It feels strange to predict anything that might happen in 2021 given how little anyone could have predicted what happened in 2020. A pandemic? Remote work? Remote school? What other dystopic possibilities should we be ready for?
If we needed an end-of-the-year reminder about being ready for major cybersecurity breaches, we awoke to news reports on Monday, December 14, 2020, that multiple US Federal government agencies – including the Treasury and Commerce Department – were hacked in a months-long global cyberespionage campaign. The Boston Globe reports that the apparent conduit is a popular piece of network management software called SolarWinds Orion that is used by hundreds of thousands of organizations globally. One person close to the investigation was quoted as saying the campaign was a “10” on a scale of one to 10, in terms of its likely severity and national-security implications.
While private security companies and government agencies battle those fires, here are five cybersecurity trends that experts are urging us to pay attention to – and prepare for – in 2021:
At the end of November, a ransomware attack closed Baltimore County Public Schools, forcing the district to cancel remote classes for its 115,000 students. Azi Paybarah writes in The New York Times, “The digital infrastructure that makes remote learning possible is now increasingly seen as a target for cyberattacks. Schools are storing more data online without sophisticated plans for safeguarding it.”
The same goes for remote workers – increasingly referred to as “personal islands.” According to David Puner in CTech, employees working from home are “regularly accessing corporate systems and resources through insecure home networks and personal devices.” This renders every user “their own island where legacy security controls are ineffective.” Individual actions threaten corporate security at a greater level than ever before. The attack cycle will move away from broad attacks toward “more hyper-personalized attacks” that target “users with privileged access to sensitive systems, data and infrastructure.”
In Security Magazine, Anurag Kahol reports that “a failure to figure out how to support remote work without exposing sensitive information has led to nearly 25% of organizations paying unexpected costs to address cybersecurity breaches and malware infections.” It’s imperative that organizations, businesses, and schools rethink their approaches to security in the year to come.
Like all of us, businesses have had to adapt to the pandemic. Quickly. Without guidebooks. To transform their workforce into a remote workforce, “many organizations looked to legacy security architectures like VPNs as a silver bullet solution.” But as Kahol writes in Security Magazine, “this is not a sufficient long-term solution as VPNs introduce latency, hamper productivity, can be difficult to scale, and can grant employees excessive access to internal resources.”
What’s more, cybercriminals can exploit unpatched VPNs with ransomware. For example, in a July Twitter hack, attackers used stolen employee VPN credentials to access high-profile accounts and promote a Bitcoin scam. With 400 million businesses and consumers using VPNs across the globe (according to GlobalWebIndex), 2021 will see more VPNs targeted by bad actors.
But don’t despair: “34% of IT security teams across the globe have shared that they are in the process of implementing a zero-trust security model which can ease many of the challenges presented by a traditional network approach,” according to Kahol in Security Magazine, and “60% of enterprises will be phased out of VPNs in favor of zero trust network access by 2023.” Kahol notes that we should expect the trend toward zero trust network access to accelerate in the new year.
Due to the adoption of multiple cloud environments, many corporate assets are outside the traditional security perimeter, according to Security Boulevard’s Muralidharan Palanisamy. While businesses used to be able to depend on “castle and moat” security practices, those practices will no longer work. Instead of building a security perimeter around a place of business, protection needs to be based on the person or on the device requesting access. Rather than being “a set of technologies,” zero trust security is more like a “culture” – and it’s one that needs to change and grow to meet the current situation and needs.
Global events lead to new technologies that help us meet our circumstances. As we adapt to events like the pandemic, attackers adapt too. Online crimes reported to the FBI’s Internet Crime Complaint Center (IC3) have nearly quadrupled since the beginning of the COVID-19 pandemic. More people using the internet and more people working remotely (a trend that will continue even when stay-at-home orders end) means more people are vulnerable to security breaches.
The pandemic “caused a dramatic acceleration in digital initiatives across industries,” David Puner writes. “Many drove what felt like five years of transformation in five months – as they quickly adopted technologies to help productivity and business continuity.” 5G is an example of something new that has gone through rapid development and adoption – and even as it helps workflow, it also makes it possible for bad actors to attack more quickly. This isn’t to say that businesses should not implement new technologies to support their employees who are now remote. But it is to say that identifying security gaps and closing them are more important than ever. The risks and vulnerabilities are high. Cybersecurity must meet that challenge.
Deepfakes are “synthetic or manipulated media in which a person in a video or image is replaced with someone else’s likeness.” Deepfakes often show up in the news cycle as a way to lie to the public, influence opinion, threaten, and damage someone’s reputation. But deepfakes will also be used in cyberattacks, “not to sow mass confusion or chaos necessarily,” Puner writes, “but more to amplify social engineering attacks.”
Deepfakes will help attackers personalize their phishing attempts, making dangerous and manipulated communications feel more “authentic.” As all of us depend more on videos – to teach, to talk to each other, to share information – attackers can alter those videos, stealing people’s likenesses and using them for their own purposes. Puner offers an example: phishing emails pretending to be IT and asking for passwords are common, but what if they followed those emails with a video message from the CEO?
It seems like we will never return to “normal,” but we can prepare for the version of the world in which we find ourselves – and the version of the world we anticipate. Dedicated software solutions, best cybersecurity practices, zero-trust security, malware protection – all of these tools can help. But the best protection is a well-trained, well-practiced cybersecurity team. The best defense is a good offense: prepare for potential threats and protect your company’s assets.
At CYRIN, we’ve been developing answers for our changing world for years with our advanced online simulated training. We can help your cybersecurity team prepare for whatever is on the horizon. Your team can practice on a real-world system, as often as they like. CYRIN’s next-generation cyber-range allows you to use real tools, respond to real attacks, and use real scenarios to hone your skills in a virtual environment. CYRIN plays out real-life scenarios to help your team and your company be prepared and protected – for whatever comes next. Remember, hindsight is good, foresight is better.