2020 brought major changes to how we live and work. And as we look forward to the new year – and what we hope is an approaching return to normalcy – there are three core things security leaders should be focusing on.
The continuation of remote working
The abrupt shift to remote work earlier this year left many organisations enacting what amounted to a three-year digital transformation plan in a matter of months. “Organisations figured out how to survive the initial shock, but it’s time now to start preparing for the future,” says Mark Whitehead, Global Vice President of Trustwave.
One of the biggest ongoing challenges – and one that is frequently overlooked – is the skillset suitability of IT teams working to support the newly established environments. “The core part of digital transformation, from a business perspective, is cloud adoption because it provides agility and flexibility,” says Derek Taylor, Lead Principal Security Consultant at Trustwave.
“Traditional IT skills don’t directly map to cloud-related skills, specifically within security, so there’s definitely a need for upskilling and technical training,” says Ed Williams, Director of SpiderLabs EMEA. “Typically, if you did something internally that was unsecure, the impact was small and contained; now, if it’s hosted in the cloud, the impact could be massive and widespread. Moving into next year, we’ll likely see a number of businesses investing in technical training for the cloud.”
Cyber-crime-as-a-service
Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2020 highlights cyber-crime-as-a-service (CaaS) as being increasingly leveraged by technically unsophisticated criminals. Offerings such as malware coding or distribution are created and sold by developers or consultants. This shift, IOCTA notes, highlights the increased professionalisation of the cyber-crime landscape.
“Cyber-criminals are getting much slicker and more professional and are truly organised at the people level,” Williams explains. “They’re taking data out as well as encrypting all the hard drives and then threatening to sell the data they’ve extracted online. They’re becoming more pernicious and have evolved to the next stage, and this is something that’s likely to continue to evolve.”
Ransomware-as-a-service – provided by cyber-criminals to non-tech-savvy criminals – is proving similarly popular. Europol considers ransomware will become one of the main threats in the virtual world in 2021. The increasingly businesslike nature of ransomware attackers is exhibited in their engagement in online public relations stunts – some even conduct their own information campaigns to advance their goals.
Ransomware has proven to pose a significant threat by targeting supply chains and third-party service providers, for example. According to a Ponemon Institute survey, more than half of companies experienced a cyber-security breach that originated from a vendor in their supply chain. This number can be expected to continue increasing as more organisations accelerate their digital transformation timelines in light of evolving trends in the work environment that are likely to continue into next year.
Economic and business implications
The long-term impact of the pandemic on the world’s economy may result in any number of scenarios, all of which will require cyber-security professionals to remain alert and at the ready.
Some experts predict an increase in mergers and acquisitions as struggling enterprises join forces to stay afloat. It’s easy to overlook the significant impact cyber-security can have in these types of transactions. However, if you’re a CISO whose organisation is considering acquisitions in 2021, it is vital that you make a thorough assessment of their systems and security protocols.
Don’t assume a company is doing all the right things when it comes to cyber-security: even the most tech-savvy company may be leaving itself exposed in some way. Once a deal has closed, the acquiring company becomes responsible for any newly acquired cyber-risk, a hard lesson learned by Marriot in 2018, when it failed to address the significant cyber risks of Starwood.
For the acquisition target, on the other hand, ensuring your business already has these systems in place can help you become an even more attractive target simply by demonstrating strong cyber-security performance.
Some analysts predict we could be entering another “roaring 20s”, similar to the economic boom that followed the 1919 Spanish Flu pandemic. In this scenario, organisations will be racing to generate money before their competitors. This year, companies being cost-conscious as the result of the pandemic has caused gaps in their security postures. “It is imperative businesses don’t get overly optimistic next year and again risk leaving security investments behind,” says Taylor.
The plethora of challenges and changes we’re likely to face in 2021 are now engrained in the “new normal”. The three areas discussed are the ones to watch as we optimistically look ahead to next year. Trustwave remains your ally and advocate for any cyber-security concerns you might encounter, now and in the future.
by Ed Williams, Director, SpiderLabs EMEA at Trustwave