You don't have to predict the future to be more secure

When maximising your security improvement efforts, look at the here and now, rather than what may lie ahead, advises Paul Harris, CEO, Pentest Ltd

Every year, usually around December, companies and experts like to predict what the year ahead will have in store for their industry. Information security is no different and you only have to Google 'cybersecurity predictions 2021,' to find a whole host of top 10 lists, articles on upcoming security trends and the emerging threats to watch out for.

These predictions often focus on new and exciting technologies, increases in certain attack techniques, the continuation of key trends from the previous years and potential shifts in the approaches taken by organisations to ensure they are protected.


But when it comes to information security, it seems things don't change too much. Next year always seems to be the year infosec gets taken more seriously within organisations: 2021 is predicted to be a 'big' year for ransomware (so were 2019 and 2016), phishing attacks will become more sophisticated (they always do), remote working concerns will continue to be important (as they were last year), attacks on IoT devices look set to intensify (more devices = more attacks), cloud security will become more of a concern (see last year, and the year before that) and, of course, there's the continued 'rise' of AI, machine learning, quantum computing, etc.

THE WRONG PATH?
Trying to predict the future has its place, and every business should consider the potential opportunities and threats the future could present. But when it comes to security improvements, predictions and hype can often send us down the wrong path, focusing our efforts on threats, approaches or technologies that may never come to fruition.

No matter what the predictions say, one thing will always be certain: organisations will continue to be compromised using known, and sometimes basic, attack techniques. The OWASP Top 10 (Web Application Security Risks) is a perfect example of how little the main security risks have changed over time: the top two web app vulnerabilities identified in 2010 are still the top two web app vulnerabilities in 2021 (injection and broken authentication). And it's not just these top two; many of the issues identified in 2010's top 10 list are still around today.

Sensitive data exposure, broken access controls, security misconfiguration, cross-site scripting flaws, the use of components with known vulnerabilities, people using 'Password123!'. These aren't new or upcoming issues; they've been highlighted as critical security risks year after year, yet they still show up in our testing time and time again.

Yes, thinking about new tech, new solutions and new approaches is exciting and, yes, these may help improve your security posture, but there will never be a single silver bullet solution. AI and machine learning are exciting prospects, but they won't solve all our security issues; attacks will change and adapt, like they have always done.

So, if you're looking to maximise your security improvement efforts, it's often more effective to look at the here and now rather than to the future. Getting the basics right is still the fastest route to raising the defensive bar: make sure your current set-up is protected against existing, known threats before moving on to consider what may, or may not, happen in the future.