In the past 12 months, the IT security industry saw a resurgence in malware, an increase in rogue phishing scams and much more. But with the sun rising on 2021, security pros are turning their attention toward another year of trying to catch up with the bad actors.
In it, they see a future with a threat landscape not all that much different from the present–but with a few changes in scenery.
Ransomware payments will go underground.
Ransomware payouts have increased significantly over the past 12 months, as malware authors continue to innovate and cyber criminals outsource tasks to monetize operations more quickly. To compound this, the Treasury Department recently warned that firms that negotiate with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions. In response, we will see ransomware payments go underground in 2021 and beyond. Companies will take whatever measures necessary to regain access to critical systems and data to keep the business running, regardless of government regulations. —Joe Partlow, CTO, ReliaQuest
The corporate network as we know it will disappear.
Remote work–in some form–will stay. It would be naive of businesses to think that they’ll go back to the old ways of working. IT leaders, therefore, need to address the fact that the concept of a network, as we’ve previously known, will disappear and that company security is now very much in the hands of employees.
So instead of just securing networks and endpoints, CISOs must consider how their 2021 strategy will protect their remote workers, while empowering them to work productively and flexibly. All too often, security solutions can stand in the way of people getting their work done, and they’ll quickly find unsafe workarounds. Companies must make security as flexible as their people in 2021. —Tim Sadler, CEO of Tessian
Hybrid software attacks will spike, especially impacting COVID-19-related sectors.
Year after year, our State of the Software Supply Chain reports show developers continue to download hundreds of millions of vulnerable code components from open source repositories, resulting in supply chain attacks across government, financial and business institutions. The recent Octopus Scanner Malware breach alerted us that attackers were mixing techniques from the ‘90s with modern tooling to recycle older virus-like behaviors in new domains. I predict we’ll see an increase in hybrid attacks on the software supply chain, especially across the healthcare, financial, and political sectors–those most affected by the COVID-19 pandemic. –Brian Fox, CTO of Sonatype
We’ll see a ‘crisis of confidence’ in 2021.
As a digital society, we are facing a privacy reckoning and a crisis of confidence — and we’ll see it come to a head in 2021. The level of data collection by tech companies has reached a new peak, and consumers are losing faith in service providers’ ability to manage their data respectfully. 2021 will be the year that consumers demand more control of their personal data and how it’s used and shared. The identity security industry, specifically, will evolve to address this demand with new ‘personal identity’ frameworks that give consumers control over their identities and which attributes to share with service providers. By allowing people to pick and choose specific data and identity attributes to share with apps, and giving them the capability to validate their identity without revealing more than necessary, we’ll put an end to the status quo of giving up excessive amounts of personal data to do basic tasks in our everyday lives. —Andre Durand, CEO of Ping Identity
Universities will lean more on cyber-savvy students to secure their networks.
The education sector experienced a 30% increase in weekly attacks during the month of August in the run up to the start of new semesters. In 2021, smart and strategic university security teams will prioritize cyber education and empower their students to help monitor breaches and support admins. Most students are already willing to do this for free in order to gain hands-on learning experience, and these security teams need all the help they can get as budgets are cut and cybercriminals target vulnerable education sectors. —Joe Partlow, CTO, ReliaQuest
The biggest threat to personal privacy will be health-care information.
Researchers are rushing to pool resources and data sets to tackle the pandemic, but this new era of openness comes with concerns around privacy, ownership and ethics. Now, you will be asked to share your medical status and contact information, not just with your doctors, but everywhere you go, from workplaces to gyms to restaurants. Your personal health information is being put in the hands of businesses that may not know how to safeguard it. In 2021, cybercriminals will capitalize on rapid U.S. telehealth adoption. Sharing this information will have major privacy implications that span beyond keeping medical data safe from cybercriminals to wider ethics issues and insurance implications. —Joe Partlow, CTO, ReliaQuest
5G will open the floodgates in 2021.
In 2021, 5G will bring boundless opportunity, both in introducing new ways to connect and elevating the standard for securing disparate infrastructure. Once 5G is widely available, the floodgates will open, and both the white hats and black hats of the world will experience a swift learning curve in navigating the mass distribution and interconnectivity of 5G. The profound speed and reach will connect businesses more than ever before, which translates to dangerous ripple effects of a successful attack.
5G will revolutionize the security landscape. More devices will be brought online than ever before and we will see more convergence among IT and OT as the environments collide. To avoid creating an attacker’s advantage, the market will learn lessons from cloud adoption and embrace a shared risk responsibility. As data continuously flows through potentially vulnerable 5G infrastructure, this will be essential to build holistic security to close the exposure gap. In order to combat new and emerging threats, this will require both users and service providers to lock arms to prioritize security measures and build an ecosystem of trusted vendors. —Glen Pendley, deputy CTO at Tenable
Account takeover will lead CISOs to implement a zero-trust model for email.
Account takeover will surge as attackers further advance their phishing techniques in 2021 and make their scams more convincing.
While many companies have done an okay job educating their employees on how to spot a phishing email over the past year, people receiving these fraudulent emails will likely have no idea that the person in their trusted network has been compromised. The emails appear genuine, come from a trusted contact and pass authentication. Why would someone question it?
As such, account takeover will erode people’s trust in email in 2021, and render IT teams powerless in stopping people from falling for the scams. Businesses, therefore, need to recognize threats from their extended networks and adopt a zero-trust model of email security to quickly and accurately detect incidents of ATO. —Tim Sadler, CEO of Tessian
CISOs will rely on automation to offset impacts of the pandemic.
The sudden switch to remote work after Coronavirus lockdowns has blurred the boundaries between work and home for millions of people worldwide. Almost a year in, IT and security teams are still scrambling to secure remote workforces, and we’ll see more breaches and information disclosures as a result. In 2021, CISOs must rely on better automation to fill the gaps. While more automation does not mean more tools, they must embrace key concepts to offset budget loss and keep the team moving while resources are limited. –Joe Partlow, CTO, ReliaQuest
Gen Z will close the cyber skills gap in 2021.
Generations Z and Alpha are arguably the most tech-savvy of any generation before them. Ninety-five percent of 13- to 17-year-old Gen Zers have access to a smartphone and 51% of Gen Alpha want a job where they can use technology to make a difference. Many of them grew up with the latest and greatest technology within arm’s reach. While no one could have anticipated it, this has actually greatly benefited them during the unprecedented shift to remote learning. I suspect this virtual crash course in all things technology will bring about a more cyber-conscious generation that will understand and appreciate technology on a deeper level. The coming year will offer valuable cyber skill sets to mold the future of our workforce and, hopefully, close the cyber skills gap.
We should take this as an opportunity to meet the skills gap challenge head-on by bringing cybersecurity into classrooms as early as possible. This means ensuring we’re not only making cybersecurity accessible to all students, but actively encouraging boys and girls, especially students of color, from all walks of life to pursue the field. The security challenges of tomorrow cannot be solved in a vacuum and will require diversity of thought and experience to truly be effective. —Renaud Deraison, CTO of Tenable
The Top Three Security Threats in 2021:
- Botnets pose the single largest security threat in 2021. It’s not a stretch to assume that just about any individual or organization can be taken down considering the size of some of the botnets we’ve seen recently. For example, earlier in 2020 we saw what has been attributed to the Fancy Bear or APT28 botnet shut down trading on the New Zealand stock exchange for four straight days, despite highly collaborative public and private defense efforts that escalated with each impacted day. We will continue to see highly detrimental botnet attacks, such as the stock exchange attack, but likely ever more focused on supply chain weaknesses exposed by the pandemic. In parallel, we will see botnets continue to grow exponentially through the exploitation of consumer devices. As bad actors are more than aware of the changes in remote work, the same compromised devices in the home that have been added to botnets (TVs, modems, smart lighting, etc.) will be used to exfiltrate data from consumer networks. Why? It’s more likely than ever that information stolen from consumer networks can be used to break into the larger prize: enterprises and governments. —Curtis Simpson, CISO of Armis
- We will see more ransom-based attacks in 2021, particularly in OT environments. Most OT security practitioners are just starting to understand the risks they’re up against and build strategies around them. The attack patterns from the last year are consistent and we can expect to see more of them—especially in the energy industry. The worst-case scenario is a widespread power grid outage that impacts a large part of the U.S., which I don’t believe is all that far-fetched. With recent vulnerability disclosures in protection measures harkening back to Stuxnet and Triton and corresponding warnings from intelligence agencies, there are even concerns that some adversaries are truly focused on arming themselves with destructive capabilities that can do material damage to companies and nations. –Curtis Simpson, CISO of Armis
- We will see an uptick in attacks targeting health-care. We saw the devastating success of such attacks in 2020; the fact that they’re working combined with the reality that health-care practitioners are delivering more tech-enabled services to patients than ever before, means unfortunately we can expect to see more damaging attacks in 2021. –Curtis Simpson, CISO of Armis
The mere thought of federal regulations will drive self-governance across the developer landscape.
I predict we will see an increase in talks about heightened regulations, but the wheels of government move slowly so it will be several years until we actually see new policies form. However, the very threat of federal regulations is enough to motivate developers/businesses to come up with their own forms of self-governance. Government regulations tend to blanket everything so I predict we will see the developer industry implement standards themselves so as to avoid any government involvement. –Brian Fox, CTO of Sonatype
More passwordless security on the way.
In 2021, more and more companies will transition their consumers to a passwordless experience. This trend will pressure others to invest in smoother customer user experiences just to keep up.
Zero trust went from a buzzword to a strategy in 2020. In 2021, this will accelerate, with CISOs creating their own zero trust strategies, instead of adopting them from vendors. We will also see a number of high profile breaches due to unsecured integrations to business critical SaaS apps. Security focus will turn in that direction to try to counteract that. Additionally, based on the continued decline of malware over the past five years (2020 VDBIR), attackers will be pushed to more sophisticated attacks to defeat MFA. Enhanced authentication techniques will be critical against that threat.
Following the impacts of ransomware in 2020, the combined efforts between government and industry over the next year will significantly decrease the effectiveness of ransomware attacks. The Biden administration will work with Congress to enact laws to regulate technology companies in the areas of privacy, content moderation and encryption. —Robb Reck, CISO of Ping Identity
More data breaches coming involving health-care data.
In 2021, we will start to see the rise of customized healthcare, with companies offering custom benefits plans that use data science to unlock personalized healthcare and reduce costs. Because of this and consumer demand, we’ll also see an increase in cost transparency in healthcare. Eventually, I believe we will reach a more collaborative approach to public health, and a more streamlined FDA process – particularly as we continue to see more tech companies getting into public health, e.g. Amazon Halo. However, due to this evolution, I also anticipate we’ll see more data breaches involving consumer healthcare and insurance data, especially as the CURES Act mandates open API.
Over the next year, we’ll see a greater focus on securing remote workers using modern tools, particularly as companies begin to move farther away from centralized command and control. However, I also think we’ll encounter a backlash against remote work and learning (like we’ve already seen with university and high-school students) as creativity and innovation decline. The key to preventing this is continuing to refine technologies like SSO that offer a seamless user experience.
I anticipate we’ll see more innovation in fintech under the new administration, such as digital currency and digital identity. The relief effort under the pandemic highlighted the broken system of identification and payment distribution. It can be fixed with a digital-first approach. —Baber Amin, CTO West of Ping Identity