Nigel Thorpe, Technical Director
2021 cybersecurity predictions: what should happen, but won’t
20 Dec 2020
With the impact the global pandemic has had on the way we work, organisations achieved a great deal during 2020 in rolling out remote working capabilities on a grand scale. However, the increase in malware, ransomware and data theft attacks has shown that cybercriminals are keen to exploit this new, less well-defended entry point into the organisation.
While existing layers of defence do a great job of defeating many attacks, some do get through, so a new data-centric security focus will emerge to fill these gaps.
1. Accepting that unauthorised data access will happen
Organisations will start working with the reality that it’s just not possible to keep all cybercriminals out all of the time. For example:
- Cybercriminals can get in via stolen user credentials, social engineering, malware, ransomware, and so on. And with remote and ‘hybrid office’ working, the starting point for the attack has become much more available. Cybercriminals will make many attempts to gain access, accepting that most will fail. The target organisation, however, needs to defend against all attacks.
- Insiders including administrators can be cybercriminals too
- Administrators at third-party service providers often have doors opened to the corporate network, or they have access to cloud-stored data
- System vulnerabilities or misconfiguration remain a significant problem both for internal and cloud-based systems
This won’t happen because… the belief is that no additional measures can be taken to reduce the risk of unauthorised data access and theft.
There are two camps here. The first believes that they have all the layers of security in place to ensure that data remains protected and is impossible to steal. They do all the right things, analysing the latest attacks, exchanging best practices with their peers, and constantly reviewing their security measures. They’ve got it all covered.
The second camp accepts that it is possible that they will either get hacked or an employee, contractor or third-party provider will steal data. They say that there’s nothing to be done and that they have the plans and procedures in place to recover from such an eventuality.
2. The Zero Trust model will be extended into data
Following the first point, Zero Trust will be extended into the data itself using authenticated file encryption. You can build as many micro-perimeters with authentication and access controls as you like, but if a cybercriminal – insider included – gains effective user access, then data is there for the stealing. And relying on full disk encryption to protect data is of no use in this case – on a running system it is about as useful as most ‘Secret Santa’ office gifts.
This won’t happen because… the Zero Trust model has been around for a while now, with increasingly wide adoption. Surely if we make sure that only authorised users can open the security ‘doors’ then our data is safe? The argument not to extend Zero Trust into the data is that by adding security doors at every point we have very tight control over everything. And if someone gets through a lot of doors, they’re going to be denied access to all sorts of other areas, so the loss is minimised.
But what data did they get hold of? And this also disregards compromised user accounts and insider data theft…
3. IoT devices will be recognised as a first step to hack the corporate network
The growth of connected devices at home will be recognised as a significant security concern, whereby cybercriminals gain access to the home network through a weak point – one of many network devices to choose from. Once in the home network, the jump to the employee’s laptop, then into the corporate network itself, is relatively easy, all riding on the user’s own identity and benefitting from their data access.
This won’t happen because… remote working is here to stay in a big way. And tried and trusted technologies such as multi-factor authentication, Virtual Private Networks (VPN) and Transport Layer Security (TLS) are fully able to protect the corporate network.
But how do these technologies defend against a cybercriminal who has hacked their way onto the remote worker’s PC? They’ve essentially bypassed all those security checks…
And what about all of those ad-hoc spreadsheets, documents and reports held on the employee’s laptop at home? How safe are they?
4. All data will be considered worthy of strong protection
All data will be considered equally important. Cybercriminals are really pretty clever. They don’t just use the information they stole from your company; they’ll aggregate this with other stolen or purchased data to form a comprehensive view. For example, this technique is used to build personal identities for use in identity theft. On the back of this realisation, all data – not just the ‘most important’ (whatever that is) – will be secured with the strongest security – after all, there’s no longer any downside to doing this.
This won’t happen because… ‘There will always be some information which is more important than others – so we strongly protect the most important data’, so they say. ‘It’s always been this way – we only use encryption for sensitive information.’
The alternative argument is that ‘we already have encryption’. By which is meant full disk encryption. But this check-box approach to data security does not protect information on a live, running system.
In a recent Ponemon report, 69% of respondents say discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy, and 32% say that classifying which data to encrypt is difficult and one of the major hurdles. If this is the top concern, why not just encrypt everything?
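As an added illustration of what points 2 and 4 amount to in practice (example code written for this page, not the author’s code or any product’s implementation): authenticated file encryption, applied to every file rather than only the ‘most important’ ones. Each file is sealed with AES-256-GCM under a key derived from the authenticated user’s identity, and the file name is bound as associated data. A copy read under a different identity, a renamed copy, or a copy with a single modified byte fails verification and yields an error rather than plaintext, which is the property full disk encryption does not give you on a running system. The master key, the HMAC-based per-user key derivation and the file and user names are assumptions made for the demonstration; a real deployment would hold the master key in a key-management service and derive user keys from an authenticated session, not a bare string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// masterKey is a constructed placeholder. A real deployment keeps this in a
// key-management service or HSM, never in source code.
var masterKey = []byte("constructed-example-master-key-placeholder")

// userKey derives a per-identity AES-256 key from the master key with
// HMAC-SHA256 (an assumed derivation for this example). Binding the key to the
// authenticated identity is what makes the file itself, not just the perimeter,
// enforce who may read it.
func userKey(userID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("file-key:" + userID))
	return mac.Sum(nil) // 32 bytes
}

func newGCM(userID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(userKey(userID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for userID with AES-256-GCM and authenticates the
// file name as associated data. Output layout: nonce || ciphertext || tag.
func Seal(userID, fileName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(userID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(fileName)), nil
}

// Open verifies and decrypts. A different identity, a renamed file or any
// modified byte fails the GCM tag check and returns an error, never plaintext.
func Open(userID, fileName string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(userID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(fileName))
}

func main() {
	// Constructed sample file and identities for the demonstration.
	sealed, err := Seal("alice", "q4-forecast.xlsx", []byte("constructed sample spreadsheet data"))
	if err != nil {
		panic(err)
	}
	_, err = Open("alice", "q4-forecast.xlsx", sealed)
	fmt.Println("owner opens the file:", err == nil)
	_, err = Open("mallory", "q4-forecast.xlsx", sealed)
	fmt.Println("stolen copy opened under another identity:", err == nil)
	_, err = Open("alice", "old-forecast.xlsx", sealed)
	fmt.Println("renamed copy opened by owner:", err == nil)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open("alice", "q4-forecast.xlsx", tampered)
	fmt.Println("tampered copy opened by owner:", err == nil)
}
```

The design point is that the decision to release plaintext is made at the file, per identity, every time it is opened; nothing about the disk, the network path or the perimeter ‘doors’ the data passed through changes that answer. Because encryption cost is the same for every file, there is also no classification step to get wrong.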
Pop quiz: How many phone numbers can you write down from memory? We always used to be able to remember phone numbers – at least a handful. How times have changed.
5. We all stop relying on ordinary people being IT security experts
We will stop relying on individuals to recognise a suspicious link or email attachment. It’s just too easy for a busy, distracted, non-IT person to click on something in an email which releases ransomware across the network. No amount of IT security education will eliminate this risk. Blocking all unauthorised processes is the only way to stop all malware from working.
This won’t happen because…
- IT security training is done. Check.
- Random phishing tests are organised. Check.
- Backups are all on schedule and tested. Check.
So we’ve done all we can to minimise the likelihood and impact of ransomware. Right?
Wrong. Someone sometime will click on something bad, releasing malware. You might not even be aware of it for some time, while it collects and steals all of your data. This is serious, business-busting stuff.
So why not behave like the doorman at the nightclub? ‘If you’re not on the list, you’re not coming in.’
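The doorman’s rule, as an added example of the decision logic behind application allowlisting (example code written for this page, not the author’s code or any product’s): every executable is identified by the SHA-256 digest of its contents, an administrator-approved set of digests is the list, and anything not on it is denied by default, so a never-seen-before binary dropped by an email attachment is refused without anyone having to recognise it as suspicious. The file names, labels and the temporary directory are constructed for the demonstration. The enforcement point in a real deployment is the operating system (for example Windows AppLocker or WDAC, or fapolicyd on Linux); this block shows only the allow/deny decision those mechanisms make.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Allowlist maps the SHA-256 digest of an approved executable to a label.
// The digest, not the path or name, is the key: renaming a binary to look
// like an approved application changes nothing about the decision.
type Allowlist map[string]string

// HashFile returns the hex-encoded SHA-256 digest of a file's contents.
func HashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildAllowlist hashes the executables an administrator has approved.
// approved maps an executable path to a human-readable label.
func BuildAllowlist(approved map[string]string) (Allowlist, error) {
	list := Allowlist{}
	for path, label := range approved {
		digest, err := HashFile(path)
		if err != nil {
			return nil, err
		}
		list[digest] = label
	}
	return list, nil
}

// Decide is the doorman. A binary is allowed only if its digest is on the
// list; anything unknown is denied by default, which is the property that
// stops malware nobody has seen before.
func (a Allowlist) Decide(path string) (allowed bool, reason string, err error) {
	digest, err := HashFile(path)
	if err != nil {
		return false, "", err
	}
	if label, ok := a[digest]; ok {
		return true, label, nil
	}
	return false, "not on list (sha256 " + digest[:12] + "...)", nil
}

func main() {
	// Constructed demonstration: plain files in a temp dir stand in for an
	// approved application and an unknown binary dropped by an attachment.
	dir, err := os.MkdirTemp("", "allowlist-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	approved := filepath.Join(dir, "approved-app")
	unknown := filepath.Join(dir, "invoice.pdf.exe")
	if err := os.WriteFile(approved, []byte("constructed approved binary"), 0o755); err != nil {
		panic(err)
	}
	if err := os.WriteFile(unknown, []byte("constructed unknown binary"), 0o755); err != nil {
		panic(err)
	}
	list, err := BuildAllowlist(map[string]string{approved: "Approved App 1.0"})
	if err != nil {
		panic(err)
	}
	for _, p := range []string{approved, unknown} {
		ok, why, err := list.Decide(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s allowed=%v (%s)\n", filepath.Base(p), ok, why)
	}
}
```

The operational cost of this approach is maintaining the list: every legitimate update changes the digest, so the list has to be refreshed from a trusted build or vendor source as part of change management. That is the trade the ‘doorman’ makes, and it is a far smaller one than relying on every employee to spot the bad attachment.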