Amanda Finch at CIISec makes her predictions for 2021
Cyber-security will face its toughest challenge yet
Cyber-security will face its toughest challenge yet as Brexit and COVID-19 meet. ‘Unprecedented’ was the buzzword of 2020, and will likely continue in 2021, as two huge events collide: Brexit and the COVID-19 pandemic. As with any chaotic, uncertain moment, attackers will be quick to exploit the situation; this has already begun, with scam calls jumping in October.
Compounding this is the economic impact of both events potentially leading to widespread redundancies. Individuals desperate to make ends meet could become more susceptible to joining the ‘dark side’, turning to cybercrime. Thanks to cyber-crime-as-a-service, becoming a cybercriminal is worryingly easy even for non-technical individuals. On the other side, those still working may be more susceptible to falling victim to these attacks – due to both sheer volume, and because depleted workforces will result in more stressed, less vigilant employees.
The industry needs to do everything it can to mitigate these risks. Hiring and training individuals to attract them towards cybersecurity rather than cybercrime – as well as to become more cyber aware in general – will be key. The industry needs to band together and efforts like the DCMS’s launch of a cybersecurity council in March 2021 will be crucial in holding back the tide.
Cyber-security will become front of mind
Cybersecurity will become front of mind for the public as attacks become bigger and more brazen. In 2021, the industry will likely begin to see a rise in blended attacks, with organisations across all sectors facing a combination of attacks from lone hackers, organised groups and nation-backed operations. For instance, the NCSC found that, over the past year, more than a quarter of cyber incidents detected by UK spies involved criminals and hostile states exploiting the pandemic.
Attackers in 2021 will also likely become more brazen, specifically targeting organisations and institutions where breaches are most likely to undermine public confidence. only added more strain onto hospitals’ often outdated IT systems, making them even more vulnerable to attacks – particularly ransomware. All it takes is one successful attack to drastically undermine public trust and the collective sense of safety.
The reality is, it’s likely a question of ‘when’ and not ‘if’ an attack like this will occur. The only thing organisations and security teams can do is prepare for the worst and be ready to learn from the harshest of lessons. 2021 will be the school of knocks, and we all need to come out with diplomas.
Human factors rise in significance
The human factor in cybersecurity will become more important than ever. With all the threats that 2021 could hold, cybersecurity teams are going to be more thinly spread than ever. Burnout was already a serious issue for the profession, with our recent survey finding that more than half (54 percent) of cybersecurity professionals had either left a job due to being overworked or experiencing burnout, or worked with someone who did.
This was a problem before COVID-19 struck but now, with the powder keg of the pandemic and Brexit, security teams simply cannot afford to lose a single employee in 2021. The profession needs to turn around this culture of stress and burnout, creating a working environment that encourages employees to follow their career path.
In 2021, we will see a growing willingness to approach cybersecurity as a shared responsibility to lessen the load on security teams. By implementing business-wide cybersecurity awareness training, employees can understand what risks to look out for, what is at stake and how to mitigate them. There will also need to be a growing emphasis on employee mental health, particularly of cybersecurity teams at risk of burning out. By ensuring the mental wellbeing of these employees is not overlooked, the profession can better secure the longevity of careers and keep all hands on deck in 2021 and beyond.
Diverse cyber recruitment will be a lifeline
Diverse recruitment will be a lifeline for the cybersecurity industry in 2021. To prevent security teams from being ever more thinly spread, recruitment will be key. The likely economic constrictions, and associated redundancies, we expect in 2021 will create a vast pool of individuals in need of employment and retraining.
At the same time, the skills security teams need are changing. With remote working now a permanent fixture for many, employees are effectively their own branch office, and so a new front line against attackers. Educating the workforce on the risks they face, and giving them the skills and knowledge they need to protect themselves, will be an essential task for the security team.
The need to beat cyber criminals to the punch when recruiting fresh blood, and the need to bring more diverse perspectives into the industry, will make potential new employees a vital resource. As a result, we will see a significant change in the makeup of the industry.
To begin with, the new IR35 tax regulations will make hiring contractors and freelancers less attractive in many cases, causing many security teams to swell with new, permanent employees. At the same time, the changing demands of the career, such as the need to manage and communicate with unskilled colleagues across the organisation, mean organisations will need to look beyond individuals with technical STEM-based backgrounds.
We will see the – possibly unfair – image of cybersecurity change, as it looks to attract individuals from a diverse range of backgrounds, experiences and industries, and begins to value people skills as much as technical.
Supply chain resilience will be key
In 2021, supply chain resilience will be key. Although cyberattacks on SMEs are still the most common, we’re beginning to see more and more attacks on large organisations. This is likely to continue to be the case in 2021, but the focus of attackers will change.
Attackers will quickly realise that an apparently “hard” target can be penetrated by looking for easier prey further down the supply chain. For instance, providers that deal with many organisations of different sizes can provide easy access to these organisations’ vulnerable underbellies if compromised. As organisations realise that these service providers can represent a highly concentrated risk to many partners or customers, systemic resilience in supply chains will become a high priority.
Just as security will be a more collaborative undertaking within organisations, so collaboration and openness will be essential up and down the supply chain. Organisations will want to both be certain that their partners are not leaving them open to risk, and prove their own security bona fides to their own partners in turn.
Amanda Finch is CEO of CIISec, the Chartered Institute of Information Security