2020 has left many in the cybersecurity community feeling a little dazed. Almost overnight, business models and working practices were abruptly reconfigured and all available IT management staff were enlisted to help out. As the months wore on, new threats emerged and the realization slowly dawned that this was a reality all of us will have to live with for some time. So as we begin 2021, locked down again, what should security leaders’ New Year resolutions be?
While there will be no let up as threats continue to target remote workers and IT infrastructure, there is some reason for optimism. Unlike last year, we’re all getting more familiar with living and working under the shadow of a pandemic. That should make things easier as security leaders prioritize training and tools to support the business and minimize cyber risk.
New year, same old threats
It might be a new year but in many ways organizations will see the same old cyber-threats in 2021. That means data theft and ransomware — often in the same attack — as well as Business Email Compromise (BEC), banking Trojans, coin-mining malware and the other usual suspects. The scale of the threat is remarkable. Trend Micro blocked over 27.8 billion unique threats in the first half of 2020 alone, the majority of which were email borne. While most of these can be linked to automated, commodity attacks, it’s arguably the ones that are more targeted and customized that present the biggest threat to your bottom line and corporate reputation.
Some sectors may be hit harder than others this year, as cyber-criminals always go after the low-hanging fruit first: opportunities to generate maximum ROI from attacks. Thus, as consumers continue to flood online, industries like retail and gaming could be put under increasing strain — especially if newly minted applications are released containing vulnerabilities. Similarly, with hospitals under maximum pressure to cope with an influx of COVID-19 patients, at least until later in the year, expect more ransomware attacks.
As depressing as it is to think about, it’s likely to be many months before life starts to return to a semblance of pre-pandemic normal. This will depend on how effective vaccines are against new strains, how quickly the population can be inoculated, and how businesses react. It’s safe to say that the future will involve at least more remote working than before, and probably a lot more.
That means threat actors will continue to target the perceived weakest security link of home workers and remote working infrastructure. Phishing has been an ever-present over the past decade and COVID-themed lures will continue in 2021. As we found out last year, many home workers may be making the bad guys’ job even easier through risky behavior like uploading corporate data to non-work apps and using potentially unprotected personal devices for work.
Human error doesn’t just mean falling for phishing attacks. It also means cloud infrastructure that is misconfigured, allowing cyber-criminals to find exposed data via a simple IP scan. It could extend to patching failures that leave VPNs and other remote working infrastructure exposed, or RDP servers protected only with weak and/or previously breached passwords. We have to be at the top of our game in 2021 because there are signs that the cybercrime community is increasingly capable of using APT-style tactics to steal data and deploy ransomware. Think “living off the land” techniques, use of pen testing tools like Cobalt Strike and swift exploitation of vulnerabilities in SaaS platforms.
Your 2021 security strategy starts here
That might seem like a lot to take in. But at least this year we know where we stand. Many of these TTPs were trailed last year, and widely publicized. In addition, with remote working the new norm, there should now be more bandwidth for IT security staff to help out. If you haven’t already, carry out a cyber risk assessment to find out where your weaknesses are now, and develop a plan for addressing them.
The approach you take will depend on your organization’s risk appetite, which industry it plays in and the maturity of your current security posture. However, any New Year’s resolution will surely include user training and awareness raising. This really needs to be a continuous program, featuring real-world phishing and BEC simulations, regularly communicated to staff in bite-sized chunks. Adapt training sessions according to the latest phishing campaigns, and ensure your tools offer detailed feedback on individuals so you can focus on the weakest employees. Don’t forget that everyone from the CEO down must attend, including temps and contractors. It only takes one misplaced click to land the organization in trouble.
Zero trust comes of age
Another approach that will become increasingly popular over the coming year will be zero trust. In a world of distributed working, mobile devices and SaaS applications, it’s all about the notion of: “never trust, always verify”. Focus your efforts on authenticating users with multi-factor tools (MFA), and deploy micro-segmentation inside the network to restrict access to resources. This approach also ties in nicely with cloud-based secure access service edge (SASE) tools to give security teams visibility into all inbound and outbound traffic.
The risks associated with a distributed workforce also demand cloud-based security and endpoint management tools for maximum flexibility, visibility and control. Threat detection and response is becoming particularly important, especially solutions featuring AI to help under pressure security teams prioritize how they deal with sophisticated incoming attacks. In fact, AI will continue to make the lives of security professionals easier by spotting suspicious patterns in network traffic that humans might miss, detecting anomalous writing styles in BEC emails, and adding automation to detection and remediation. Suggestions that the technology could completely replace humans in cybersecurity by 2030 are overblown. But security leaders will need to keep a close eye on malicious use of the technology going forward. Unfortunately, the cyber arms race will only intensify in 2021.