2021 cybersecurity predictions: what should happen, but won’t
With the impact which the global pandemic has had on the way we work, organisations have achieved much during 2020 to roll out remote working capabilities on a grand scale. However, the increase in malware, ransomware and data theft attacks has shown that the cybercriminal is keen to leverage this new, less well-defended organisational entry point.
While existing layers of defence do a great job of defeating many attacks, some do get through, so a new data-centric security focus will emerge to fill these gaps.
1. Accepting that unauthorised data access will happen
- Cybercriminals can get in via stolen user credentials, social engineering, malware, ransomware, and so on. And with remote and ‘hybrid office’ working, the starting point for the attack has become much more available. Cybercriminals will make many attempts to gain access, accepting that most will fail. The target organisation, however, needs to defend against all attacks
- Insiders including administrators can be cybercriminals too
- Administrators at third-party service providers often have doors opened to the corporate network, or they have access to cloud-stored data
- System vulnerabilities or misconfiguration remain a significant problem both for internal and cloud-based systems
This won’t happen because… the belief is that no additional measures can be taken to reduce the risk of unauthorised data access and theft.
There are two camps here. The first believes that they have all the layers of security in place to ensure that data remains protected and is impossible to steal. They do all the right things, analysing the latest attacks, exchanging best practices with their peers, and constantly reviewing their security measures. They’ve got it all covered.
The second camp accepts that it is possible that they will either get hacked or an employee, contractor or third-party provider will steal data. They say that there’s nothing to be done and that they have the plans and procedures in place to recover from such an eventuality.
2. The Zero Trust model will be extended in to data
This won’t happen because… the Zero Trust model has been around for a while now, with increasingly wide adoption. Surely if we make sure that only authorised users can open the security ‘doors’ then our data is safe? The argument not to extend Zero Trust into the data is that by adding security doors at every point we have very tight control over everything. And if someone gets through a lot of doors, they’re going to be denied access to all sorts of other areas, so the loss is minimised.
But what data did they get hold of? And this also disregards compromised user accounts and insider data theft…
3. IoT devices will be recognised as a first step to hack the corporate network
This won’t happen because… remote working is here to stay in a big way. And tried and trusted technologies such as multi-factor authentication, Virtual Private Networks (VPN) and Transport Layer Security (TLS) are fully able to protect the corporate network.
But how do these technologies defend against a cybercriminal who has hacked their way onto the remote worker’s PC? They’ve essentially bypassed all those security checks…
And what about all of those ad-hoc spreadsheets, documents and reports held on the employee’s laptop at home? How safe are they?
4. All data will be considered worthy of strong protection
This won’t happen because…‘There will always be some information which is more important than others – so we strongly protect the most important data', so they say. ‘It’s always been this way – we only use encryption for sensitive information.’
The alternative argument is that ‘we already have encryption’. By which is meant full disk encryption. But this check-box approach to data security does not protect information on a live, running system.
In a recent Ponemon report, 69% of respondents say discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy, and 32% say that classifying which data to encrypt is difficult and one of the major hurdles. If this is the top concern, why not just encrypt everything?
Pop quiz: How many phone numbers can you write down from memory? We always used to be able to remember phone numbers – at least a handful. How times have changed.
5. We all stop relying on ordinary people being IT security experts
This won’t happen because…
IT security training is done. Check.
Random phishing tests are organised. Check.
Backups are all on schedule and tested. Check.
So we’ve done all we can to minimise the likelihood and impact of ransomware. Right?
Wrong. Someone sometime will click on something bad, releasing malware. You might not even be aware of it for some time, while it collects and steals all of your data. This is serious, business-busting stuff.
So why not behave like the doorman at the nightclub? ‘If you’re not on the list, you’re not coming in.'