Through a glass darkly

We asked several industry commentators for their views on where 2021 will lead us, as we continue to grapple with COVID-19 and a multitude of other challenges. Here's what they had to say.

According to Verizon's Data Breach Investigations Report for 2020, social engineering has become a top attack vector for hackers. DigiCert, for its part, expects threat actors to leverage current events to unprecedented levels in the current year.

Dean Coclin, DigiCert's senior director of business development, points to various influencing factors. "With unemployment fraud at an all-time high, we will see an even larger increase in 2021, as pandemic-focused unemployment programmes from governments have lowered the barriers to collecting benefits and security methods have not been able to keep up. Should we see additional stimulus funding from governments to provide relief for the effects of the pandemic, this will only make this a richer channel for fraudsters."

Coclin, along with Avesta Hojjati, head of R&D, and Mike Nelson, VP of IoT security at DigiCert, have come up with some joint predictions for 2021, as life starts to return to a semblance of how it was pre-COVID-19. "We predict that individuals and businesses alike will adjust to a new normal sometime in 2021. As workers return to the office, there will be a steady crescendo of applications offered by threat actors, with the promise of increased productivity tools to ease the transition. Tools such as apps that provide ambient sounds will be leveraged in these attacks," they state.

They warn of new attack vectors emerging not only in social engineering, but also in attacks targeting the common home devices used by workers who split their time between home and the office; compromising such a device can compromise the individual and allow lateral movement into the business. "Workers splitting time between the home and the office will only exasperate this transition period, causing confusion and an increase in security risk for business."

Hojjati also sees 2021 bringing increased focus on automation and efficiency solutions in the security market. "As organisations work to keep the lights on and scrutinise the bottom line, there will be a resulting push for efficiency in security technologies. 2021 will bring an emphasis on technologies that allow organisations to do more with less and automation will play a significant role, in terms of security innovation in the New Year."

Worryingly, according to a 2020 SANS Automation and Integration Survey, 12% of respondents had no security automation in 2019. In 2020, that dropped to 5%. "We predict the level of automation in 2021 will increase exponentially," he advises.

Meanwhile, as security investments focus on immediate value, quantum computing will continue to move forward. "We will see the effect of Moore's law on quantum computing," says Tim Hollebeek, industry and standards technical strategist at DigiCert. "As quantum computing allows for tasks to be more efficient, organisations will prioritise its continued development. Improvements and efficiency are recession resistant."

Coclin has views, too, on the challenge of staying safe online, stating that identity and consumer accountability of an organisation's permissions and controls over its data will lead to a new interest in how to stay safe online and with connected devices. "Concerns over contact tracing and other government invasions of personal privacy will lead to a new desire by the public for ways to identify organisations with which they connect online," he states, "and for better assurances of the security of the connected devices in their everyday lives, including connected cars, homes, buildings, websites and emails."

WORKING REALITY
With the disruptions and restrictions the pandemic brought to our lives in 2020, it seems like 2021 will look similar with regards to our new working reality, cautions Robert Allen, director of marketing & technical services at Kingston Technology Europe. "This will bring new data security challenges for IT managers, as cybersecurity threats have increased massively during the Covid-19 lockdown. Artificial Intelligence will have a positive impact on security, while businesses will be more reliant on AI processes to implement cybersecurity and data privacy measures.

"Working from home or a hybrid working environment will continue to stay and, even though the pandemic might gradually step out of our lives, employees will be looking to continue with the flexibility they now have. A better work-life balance for employees and savings on costs for businesses will be the main motivators for this, but it will come with additional challenges," he adds, "an important one being how to improve employees' equipment to increase efficiency. This may be a memory or storage improvement that will help all systems operate better, or being able to make the many video calls that are now part of our lives."

Avesta Hojjati, Digicert: increased focus on automation and efficiency solutions in the security market.

Equally important is the need to improve data security in this new working environment. "IT managers might well consider upgrading employees' laptops by using encrypted drives to mitigate cybersecurity attacks," adds Allen. "The use of encrypted USBs would also add a layer of security to mobile corporate data, as we anticipate the shift from home working to more mobile working."

As the number of employees and businesses that are operating remotely has increased significantly, the need for companies to provide specific training and cybersecurity awareness programmes to employees will be paramount. "AI will play an important role in 2021, in order to support the implementation of further data security measures," he states. "With teams physically spread out and with a need to access corporate networks, businesses will rely more on automation and machine learning to prevent cyber-attacks. Businesses are still adapting to this paradigm shift. The impact caused by Covid-19 has completely changed the landscape in organisations worldwide and the tools that need to be used will also need to continue to adapt to this. Whatever happens in 2021 and beyond, we will continue supporting businesses as their needs evolve."

RE-INFECTING MACHINES
Kelvin Murray, senior threat research analyst at Webroot, sees cyber-attackers increasingly targeting home routers, insecure IoT devices and VPN systems to infect corporate machines connected to that network. "The goal of this tactic is to take advantage of low security home set-ups, so admins and users need to factor these risks into account when securing the growing number of work-from-home environments.

"MSPs and channel partners need to adapt their businesses to respond to the evolving threats that remote work presents. Some MSPs, particularly those who were more sophisticated before the pandemic, will be better equipped to protect against these types of threats. However, others will have to adapt and change their services very rapidly to keep up with these ongoing challenges," he adds.

"The amount of disruption and cost to businesses and important services like healthcare by ransomware groups has grown too big to escape addressing by world leaders," Murray concludes. "Expect some major discussion and statements about the threat by politicians in 2021."

GAPS IN SECURITY TRAINING
For his part, Matt Aldridge, Webroot's principal solutions architect, believes there is still not enough security training being implemented across businesses, specifically to address the increasingly remote workforce. "In 2021, organisations need to prioritise training schemes that are tailored to remote workers, including how to spot phishing scams and other types of social engineering cyberattacks. With an increase of distractions at home and fatigue around email and virtual meetings, it's never been more critical that training be engaging, consistent and prioritised by business leaders to ensure it's embedded into company culture."

A key consideration for businesses this year should be to monitor challenges around employees' mental health and the security issues that they can pose, he adds. "Many workers are mentally exhausted and more prone to making dangerous mistakes that can lead to security issues. Without a controlled network and onsite IT support offered by a physical office, businesses need to focus on implementing training that specifically supports workers in the home environment and that accounts for the stressors caused by the semi-permanent shift to WFH."

Dean Coclin, Digicert: even greater interest will be shown in how to stay safe online and with connected devices.

Aldridge also points out that any training programme needs to have a feedback loop "and phishing simulations can help to form an important component of this, allowing organisations to track improvement in click-through rates from timely, realistic simulated phishing emails as the training programme progresses. Lessons can then be learned from this, helping organisations to provide just the right amount of regular training, without overburdening their users and without leaving it too long between sessions to allow bad behaviours to slip back in".

The company's Nick Emanuel, senior director of product, also warns of new forms of exploitation, as we seek to emerge from the ravages of COVID-19. "As 2021 brings the first vaccines to fight Covid-19, cyber criminals will exploit the lack of trusted information and the widespread use of phone-based medical appointments [telemedicine] to target businesses and consumers in phishing attacks and BEC [Business Email Compromise] scams."

DEVASTATING ATTACKS
Lisa Ventura, CEO & founder, UK Cyber Security Association (UKCSA), has been highlighting some other areas she believes will continue to be a challenge in 2021. "Ransomware attacks can be devastating. Demands can run into millions of pounds. The number of such attacks has jumped by 350% since 2018, as well as the average ransom payment increasing by more than 100% in 2020. Downtime has also increased to up to 200% and the average cost per incident is rising exponentially."

Lisa Ventura, UK Cyber Security Association: cloud computing and security will be central to the post-pandemic world.

Cloud computing and security will be central to the post-pandemic world, she adds. "Organisations that have migrated to the cloud will need to focus on their cloud security and understand the relationships they have with their providers. Cloud services were essential in 2020 for keeping the economy and our lives from grinding to a total halt and, in 2021 and beyond, there will be much more of a reliance on clouds, along with smart sensors, remote collaboration and streaming, even after we emerge from the pandemic."

"There will also be a greater reliance on automation, artificial intelligence and machine learning," Ventura states. "This reliance may drive a trend of hyper automation. This is a process in which organisations automate as many business and IT processes as possible, using AI, machine learning and robotic process automation. With the sheer number of potential threats and security alerts rising daily, it is often too much for humans to handle alone."

ATTACKER SURFACE
As the pandemic hit, many companies were, as we all now recall, forced to react very quickly to keep themselves going and meet customer needs. This move to digital opened up a gateway for hackers, who have since been seeking to take advantage of a greater attack surface. "2021 will start to see the trend towards efficiency over resilience reversed, as companies realise the damage that can be done, if these key services go down," says Dr Alex Tarter, chief cyber consultant and CTO at Thales UK. "This could result in the security budget overtaking the R&D budget next year."

Jon Fielding, Apricorn: rise in endpoint controls will enable employees to use their own devices safely.

The business-hacker relationship has largely always been one way, with cyber criminals attempting to break in and businesses reacting to this. "However, 2021 will see that relationship change, as businesses go on the offensive and attempt to throw hackers off their game. Companies will start using deceptive techniques, such as deploying fake high-attraction systems to divert attackers or leave fake credentials [breadcrumbs] that lead to a fake high-value target," he adds.

If 2020 is to be defined by the Coronavirus, then 2021 will, hopefully, be the year of the vaccine. "Scientists and the medical professionals have been working against the clock to produce a vaccine that will mitigate the virus, but within that unfortunately are threat actors looking to upset the process and steal data. With medical and logistical information at such a premium, the UK still faces a cybersecurity talent shortage that could leave its health industry exposed. In 2021, expect to see a greater effort from the healthcare industry to access cybersecurity expertise," concludes Tarter, "both from a recruitment perspective and a partnership viewpoint, in order to protect their systems and against misinformation about the vaccine process."

MAKE OR BREAK
It's security culture that will 'make or break' hybrid working - not the technology, argues Jon Fielding, Apricorn's managing director EMEA. "Combined home and office working will set in as a long-term model and doing this safely will demand a major culture shift. Lack of employee education was singled out as the biggest cybersecurity weakness during the first lockdown in a recent Apricorn poll. Companies must make urgent changes to improve awareness of the different security risks associated with hybrid working and the knowledge of how to control them."

Training employees in the 'practical stuff' won't be sufficient, he adds. "Everyone is accountable for protecting data in the new working environment, which requires a culture of information security best practice across the entire dispersed workforce. This isn't something that can be enforced; employees need to buy in to it. This will require IT teams to build deeper engagement with staff and devolve greater responsibility for security onto the individual. Education programmes must therefore explain the 'why', as well as the 'what' and 'how': the reasons data protection is important, and the specific risks and consequences to their company of a breach."

"Ultimately, businesses will want complete confidence that employees are working safely when they're out of the office," adds Fielding. "Secure, encrypted storage devices can be used to protect company data offline or quickly deploy a secure desktop environment to an entire workforce by pre-loading them with the standard corporate apps and security settings. Employees can then boot this up on whatever device they're using."

Mike Campfield, ExtraHop: new ransomware gangs will enter the picture and continue development of attack tactics.

He also sees organisations moving beyond the mindset of 'complete security', to focus on strengthening their cyber resilience. "Cyber resilience is an organisation's ability to prepare for, respond to and recover quickly from any digital disruption. We anticipate a marked rise in criminal attacks in 2021, as hackers take advantage of people continuing to work remotely - in particular, ransomware, malware and phishing. Recognising that no business is immune, IT teams will shift focus to ensuring they have all their ducks in a row, in the event of a breach. They'll also prioritise planning to mitigate the impact of any future crisis that drives the workforce out of the office!"

Apricorn also expects to see an increase in encryption, to protect data as it's moved from office to home - mitigating risks, such as targeting in the cloud - and keep information secure whatever's happening around it. "There will also be a rise in endpoint controls that enable employees to use their own devices safely. These measures give organisations the ability to demonstrate transparency and due diligence, should a breach occur. The use of secure, encrypted storage devices as a straightforward way of backing up data locally is likely to increase, supporting the ability to get up and running again fast."

STRAINING AT THE LEASH
According to Mike Campfield, VP, GM International and Global Security Programs at ExtraHop, this year will see new strains of ransomware as attackers continue to profit. "We will also find new gangs entering the picture and continued development of attack tactics. Following the trend of recent years, ransomware will set its sights on ever higher value targets in healthcare, institutions of education and financial services. The more things change, the more they stay the same - the essential threat of ransomware is no different. Enterprises will develop workarounds to resist paying the ransom; ransomware continues to be the greatest threat to enterprises. We expect 2021 to produce new victories in the long ransom war," he states.

As for remote work, he believes that more and more employees are going to demand it from their employers. "In 2021, remote work will cement its place as a standard part of working life and create a new raft of considerations for enterprise security. How will an enterprise protect its network, if endpoints are employee-owned, constantly on and off the corporate network, either from home or in the office? How are enterprises going to protect themselves, without the benefit of enterprise security controls? In 2021, the fact of long-term remote work is going to force us to rethink how we secure enterprise data and infrastructure," he adds.

THE RESET NORMAL
2021 will be a year for organisations to reset and to fortify their cybersecurity resilience, according to Infosecurity Europe's community of security leaders. Europe's leading information security event asked its network of CISOs and analysts to comment on the major trends and changes they foresee shaping the next 12 months. Overall, they expect companies to focus on consolidating and reinforcing their security posture, as the full consequences of last year's rapid changes become apparent. This is a world that Maxine Holt, senior research director at Omdia, calls "the reset normal".

She says: "From a security perspective, it's been difficult to maintain pace with the speed of change. COVID-19 accelerated cloud journeys, for instance, and security was at best an afterthought. Security functions applied temporary measures, and they will now peel back the sticking plaster and build more sustainable security for new ways of working. This should include upskilling staff in cloud security expertise, and looking at technology that can prevent, detect and respond to security incidents in these evolved environments."

Maxine Holt, Omdia: COVID-19 accelerated cloud journeys and security was at best an afterthought.

The threat landscape will continue to evolve at a speed that outpaces the cybersecurity industry, according to Becky Pinkard, CISO of Aldermore Bank. "I'd like to see companies buckle down on the 'foundations of security', moving into an era of never-before-seen strength on the frontline fight against cyber threats," she comments. "However, I predict we'll see more of the same when it comes to security awareness, patching and risk prioritisation. The industry is maturing, but at a glacial pace. Until we pick up that pace, the current overall defensive posture will persist."

When it comes to the threats that will come to the fore in 2021, Heidi Shey, principal analyst serving security and risk professionals with Forrester Research, believes insider incidents will be an area of increased concern. "Pandemic-related uncertainty and remote work environments have collided to create the ideal conditions," she explains. "We expect one-third of security breaches will be caused by insider threats in the coming year, up from 25% today. These may be due to accidental or inadvertent data misuse, or malicious intent. As part of their defence, firms should add capabilities for detecting insider threats and improve the employee experience."

Part 2 of our predictions for cybersecurity in 2021 will appear in the next issue.