Cyber security experts make their predictions for 2021 and stress the importance of agility, board involvement and good communication.
As we close the door on 2020 with an exhausted sigh of relief, attention immediately turns to the new year and the fresh challenges that await us. Many industries have found the last 12 months eventful to say the least, and this was particularly true of cybersecurity.
With the overnight transition to remote working that significantly broadened almost every organisation’s attack surface, and the countless high-profile data breaches that we seemed to read about every other day, security certainly shot up the priority list for many businesses.
As we turn to 2021, we start to question what the security landscape will look like. How will we handle the long-term switch to hybrid or remote working? What can security teams do to prove their value to a scrutinising C-suite? And what kind of attacks can we expect post-pandemic? teiss spoke to seven cybersecurity experts to find out.
2020 taught us to be prepared for anything, and Terry Storrar, Managing Director at Leaseweb UK, explains why organisations need to be ready:
“We will all need to look at the best ways to balance our appetite for risk whilst ensuring we are agile enough to adapt to instant changes of circumstance.
“Over the next 12 months, I strongly believe that disaster recovery and likewise business continuity will play a huge part in how organisations prepare their IT systems going forward. Never has data been more vital for survival than it is today and its importance will only continue to increase, especially with more organisations turning to the remote working set-up on a more permanent basis.”
Prepare for long term remote working
When the pandemic struck, many turned to legacy security architecture like Virtual Private Networks (VPNs) to keep attackers out. However, Anurag Kahol, CTO and co-founder of Bitglass, argues that a more secure approach is required in the form of zero trust:
“VPNs introduce latency, hamper productivity, can be difficult to scale, and can grant employees excessive access to internal resources. VPNs also represent significant liabilities as cybercriminals can easily exploit unpatched VPNs with ransomware.
“With 400 million businesses and consumers using VPNs across the globe (according to GlobalWebIndex), it’s likely that we will continue to see VPNs targeted by cybercriminals in successful attacks.
“60% of enterprises will have phased out VPNs in favour of zero trust network access by 2023. With a zero-trust implementation, users only have access to the smallest set of permissions necessary to perform their work duties. This trend toward zero trust network access is likely to accelerate in 2021 as organisations realise the gaps that legacy architectures like VPNs pose to their security postures.”
Increased board involvement
2020 was tough, and the unfortunate reality for some organisations is that their long-term viability is in question as a result. As such, we’re now seeing more board involvement in different business areas, and security is not exempt.
Stephen Roostan, VP EMEA for Kenna Security, discusses how any resulting pressures from the board can be alleviated:
“Executives see what’s happened to other firms. They’re questioning their own cybersecurity posture. Could a breach like that happen to us? How much at risk are we? What is our own impact tolerance? Three simple questions. But for the resource-strapped and under-invested cybersecurity and IT teams it’s rarely possible to give a definitive answer. Drowning under the weight of threat data, tickets and patches, they have no hope of quantifying the risk to their business in a meaningful way.
“In 2021 executives must understand their organisation’s individual risk posture relative to the enormous pool of vulnerability and threat data that exists. But they must also equip their cybersecurity and IT teams with the necessary tools to cut through that noise, and to calculate the risk metrics that are right for their own business.
“It is all about accurately pinpointing the actions that will be most effective. For example, applying fewer patches, but knowing that you are focusing on fixing the riskiest first – before it’s too late.”
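Roostan’s point above is that patching fewer vulnerabilities, chosen by business risk rather than raw severity, can remove more risk than patching by CVSS alone. The following is an added illustration, not code from Kenna Security or from this article. It ranks a constructed set of vulnerabilities (placeholder identifiers V-1 to V-6, not real CVEs) with an illustrative scoring model whose multipliers for public exploit availability, exploitation in the wild, internet exposure and asset criticality are assumptions chosen for the example, and then compares how much of the total risk a fixed patching budget removes under each ordering.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    ident: str               # placeholder identifier (constructed, not a real CVE)
    cvss: float              # CVSS base score, 0-10
    exploit_public: bool     # a working exploit is publicly available
    exploited_in_wild: bool  # observed being used in real attacks
    internet_facing: bool    # the affected asset is reachable from the internet
    criticality: int         # business criticality of the asset, 1 (low) to 5 (crown jewels)


def risk_score(v: Vuln) -> float:
    """Severity scaled by exploitability, exposure and asset value.

    The multipliers are illustrative assumptions for this example,
    not a published or vendor scoring model.
    """
    score = v.cvss
    if v.exploit_public:
        score *= 1.5
    if v.exploited_in_wild:
        score *= 2.0
    if v.internet_facing:
        score *= 1.5
    score *= v.criticality / 5
    return round(score, 2)


def by_risk(vulns, budget):
    """The `budget` vulnerabilities to fix first when ordering by risk score."""
    return sorted(vulns, key=risk_score, reverse=True)[:budget]


def by_cvss(vulns, budget):
    """The `budget` vulnerabilities to fix first when ordering by CVSS alone."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)[:budget]


def risk_reduced(vulns, fixed) -> float:
    """Percentage of total risk removed by fixing the given subset."""
    total = sum(risk_score(v) for v in vulns)
    return round(100 * sum(risk_score(v) for v in fixed) / total, 1)


# Constructed sample data: a backlog where the highest CVSS scores sit on
# low-value, internal-only assets with no known exploit.
SAMPLE_VULNS = [
    Vuln("V-1", 9.8, False, False, False, 1),
    Vuln("V-2", 7.5, True, True, True, 5),
    Vuln("V-3", 9.1, False, False, True, 2),
    Vuln("V-4", 6.5, True, False, True, 4),
    Vuln("V-5", 10.0, False, False, False, 3),
    Vuln("V-6", 5.3, True, True, False, 5),
]


if __name__ == "__main__":
    budget = 3
    for label, chooser in (("by risk", by_risk), ("by CVSS", by_cvss)):
        chosen = chooser(SAMPLE_VULNS, budget)
        ids = ", ".join(v.ident for v in chosen)
        print(f"{label}: fix {ids} -> {risk_reduced(SAMPLE_VULNS, chosen)}% of risk removed")
```

With a budget of three patches, the risk-ordered set (V-2, V-6, V-4) removes about 82% of the modelled risk, whereas the three highest CVSS scores (V-5, V-1, V-3) remove under 18%. The numbers depend entirely on the assumed weights; what matters is that the inputs a team can actually measure (exploit availability, exposure, asset value) change the order substantially.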
The key is in communication
Steve Moore, chief security strategist at Exabeam, echoes Roostan’s note about board-level involvement, and encourages CISOs to streamline communication between the C-suite and the SOC:
“Analysts are tasked with combing through thousands of security alerts a day, which is exacerbated by the fact that over half of their time is spent on data collection and chasing false positives.
“With SOCs being distributed in the remote work environment, CISOs must empower their teams to report staffing and technological shortcomings to develop and enhance security programs. When security teams express issues that may be heavily affecting their work, it lessens the burden on the CISO to evaluate from the top down.
“A CISO acts as a bridge between the security analysts and stakeholders such as the CFO, CEO and board of directors. Streamlining communication between the CISO and their security teams will become critical in 2021 in order for enterprises to stand a chance against advanced adversaries and beat the odds.”
This sentiment is backed up by Tim Bandos, CISO at Digital Guardian, who offers advice on how security teams can improve communication with the hierarchy:
“Communication is key in properly translating cybersecurity and business needs across various levels in your organisation. Having emotional intelligence as a soft skill will allow you to communicate your message more effectively depending on the audience you’re speaking with.
“I also think having strong emotional intelligence allows you to self-evaluate and adjust to avoid the impact of stress and becoming frustrated with a position like that of a CISO. Remaining positive is key. Having the ability to negotiate and influence others to sign up for your cybersecurity initiatives will be critical as well along with being able to build relationships that are based on trust.”
A changing threat landscape
Remote working seemed to be a catalyst for an increased number of cyber attacks in 2020, and Thomas Cartlidge, Head of Threat Intelligence at Six Degrees, explains that we can expect to see business email compromise (BEC) attacks become more frequent in 2021:
“BEC tactics have evolved through 2020, including the targeting of group inboxes with fraudulent instructions to change payment details for a client or vendor.
“The increased availability of deep fake technology could allow BEC to include multiple elements, such as phishing emails and deep fake-enabled voice calls impersonating genuine colleagues or vendors. As this technology becomes more readily available, the threat will increase.
“Technically-advanced criminals, such as those that develop ransomware, could also change some of their focus to BEC. In 2021, BEC may become an equal threat to ransomware for all organisations.”
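Cartlidge describes the current BEC pattern: a message to a shared finance inbox, apparently from a known vendor or colleague, instructing staff to change payment details. The following is an added example of how a mail-filtering or SOC triage script can surface that pattern; it is not code from Six Degrees or from this article. The organisation data (an internal domain of example.com, a staff list, a vendor-to-domain mapping and a set of group mailboxes), the keyword patterns and the four sample messages are all constructed assumptions for the illustration.

```python
import re

# Constructed reference data for a hypothetical organisation (assumptions, not from the article).
INTERNAL_DOMAIN = "example.com"
INTERNAL_STAFF = {"jane doe", "tom smith"}              # display names that should only arrive from INTERNAL_DOMAIN
KNOWN_VENDORS = {"acme supplies": "acme-supplies.com"}   # vendor display name -> domain it normally sends from
GROUP_MAILBOXES = {"accounts-payable@example.com", "finance@example.com"}

# Payment-redirection language in either word order, within a single sentence.
_CHANGE = r"(?:new|updated?|changed?)"
_MONEY = r"(?:bank|account|payment|remittance|iban|sort\s+code)"
PAYMENT_CHANGE = re.compile(
    rf"\b{_CHANGE}\b[^.]{{0,60}}\b{_MONEY}\b|\b{_MONEY}\b[^.]{{0,60}}\b{_CHANGE}\b", re.I
)

ADDRESS_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


def parse_address(header: str):
    """Split 'Display Name <user@domain>' into (name, address), lower-cased."""
    m = ADDRESS_RE.match(header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def analyse(msg: dict) -> list:
    """Return the BEC indicators present in one message, in a fixed order."""
    found = []
    name, addr = parse_address(msg["from"])
    sender_domain = domain_of(addr)
    # Sender anomalies: a trusted display name arriving from the wrong domain,
    # or a Reply-To that quietly redirects the conversation elsewhere.
    if name in INTERNAL_STAFF and sender_domain != INTERNAL_DOMAIN:
        found.append("staff_lookalike")
    if name in KNOWN_VENDORS and sender_domain != KNOWN_VENDORS[name]:
        found.append("vendor_domain_mismatch")
    reply_to = msg.get("reply-to")
    if reply_to and domain_of(parse_address(reply_to)[1]) != sender_domain:
        found.append("reply_to_mismatch")
    # Content and targeting: payment-change wording aimed at a shared finance inbox.
    if PAYMENT_CHANGE.search(msg["body"]):
        found.append("payment_change")
    if msg["to"].strip().lower() in GROUP_MAILBOXES:
        found.append("group_mailbox")
    return found


SENDER_ANOMALIES = {"staff_lookalike", "vendor_domain_mismatch", "reply_to_mismatch"}


def is_suspected_bec(msg: dict) -> bool:
    """Flag payment-change requests only when the sender identity is also anomalous.

    A legitimate change notice from a genuine vendor or colleague to the
    same mailbox is not flagged, which keeps the rule from drowning in
    routine finance traffic.
    """
    found = set(analyse(msg))
    return "payment_change" in found and bool(found & SENDER_ANOMALIES)


# Constructed sample messages (not real correspondence).
SAMPLE_MESSAGES = [
    {   # typo-squatted vendor domain, redirecting replies, asking for new bank details
        "from": "Acme Supplies <billing@acme-suppiies.co>",
        "reply-to": "billing.acme@outlook.com",
        "to": "accounts-payable@example.com",
        "body": "Please note that our bank account details have changed with immediate effect. "
                "Updated remittance information is attached; kindly pay invoice 1043 to the new account.",
    },
    {   # genuine vendor, routine invoice, no change request
        "from": "Acme Supplies <billing@acme-supplies.com>",
        "to": "accounts-payable@example.com",
        "body": "Invoice 1043 attached. Payment is due within 30 days as per our usual terms.",
    },
    {   # colleague's name on a webmail address, urgency, payment redirection
        "from": "Jane Doe <jane.doe@gmail.com>",
        "to": "finance@example.com",
        "body": "I'm stuck in a meeting. Can you urgently update the payment details for Acme "
                "to the new account below and confirm once done?",
    },
    {   # same colleague from the internal domain: change language alone is not enough
        "from": "Jane Doe <jane.doe@example.com>",
        "to": "finance@example.com",
        "body": "Heads up: procurement approved a change of payment terms for Acme; details are in the ticket.",
    },
]


if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES, 1):
        print(f"message {i}: suspected BEC = {is_suspected_bec(m)}; indicators = {analyse(m)}")
```

The rule deliberately treats the group-mailbox hit as context rather than as a trigger: the first and third messages are flagged because the payment-change wording is combined with a sender anomaly, while the genuine vendor invoice and the internal colleague’s change notice pass. In production the staff and vendor tables would come from the directory and the vendor master file, and the display-name comparison would need to tolerate the initials, middle names and Unicode homoglyphs that attackers use.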
Jakub Lewandowski, Global Data Governance Officer at Commvault, echoes Cartlidge’s take on growing attacks, and closes by explaining that regulation enforcement should strengthen in 2021 as high profile attacks continue:
“Ransomware is by no means a new threat but it has certainly become deadlier as the years have gone by, as criminals get more intelligent and technology advances. Add to this the introduction of GDPR back in 2018, and things start to get really sticky. With this still relatively new regulation, any company that holds individuals’ data and finds itself the victim of a ‘successful’ ransomware attack not only has to claw back its own data but also may face consequences of leaking personal information from customers and regulators.
“In 2021, I think we’ll see a tightening up of enforcement in data protection related cases. At the same time we should be witnessing a judicial verification of fines imposed by the data protection authorities as many high profile cases will be appealed to courts. The outcome should give more clarity on how to quantify legal risks associated with data processing. Companies should also be eyeing all the latest guidelines and guidance on ransomware prevention issued by data protection and cybersecurity regulators.”