PrivSec Report identifies nine major themes we expect to be talking points in the new year in the world of cybersecurity
1. Remote working will be here to stay
The battle over encryption perhaps symbolises the push-pull between privacy, safety and pragmatism, and nowhere has this been more evident in 2020 than in the battle to track and stop the spread of Covid-19.
The battle has been waged on the security side too, and as huge numbers of employees shifted to home working, gains in health-related safety have been met with a dramatic rise in cyber crime. Phishing and ransomware attacks have rocketed as attackers capitalised on a transformed threat landscape: hastily assembled remote network access, weak home office networks and infrastructure, often on personal, shared devices. Employees have effectively become third-party risk vectors, operating outside the corporate perimeter.
“As it takes organisations an average of 207 days to identify a data breach, I expect many organisations will already have been successfully breached due to the sudden vulnerabilities appearing in their defences, and it will only be later down the line, after the damage has been done, that they are made aware of the attack and its magnitude,”
Camilla Winlo at DQM GRC
With the pandemic not yet on the wane, cyber attacks will persist, and companies will have to keep evolving how they protect their networks and maintain endpoint visibility and control, shoring up the weaknesses created by the need to adapt at speed, for example by adopting new, less-tested apps, which may have meant security compromises along the way.
If 2020 was about executing the disaster recovery plan, 2021 will be about the next phase: ensuring sustainability and solidifying security for the long term.
2. The threat landscape will get darker, with new forms of ransomware emerging
Phishing and ransomware in particular have been the story of 2020, and these threats are set to continue into 2021 as the modus operandi of hackers evolves to exploit the geopolitical environment and the way we live and do business. Ransomware in particular is dominating the conversation among security specialists, and the stakes are rising, as hackers have shown a willingness to exploit the pandemic and turn their sights on healthcare facilities, sometimes with devastating results.
Stuart Reed, UK Director at Orange Cyberdefense predicts that the picture “will get darker”: “The conundrum of ‘to pay or not to pay’ is still rife, and unscrupulous criminals are exploring new revenue opportunities to extort money,” he says.
In October, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning organisations of the risks – potentially including civil penalties – of paying ransomware demands, particularly if the attacker is sanctioned or has a sanctions nexus.
It said: “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
It added: “… ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”
Reed echoes this advisory, predicting that “The question will therefore broaden in 2021 – it’s not just about if the organisation will get their data back if they pay, it is also if they will get exclusive use of their data. Ransomware is a criminal activity and the primary driver is extorting money – there is nothing to stop these criminals using the data any way they can for commercial gain, and this includes selling it more than once.”
He recommends that organisations in 2021 encrypt their data, so that any copy an attacker exfiltrates is useless to them, and keep regular backups, alongside education and early detection techniques.
Attacks on healthcare providers and healthcare-related research institutions will likely continue – preying on our greatest fears and concerns at the micro level, and seeking useful or saleable information at the macro level. This has been evident in the recent spate of Covid-19 vaccine-related incursions, such as the hack of the European medicines regulator, the European Medicines Agency (EMA), which is assessing the Pfizer and BioNTech vaccine for possible use in Europe.
Be they sophisticated nation-state attackers or opportunist criminals, hackers will continue to identify and exploit the soft underbelly of civil, public and corporate life, both in the targets they select and the techniques designed to reel in victims. This only serves to underscore the importance of viewing threats not just through the lens of technical mitigation, but through a behavioural and cultural one also.
Ongoing threats to organisations in 2021 include business email compromise, deep fake campaigns, and 5G-based attacks.
3. There will be growing realisation of the risks posed by the Internet of Things
As many employees remain based in the home, risks to corporate infrastructure in 2021 will come from the most unlikely places – the fridge, a baby monitor, or even the family car. As connected devices increase in popularity around the home, the Internet of Things (IoT) will continue to be a security and privacy weak spot, as poorly protected devices hoover up data.
Nigel Thorpe, Technical Director at SecureAge Technology, argues that IoT devices in the home should be more widely recognised as a back door to the corporate network – but won’t: “The growth of connected devices from smart light bulbs to digital assistants can give cybercriminals access to home networks. From there, the jump to an employee’s laptop and into the corporate network is relatively easy. But IoT security is still woeful and is not going to change anytime soon,” he said.
But despite much pessimism over the likelihood of IoT vulnerabilities being solved any time soon, regulatory moves are afoot. Earlier this year, the UK government completed its consultation on regulating IoT security. In December, President Donald Trump signed into law the “Internet of Things Cybersecurity Improvement Act of 2020,” establishing security standards for Internet of Things (IoT) devices owned or controlled by the Federal government, which could have trickle-down implications for the consumer sphere.
“I predict that companies will focus on data security by design to build in the data security protections and the ability to comply with data privacy requirements in their products and services. This will be driven by the new Federal IoT Cybersecurity law which applies to IoT devices purchased by the government and which will de facto set the standard for IoT data security in the US,”
Winston & Strawn’s Sheryl Falk
4. 2021: the year of security by design?
The traditional model of software application security saw security considered separately from the software development process, with a single group given responsibility for the security of all applications built by an organisation.
“Time has shown that this approach results in a slow, frustrating process. Security and development organisations end up at loggerheads, and the end result is applications that are hardly more secure and are slower to market,” says Jonathan Knudsen, Senior Security Strategist at Synopsys.
He argues that this model should be buried for good next year, in favour of an “Application Security 2.0” in which security is automated, integrated and “baked into every phase, from design through implementation all the way to maintenance”, with security teams providing expertise and support rather than acting as a gate. This will result in “safer, more secure, better products,” he says.
A DevSecOps approach, where software development, testing and deployment “compress the release cycle and deliver software continuously”, will also grow in popularity, adds Asma Zubair, Senior Manager of IAST Product Management at Synopsys.
5. Continued acceleration to the cloud
Covid-19 accelerated the digital transformation already underway in many businesses, as necessity caused a widespread move to the cloud in order to support remote working – a trend certain to continue into the new year as remote workers show no signs of returning to the office.
“It forced companies to step outside their comfort zone and become more agile. I predict this will continue for the long term, with more and more companies who have on-site servers — or even hybrid environments — migrating operations to the cloud,”
Brian Fox, CTO and Co-Founder of Sonatype
The flexibility of cloud is especially appealing, as it “transforms large upfront capital expenditure into relatively digestible operational expenditure on an ongoing basis,” adds Derek Taylor, lead principal security consultant at Trustwave.
But the move to the cloud is not without risk, as configuration issues could result in outages, such as the one AWS experienced at the end of November. Depending on the cause and nature of any cloud configuration problem, even a seemingly small issue can create disruption for many businesses and users, impacting productivity and potentially exposing data.
More and more companies could blend on-site servers, hybrid environments, and multi-cloud solutions to help protect against such outages.
More cloud, and the flexibility it offers, doesn’t necessarily equal more security. Organisations must evolve their compliance, regulatory and audit processes from an on-premises model to a cloud model, avoiding the temptation to simply “lift and shift”. No longer having direct control of data leaves organisations dependent on service providers, and when issues hit, those service providers could find themselves overwhelmed. In addition, complete dependence on one provider could prove a risk to data integrity and availability, meaning that using a different provider for backups, or backing up locally, could be wise: even a small risk can prove catastrophic when replicated across multiple customers.
And organisations should always be mindful of their end of the shared responsibility model, ensuring that they have identified any responsibility gaps and shored them up.
“I predict that in 2021, we’re going to see more and more cloud adoption to facilitate the new ways of working. The problem associated with that is that we see an awful lot of businesses thinking that because they’ve outsourced all of their IT to their cloud provider, they assume they’ll take care of security – however this is not true. Under GDPR and UK law, the business remains accountable and responsible for data privacy and security, irrespective of the use of third parties, including cloud providers,” says Taylor.
“I think a big trend for next year is that we’ll see a lot of companies who are breached, who have adopted cloud, and who then make the excuse that it is the cloud provider that screwed up.”
6. Businesses will increasingly move to Zero Trust and feel compelled to boost their identity verification processes
The issue of trust has never been more paramount, across both the privacy and security landscapes.
“From the rising number of cyberattacks to fake news and wild conspiracy theories, 2020 has made us warier than ever,” says Keith Glancey, Systems Engineering Manager, Western Europe at Infoblox.
For cyber security, specifically, this means a growing attack surface, dependence on third parties, and the lack of a corporate perimeter security net.
“When it comes to cybersecurity in 2021, it’s wise for organisations to plan for the worst and hope for the best,” says Glancey.
“Planning for the worst” could be another way of describing the increasingly popular “Zero Trust” security philosophy, in which no user, device or connection is trusted by default, whether inside or outside the corporate network, and every request must be authenticated and authorised before access is granted.
“This shift will move enterprises away from the basic ideas of persistent permissions and the uncontrolled access of both humans and computers. Privileged access will no longer need to be persistent or permanent, but assigned and access granted on a per-session basis,” says Dan Conrad, field strategist at One Identity.
“Through zero-trust architecture, the coveted privileged accounts, that are commonly targeted, are more effectively ‘managed’, making them simply not valuable to the attack process.”
Adopting this approach will mean that security professionals must use strong identity verification techniques, and 2021 will see tougher identity and access management (IAM), wider use of multi-factor authentication (MFA) and micro-segmentation.
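The per-session, non-persistent privileged access that Conrad describes can be shown in a few dozen lines. The following is an added illustration written for this article, not code from One Identity or any other vendor quoted here; the user names, the role table, the 15-minute session lifetime and the HMAC-signed token format are all assumptions made for the demo. The broker holds no standing privileges: a privileged role is requested, checked against policy (identity, second factor, device posture), granted for a short window, verified on every use and revocable early.

```python
"""Per-session privileged access in the zero-trust style described above.

Added illustration for this article, not code from any of the vendors quoted.
Everything here is hypothetical: the identities, the role table, the 15-minute
session lifetime and the "user|role|expires|hmac" token format are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import hashlib
import hmac


@dataclass
class AccessRequest:
    user: str
    role: str                # privileged role requested for this session only
    mfa_verified: bool       # a second factor was completed for this request
    device_compliant: bool   # endpoint posture check (hypothetical) passed


@dataclass
class SessionGrant:
    user: str
    role: str
    expires_at: int          # Unix time; the grant is gone after this
    token: str               # "user|role|expires|hmac" handed to the session


class ZeroTrustBroker:
    """No standing privileges: every privileged session is requested,
    evaluated against policy, granted for a short window and verified
    on each use. Time is passed in explicitly so the logic is testable.
    Assumption: user and role names never contain the '|' separator."""

    def __init__(self, signing_key: bytes,
                 assignable_roles: Dict[str, Set[str]],
                 ttl_seconds: int = 900) -> None:
        self._key = signing_key
        self._assignable = assignable_roles   # roles a user may *request*
        self._ttl = ttl_seconds
        self._revoked: Set[str] = set()       # signatures of revoked grants

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        """Policy decision point: identity, factor and device are all checked."""
        if req.role not in self._assignable.get(req.user, set()):
            return False, "role not assignable to this user"
        if not req.mfa_verified:
            return False, "multi-factor authentication required"
        if not req.device_compliant:
            return False, "device failed posture check"
        return True, "granted"

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def grant(self, req: AccessRequest, now: int) -> Optional[SessionGrant]:
        """Issue a time-boxed grant, or nothing at all on policy failure."""
        ok, _reason = self.decide(req)
        if not ok:
            return None
        expires_at = now + self._ttl
        payload = f"{req.user}|{req.role}|{expires_at}"
        return SessionGrant(req.user, req.role, expires_at,
                            f"{payload}|{self._sign(payload)}")

    def authorize(self, token: str, role: str, now: int) -> bool:
        """Policy enforcement point: called on every privileged action."""
        parts = token.split("|")
        if len(parts) != 4:
            return False
        user, granted_role, expires, sig = parts
        payload = "|".join((user, granted_role, expires))
        if not hmac.compare_digest(self._sign(payload), sig):
            return False                      # tampered or forged token
        if sig in self._revoked:
            return False                      # pulled early by an operator
        if not expires.isdigit() or now >= int(expires):
            return False                      # session window has closed
        return granted_role == role           # no privilege beyond the grant

    def revoke(self, token: str) -> None:
        """Kill a live session without waiting for expiry."""
        self._revoked.add(token.rsplit("|", 1)[-1])


if __name__ == "__main__":
    # Constructed demo data, not from the article.
    broker = ZeroTrustBroker(b"demo-signing-key", {"alice": {"db-admin"}})
    req = AccessRequest("alice", "db-admin", mfa_verified=True, device_compliant=True)
    grant = broker.grant(req, now=1_700_000_000)
    assert grant is not None
    print("granted until", grant.expires_at)
    print("in window:", broker.authorize(grant.token, "db-admin", now=1_700_000_100))
    print("after window:", broker.authorize(grant.token, "db-admin", now=1_700_001_000))
```

The point the example makes is the one in the quote: an attacker who steals a credential in this model gets, at most, a signed grant that is bound to one role, dies within minutes and can be revoked on sight, rather than a permanently privileged account. A production broker would additionally tie the grant to the session or device it was issued to and log every decision.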
Some even predict that 2021 could see the end of the password as we know it, as biometrics increasingly replace that rusty old steed.
Stuart Sharp, VP of solution engineering at OneLogin, is one such proponent of this method of augmenting MFA: “The more simplistic methods, such as authentication by way of text messages, are better than nothing, but they are too susceptible to the malicious schemes of bad actors who can manipulate telco-based communications for their own benefit. Biometrics, however, is based on ‘who you are’,” he explains.
“In light of Covid-19 and the increased reliance on all things internet, it will be interesting to see is if this trend towards a passwordless world rapidly accelerates.”
7. The march towards automation in cyber security continues – but how fast?
There is an inherent “buzzwordiness” in discussions about the uptake of automation tools such as AI and machine learning in identifying and mitigating cyber threats, and although new technologies are in constant development to detect and respond to threats, some express cynicism about how widespread use of these tools has been in 2020, and the true sophistication of many on the market. Could that be set to change?
Potentially among Managed Service Providers (MSPs), according to Tim Brown, VP of Security at SolarWinds: “2021 must be the year MSPs use automation to their advantage. Automation enables better security predictions, better protection, and better automated defence. Automation allows MSPs to serve more clients while retaining the same number of employees. With more time, it also means employees can focus on growing the MSP’s proposition”.
Any growth in the uptake of automation could be a tool in filling the ongoing cyber skills gap, as security teams seek to do more with less: “In 2021, companies need to train their talent, treat them well, equip them for success and give them interesting problems to solve. Part of automation isn’t eliminating jobs, it is about removing repetitive, boring tasks. Taking the boring stuff off the table still leaves a lot of engaging work for talented cyber folks,” says Chris Hallenbeck, CISO of the Americas at Tanium.
8. We will see an increased focus on training, awareness and upskilling as businesses focus on the “human factor” in an uncertain world
Uncertainty is hated above all else in the corporate and commercial worlds, and that is what 2020 has delivered in abundance. 2021 looks set to continue the limbo between home and office, between the pandemic and the roll out of an effective vaccine, making IT planning decisions difficult. What businesses can do, however, is focus on the part of the machine least likely to change – the human being. For this reason, the cyber security gaze will likely fall on getting the human factor right, embedding training and awareness into a distributed, vulnerable and battle-worn workforce in need of upskilling for this shaken new world.
“As we head into 2021, organisations need to prioritise training schemes that are tailored to remote workers, including how to spot phishing scams and other types of social engineering cyber attacks. With an increase of distractions at home and fatigue around email and virtual meetings, it’s never been more critical that training be engaging, consistent and prioritised by business leaders to ensure it’s embedded into company culture,”
Matt Aldridge, Principal Solutions Architect at Webroot
He particularly highlights potential problems arising from mental health: “Many workers are mentally exhausted and more prone to making dangerous mistakes that can lead to security issues. Without a controlled network and onsite IT support offered by a physical office, businesses need to focus on implementing training that specifically supports workers in the home environment and that accounts for the stressors caused by the semi-permanent shift to WFH.”
An understanding of human behavioural patterns – and incentives – can inform training strategy and help transform and empower mindsets to enable employees to take responsibility for not only identifying but reporting errors and potential breaches.
9. Back to basics?
Ultimately, as organisations take stock and reflect on the tumult of 2020, changing gears in the process to a longer-term view, the basic tenets of cyber security remain: patch management, authentication controls, vulnerability assessment and risk management.
“If we don’t close the holes around what’s eating people’s lunch, all the bells and whistles and next gen security products in the world aren’t going to matter. Ninety percent of malware that is successful is so because we’ve simply not dealt with enormous swaths of fundamental security problems,” says Egon Rinderer, Global VP of Technology and CTO at Tanium Federal.
“Mark my words, malware, especially that associated with ransomware, is and will continue to increase precipitously over the coming months unless we focus on the foundation of security and IT hygiene.”
“… complex technical solutions are rarely the answer in and of themselves. This has particular relevance for prevention of ransomware attacks, where board recognition of the threat and preparedness for attack – both in response and in ensuring that backups are functioning and resilient to attack – are vital,” adds James Muir, Threat Intelligence Research Lead at BAE Systems Applied Intelligence.