential stuffing attacks that compromised customer accounts. EasyJet also experienced the largest data breach in its history, with the personal information of nine million customers exposed. Attackers leveraged this data, including addresses and credit card details, to launch sophisticated phishing campaigns, a tactic that persisted throughout the pandemic.

Recruitment practices also changed dramatically. In-person interviews disappeared almost overnight, as remote hiring became the standard – something that has largely remained. Attitudes towards work evolved as well: while many embraced the benefits of flexibility, others struggled with isolation and disconnection. These human factors introduced fresh risks, from insider threats to lapses in cyber hygiene, highlighting that resilience isn’t just a technical problem, it’s a people one too. In many ways, COVID served as a wake-up call not only about threats, but about how well (or poorly) organisations were able to adapt to sudden, large-scale change.

Black swan events like COVID may be few and far between, but the need for resilience is constant, especially when we know attackers will prey on our most vulnerable, critical institutions. Simply put, the cybersecurity profession can’t afford to remain reactive. We must be proactive, strategic, and better prepared for the next disruption of this magnitude – whether that be a global health crisis or a revolutionary technology like quantum computing. This means continuing to build the skills and adaptability of our profession, not just through technical ability but through broader competencies that make us resilient to systemic disruption as much as to individual cyber attacks.

To achieve this and protect against future threats, establishing common standards of cyber competence is crucial. Cybersecurity professionals across all industries must share a common understanding of the skills, knowledge, and frameworks needed to defend against increasingly sophisticated threats. Without consistent models, the industry risks creating gaps in knowledge and expertise that attackers can exploit, particularly during times of crisis.

By defining clear competencies, from governance and risk management to security leadership and strategy, organisations can build a workforce that is agile, resilient, and equipped to face whatever challenges the future may bring. Laying this foundation now ensures that, no matter what comes next, we’ll be prepared.

As the leading professional body for cybersecurity, CIISec plays a pivotal role in advocating for these standards. Through our Skills Framework, CIISec provides a structured approach to ensure cybersecurity expertise is universally understood and consistently applied, supporting the development of a more secure and adaptable future for everyone.
