When looking ahead at the future of cyber security, there’s one major caveat to keep in mind: it could all change in a moment.
We’ve explored how cyber security has changed in 2020, top threats in 2021, and even security trends smaller businesses should watch for in 2022, and now it’s time to look further ahead. In this blog, Field Effect’s experienced analysts share their thoughts on what the future of cyber security may look like.
What cyber security threats will remain an issue?
Certain attack tactics are bound to stick around — and that’s because they work. These are the threats that our experts believe still pose a serious cyber security risk.
Threats facing remote work and distracted workers
The most apparent cyber security challenge in 2021 revolves around remote work. With many COVID-19 mandates still in effect, remote work (and the cyber risks it brings) will remain prevalent.
Malicious actors look for vulnerable or misconfigured systems that connect to the internet — a much easier task after companies encouraged remote work due to pandemic concerns.
“The biggest cyber security trend this year is the shift toward working at home,” says Ernie Sherman, a Field Effect partner and the President of Fuelled Networks, a managed IT and security services provider that helps companies plan, manage, and align these services with their customers’ business strategies.
“The challenge this brings is that we can no longer assume that corporate resources are protected by perimeter security; we need to adopt a zero-trust model and assume that corporate resources and unsecured devices are sharing the same space and need to be secured accordingly.”
Cyber criminals have also been taking advantage of preoccupied or distracted remote workers and may continue to do so.
Highly targeted cyber attacks
Nearly everyone was stuck at home with more free time over the past couple years — including the bad guys. While the majority used that time to get in shape, learn a skill, or catch up on movies, some spent it researching new attack targets.
Because of the growing cyber-crime-as-a-service (CaaS) economy, cyber attackers can now rent or buy tools for an attack. This has freed up time to research and strategically target companies more likely to pay ransom or otherwise provide better return on investment.
With regulations like the General Data Privacy Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), and California Consumer Privacy Act (CCPA) now in full force, data breach victims may face fines. Attackers are exploiting this, adjusting ransom demands accordingly to make paying up more appealing than paying the regulatory penalty.
Abuse of open-source and legitimate software and tools
Dual-use tools are continuously supported and developed by legitimate penetration testing communities and thus prove effective for a variety of complex attacks that would otherwise take years to develop and test. Several recent leaks of major malware that took years and millions of dollars to develop have proven that off-the-shelf tools are often more cost-effective and are easier to hide in the noise of network activity.
Ongoing disinformation campaigns
The past two decades have revealed a growing demand for information. Widespread adoption of social networking sites and applications have given users everywhere a way to access news and a wide variety of content — but they’ve also made it easier for malicious actors to exploit this need for information.
These actors manipulate content, images, and videos to pursue their political agenda. Deepfakes, bots on social media, and other tactics are frequently used to spread false information or otherwise influence opinion.
What’s coming next for the cyber security industry?
Cyber security spending is unlikely to slow down any time soon. The rise in cyber attacks, especially ransomware, has fuelled the cyber insurance market. GlobalData, a leader in data and analytics, predicted that the industry would hit $8.92 billion in 2021 and more than double to $20.6 billion by 2025.
Cyber security roles likely to remain unfilled
The cyber security talent gap has long been a topic of discussion within the industry, and it’s likely to remain a challenge. ISACA (Information Systems Audit and Control Association) surveyed 2000+ cyber security professionals and found that 62% had understaffed infosec teams and 57% had unfilled positions.
Even with the budget to hire experienced staff, the demand for talent still far exceeds supply. Labour market data company Emsi recently analyzed cyber security job postings and found that for every 100 openings, there were fewer than 50 qualified candidates.
What are the top cyber security trends?
There are a growing number of trends and potential threats that businesses should keep an eye on, regardless of size or industry.
Cyber crime-as-a-service (CaaS)
The cyber crime-as-a-service economy puts the accumulated knowledge and tools of thousands, if not millions, of hackers and cyber criminals at the fingertips of an individual attacker. This makes it easy for inexperienced hackers to rapidly stage complex attacks. CaaS marketplaces continue to operate despite several major takedowns by law enforcement agencies as malicious actors adapt their tactics and techniques to stay under the radar.
Malware attacks are increasingly automated, continuing a recent trend that has forced the cyber security industry to catch up. Security experts are no longer dealing with lone hackers testing their skills with hard-to-execute attacks. Now, hackers can use a machine to automate cyber crime activities, letting them execute thousands of attacks a day. Ransomware is becoming so common that only the largest attacks seem to garner any media attention.
A greater number of malware variants now contain polymorphic characteristics, which means they constantly change their identifiable features to better hide from security teams and common detection techniques. Many CaaS offerings contain some element of code that can mutate so it can remain hidden.
Third-party risks and threats
As companies continue to ramp up their efforts and adopt digital technologies, many turn to third parties, outsourcing some IT and security support needs. As we’ve discussed before, reliance on third parties increases cyber security risks, especially for companies that do not have a strategy in place for managing these risks.
The human element
The one constant in cyber security is the human element. As Matt Holland, Field Effect’s Founder, CEO, and CTO commented on a recent podcast appearance, “The human element is often the problem the large majority of the time, be it clicking on a link or misconfiguring a network, and that is something I think goes understated.” Humans are always present in technology at some point, whether developing, configuring, or simply using it — and humans make mistakes. Education, training, and vigilance are necessary to help reduce the likelihood of a mistake having a serious impact.
Long-term cyber security concerns to consider
Looking past 2021, there are a few threats and trends that may make up the future of cyber security:
Growing use of internet-of-things (IoT)
In the next five years, the use of IoT technology will increase as more people use it in their day-to-day lives. According to data from IoT Analytics, there were 10 billion connected devices in 2019 and we could see that triple to 30.9 billion by 2025. For added context, 2019 was also the year that the number of IoT connections outpaced that of non-IoT.
Despite connecting to networks and other devices that access highly sensitive information, IoT devices continue to have relatively weak security controls. Many businesses already struggle to provide the added defence measures that will keep these devices (and everything they’re connected to) secure.
Focus on social engineering techniques
In five years, internet communications will likely become more secure — especially with the potential rise of quantum networks which will make network-based threats less relevant.
One ongoing challenge is that of human error. Intentionally or not, employees will still enable data loss and attackers will still rely on social engineering tricks such as phishing and business email compromise.
The changing shape of financial fraud
Payment modernization means that financial transactions may become almost entirely digital, requiring support from various platforms and methods.
These platforms will likely be less centralized, and regulations will take time to catch up. This will expand the threat surface for financial institutions and tools, resulting in more fraud-oriented security solutions focused on digital currencies, the blockchain, and real-time payment security.
Difficulty prosecuting cyber crime
Despite a growing number of countries prioritizing cyber security, a lack of attributable data for criminal acts conducted online may make it hard for law enforcement to prosecute cyber criminals.
A shortage of cyber security professionals will also contribute to this challenge, making it harder to proactively find cyber threats.
The future of cyber security and threat detection
Looking ahead, a few themes around the future of cyber security appear.
For one, a greater focus on prevention and preparedness will be vital. Response planning for a security incident or data breach is necessary. Incident preparedness and response playbooks will likely become more commonplace. Employee training at every level will mitigate the role of human error.
And as regulatory concerns become more urgent, ensuring cyber security programs are robust enough to pass muster during audits or compliance assessments will likely be top of mind.
Businesses may want to focus first and foremost on how they can secure their business today. Building a strong foundation of good cyber security habits and best practices is necessary as attacks continue to evolve.
It’s hard to look at the calendar and make predictions about what the future will hold, especially in an industry as complex and fast-paced as cyber security. But by taking the time now to build that baseline, you can set your business up for lasting success as changes arise and new threats appear — whatever they may be.
What’s next for cyber security?
Find out what’s in store for cyber security — including emerging trends, insights, and predictions from the experts at Field Effect — in our eBook, The State of Cyber Security.
Updated: December 24, 2021