Cybersecurity trends and predictions for 2021, and reflections on 2020
Well, 2020 was surely a year to remember—or one that most of us will want to forget. No one could have predicted the turn it would take, and some are still trying to decide what to do with all the toilet paper they bought (which at some point was possibly one of the highest valued assets people owned second to bitcoin.)
The year was likely a gap year for most kids and university students. The travel and tourism industry almost disappeared, and the healthcare industry became a vital backbone in many societies. The one thing many employees will now have a lot of is unused vacation days.
We had a company kickoff and started executing our planned cybersecurity events and activities . . .
The year started off well and appeared to be typical. My calendar was filled with routine cybersecurity events and corporate activities. We had a company kickoff and started executing our plans. I was looking forward to seeing my colleagues throughout the year. As an employee who has worked remotely for more than 10 years, I get excited about catching up with my industry peers and discussing how to save the world from cyber threats, or just having some good coffee and figuring out how to get people to choose smarter passwords.
The pandemic shock
Then, the pandemic hit, and society changed for the foreseeable future. It was like something you only see in the movies. COVID-19 spread from country to country with no clear plan in place to control or prevent it. There was no vaccine in sight; most countries’ only approach to minimize the spread and death rate was to limit social interaction and try to ease the pressure on hospitals.
As the scale of the pandemic unfolded and the reality of it hit us, shop shelves emptied. Masks, hand sanitizer, food, and toilet paper disappeared. Society prepared for a long haul of isolation. It occurred to me that COVID-19 and computer viruses have something in common—they don’t care about age, gender, race, politics, or borders. They are equal opportunity attackers.
It quickly became apparent that working remotely in a pandemic is not the same as working remotely
My experience with the pandemic echoed that of many cybersecurity professionals: all my travel plans were thrown up in the air as flights got canceled or rescheduled. At Delinea we quickly adopted online digital events and continued to educate organizations on the importance of managing privileged access. Luckily, my experience in working remotely helped me adapt quickly. Though it quickly became apparent that working remotely in a pandemic is not the same as working remotely.
Working remotely in a crisis
Working remotely in the midst of a pandemic is something almost all of us got to experience in 2020. Organizations simply closed offices and enabled employees to work from home. But as I mentioned, it’s very different working from home during a pandemic. Everyone else in the family is also at home and laying claim to different parts of the house for their new “office.”
Many employees had never worked from home before and took time to adjust. I believe we have always been moving towards working remotely, but not at the speed and scale we have just witnessed. And mostly focused on high health-risk jobs such as mining, construction, or firefighting. Advancements in technology have enabled employees to perform those jobs using augmented reality and connected devices. Read more about this concept in my blog: Cybersecurity and the Future of Connected Devices.
Businesses that had stayed with on-premise solutions struggled to meet the new needs of employees
As organizations rushed to support the massive increase in employees taking their laptops and desktops home, their infrastructure was truly put to the test—would it be able to support the huge volume increase? Cloud was surely an area that helped many companies quickly adjust by simply increasing their compute workloads and licenses. Businesses that had stayed with on-premise solutions struggled to meet the new needs of employees. Solutions that supported remote access and security got priority.
Company devices that had never left the organization’s managed network were taken home by employees. Once kept safely behind firewalls, IDS, DMZs, and set up with security solutions that kept cyber criminals from attacking them, these devices were now vulnerable as those solutions were no longer fully effective.
Laptops going into the wild public internet now relied on Endpoint Protection solutions to keep them safe. Most were going to be plugged into employees’ home networks (many of which still have default credentials and security disabled leaving them exposed to cyber criminals looking to take advantage of those systems.)
A great increase in exposed Remote Desktop Protocol (RDP) ports could be found via Shodan, a search engine for the Internet of Things. Another serious risk was that many of those employees’ devices held sensitive data, applications, and privileges that if compromised by cyber criminals could provide easy access to laterally move inside the corporate networks.
In 2020, remote working meant that cybersecurity needed to start at the endpoint, and with the employee who worked on the frontline. And this meant that strong cybersecurity awareness training was essential in preparing the employee to be a stronger defense. Privileged access security was critical to protect access to data, applications, and systems, and active endpoint security to control what gets executed on the device.
The society of everything online
Yes, during the COVID-19 pandemic we saw many activities move online. With events being canceled or moved to virtual and digital, we’ve had to embrace online environments. I can’t remember how many different collaboration platforms and conference solutions I’ve used this year. In a typical year, I would likely attend somewhere around 40 in-person events, but in this new digital world, this has increased to 80+ online events. At home, Zoom parties have kept everyone connected, while arts and entertainment programs have kept us entertained through the crisis.
One thing I am sure of is that society finds a way forward, and people are creative in finding awesome solutions. With massive job losses and new mental health challenges, we have to find a way to support each other through this challenging environment. It’s time to go above and beyond and look out for one another, especially those at home alone. Take the time each week to give a video call and have a chat with someone.
Cloud security accelerates
Organizations that have rushed to enable remote working have discovered the benefits of leveraging cloud solutions that enable quick touchless deployments. With supply chains constrained and restrictions coming to the office or data center, organizations have turned to cloud solutions that can be deployed without the dependencies that traditional on-premise solutions bring. Some organizations have been reserved about choosing cloud security solutions while others have embraced the cloud with a cloud-first strategy. As working remotely becomes the norm—cloud security becomes the enabler.
Learn more in my digital book on Privileged Access Cloud Security.
The 2020 US elections replaced COVID-19 in the media for at least a short time. With all the focus on mail-in voting, and prior to the election, on the security of the election, one of the most-asked questions was “Could nation-states or cyber criminals influence the outcome?”
The prospect of cyberattackers gaining access to the infrastructure, machines, and firmware used to cast and count votes is always a concern. And there are multiple areas of the election process that cyber criminals can target to influence election results, not just hacking the outcome of the vote but ultimately hacking democracy.
That said, while there’s still a long way to go when it comes to election security and transparency it’s important to acknowledge the positive changes that have taken place in recent years. The regulations implemented by social platforms that flag and prevent the spread of false political statements, or “fake news”, are a step in the right direction. The public reporting of malicious and ransomware attacks—both related and non-related to the election—has also helped improve transparency and awareness levels.
A key change that still needs to be made: improving the level of confidence that voters have in the security and accuracy of the voter system. This negative perception may lead to an increase in non-voters. The worst potential outcome of this or any election, and the ultimate hack, is to create distrust in the voting system so that fewer voters will participate. So, it’s of the utmost importance that the government rebuild the trust in a democracy that has been eroded in recent years due to foreign hacking influence.
2021 Cybersecurity predictions: What cybersecurity trends will the industry embrace?
The first rule of 2021 is to never talk about 2020. Rather, let’s look forward to new cybersecurity trends that will benefit us in 2021 and the future.
Prediction 1. Cloud security will become the first-choice security strategy
One of the latest trends in cybersecurity will carry over into 2021: organizations around the world will not only continue with a cloud-first strategy but that will now include a cloud-first choice security strategy. As organizations gain more experience in remote working using cloud solutions, and with many planning to enable employees to work remotely permanently, cloud security will be key to enabling those employees to access business applications using privileged cloud access.
Prediction 2. Every user will become a privileged user
It used to be that privileged access was all about the domain administrator or the root account (sometimes referred to as the “Keys to the Kingdom”.) Though as we know, many data breaches have not been about compromised domain accounts but rather about privileged accounts held by employees who have access to privileged data.
Privileged access has now expanded to almost all employees. Every user is now becoming a privileged user, not because of the authorization of the account they are provisioned with but the access to sensitive data. Not all privileged access is equal, and therefore organizations must take a risk-based approach and apply the appropriate security controls to each user based on the privileged access they have to privileged data.
Prediction 3. Passwords will move into the background
You’ve heard about a password-less world, though in reality that is a bit misleading. Passwords are not disappearing. However, they are moving into the background, hidden from users, or replaced with Biometrics, PINs, Behavior Analytics, and Multifactor Authentication. Users will have less need to interact with passwords.
Passwords will still exist, but they will be hidden from the view of the user and authentication will occur behind the scenes. As we move away from having employees choose and change complex passwords and towards letting password managers or privileged access security solutions do that task for them, we will make security a positive experience and reduce one of the biggest causes of cyber fatigue: choosing your next complex, long, strong password.
Why not start a trial of Delinea's Secret Server right now and help reduce password fatigue in your organization?
Prediction 4. Ransomware will still be the biggest threat and financial risk
Organizations should be concerned about ransomware. It’s the biggest cybersecurity challenge and the threat they face. They must prioritize investment in security solutions that help reduce the risks, and they must create and test a solid cyber incident response process to help ensure the business is resilient to high-risk attacks.
Companies have to worry about more than just getting their data back—they also worry about it getting shared publicly
I predict that ransomware will continue to evolve. It’s becoming not just a security incident but also a data breach with more organized cyber crime groups stealing the data before they encrypt it. This means that companies now not only have to worry about getting their data back—they also worry about it getting shared publicly. Ransomware has proven to be unethical in every way and will target anyone, any company, and any government agency, including hospitals and transportation industries. And at a time when they are already under extreme pressure.
Prediction 5. Data privacy will, and already is, becoming a Digital Rights Management issue
Citizens’ privacy will still be under the spotlight in 2021. Regulations will continue to put pressure on companies to provide adequate cybersecurity measures and follow the principle of least privilege to protect the data they have been entitled to collect or process.
I believe the big question, when it comes to data privacy, is “How is citizens’ data being used, collected, and processed?”
Ultimately data privacy will evolve into Data Rights Management. It will become more about how the personal data will be used, and what monetarization is resulting from the data.