Dealing with uncertainty and unpredictability in an ever-changing industry
When looking ahead at the future of cyber security, there’s one major caveat to keep in mind: it could all change in a moment.
No matter the industry, January is always a time of reflection and prediction. Looking back on what happened in the year that was and ahead to the year to come is always an interesting exercise, but making accurate predictions about what could be happening in a year, let alone five, is not always easy in the cyber security field.
Technology, threats, and defences are always changing and evolving. While we’ve already explored some of the top threats to keep an eye on in 2021 and how the field changed in 2020, we haven’t looked too far ahead. That constant change and the uncertainty it brings make long-term predictions difficult.
The team of cyber security analysts here at Field Effect took some time to share their thoughts on the threats they’re already seeing in 2021, what the year may have in store, and other insights and comments on what the future of cyber security might look like. The following represents a few of our team’s predictions about what the future may hold, based on current information.
What immediate threats continue to be challenges in 2021?
It’s a new year, but that doesn’t mean that old threats won’t be a concern. Far from it. Field Effect’s security analysts have already identified major challenges and issues from past years that are still posing serious challenges for organizations everywhere.
Continued threats facing remote work and distracted workers
The most immediate and apparent threat in 2021 is the continued risk introduced by increasingly remote work. With no immediate end in sight for the global coronavirus pandemic, remote work will continue through the year, in turn giving cyber criminals another potential attack vector.
Malicious actors are always on the lookout for vulnerable or misconfigured systems that connect to the internet. The number of these systems has increased drastically over the last twelve months as more companies push to enable work-from-home policies in response to health and safety concerns. Unfortunately, outside the office, cyber security gets even harder, not only because of varying home office security but also because of a more distracted workforce.
“The biggest cyber security trend this year is the shift towards working at home,” says Ernie Sherman, a Field Effect partner and President of Fuelled Networks, a managed IT and security services provider that helps companies plan, manage, and align these services with their customers’ business strategies.
“The challenge this brings is that we can no longer assume that corporate resources are protected by perimeter security; we need to adopt a zero-trust model and assume that corporate resources and unsecured devices are sharing the same space and need to be secured accordingly.”
What’s more, cyber attacks on remote workers have a greater chance of succeeding because of how preoccupied and distracted employees are. Attackers are taking advantage of this reduced vigilance and will likely continue to do so.
Highly targeted cyber attacks
Nearly everyone was stuck at home with more free time in 2020 — including the bad guys. While many people used that time to get in shape, learn how to bake bread, or catch up on their favourite TV shows and movies, many attackers spent that time researching potential targets. Reports on zero-days spiked accordingly.
What’s more, most of the tools used by hackers are outsourced: attackers leverage the growing cyber-crime-as-a-service (CaaS) economy to rent or buy the tools and information they need to stage an attack. From there, they can target companies that are more likely to pay or provide a higher return-on-investment.
With enforcement of regulations like the European Union’s General Data Privacy Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA) now in full force, a data breach or ransomware attack is subject to fines. Attackers have adjusted their extortion prices accordingly to make paying up more appealing than paying a fine.
Abuse of open-source and legitimate software and tools
Dual-use tools are continuously supported and developed by legitimate penetration testing communities and thus prove effective for a variety of complex attacks that would otherwise take years to develop and test. Several recent leaks of major malware that took years and millions of dollars to develop have proven that off-the-shelf tools are often more cost-effective and are easier to hide in the noise of network activity.
Ongoing disinformation campaigns
The past two decades have revealed a growing demand for information. Widespread adoption of social networking sites and applications has given users everywhere a way to access news and a wide variety of content — but it has also made it easier for malicious actors to exploit this need for information.
These actors manipulate content, images, and videos to pursue their political agenda. Deepfakes, bots on social media, and other tactics are frequently used to spread false information or otherwise influence opinion.
What trends should businesses be aware of in 2021?
As 2021 continues, there are a growing number of trends and potential threats that businesses should keep an eye on, regardless of size or industry.
Cyber crime-as-a-service (CaaS)
The cyber crime-as-a-service economy puts the accumulated knowledge and tools of thousands, if not millions, of hackers and cyber criminals at the fingertips of an individual attacker. This makes it easy for inexperienced hackers to rapidly stage complex attacks. CaaS marketplaces continue to operate despite several major takedowns by law enforcement agencies as malicious actors adapt their tactics and techniques to stay under the radar.
Malware attacks are increasingly automated, continuing a recent trend that has forced the cyber security industry to catch up. Security experts are no longer dealing with lone hackers testing their skills with hard-to-execute attacks. Now, hackers can use a machine to automate cyber crime activities, letting them execute thousands of attacks a day. Ransomware attacks are becoming so common that they rarely warrant news anymore.
A greater number of malware variants now contain polymorphic characteristics, which means they constantly change their identifiable features to better hide from security teams and common detection techniques. Many CaaS offerings contain some element of code that can mutate so it can remain hidden.
Third-party risks and threats
As companies continue to ramp up their efforts and adopt digital technologies, many turn to third parties, outsourcing some IT and security support needs. As we’ve discussed before, reliance on third parties increases cyber security risks, especially for companies that do not have a strategy in place for managing these risks.
The human element
The one constant in cyber security is the human element. As Matt Holland, Field Effect’s Founder, CEO, and CTO, commented on a recent podcast appearance, “The human element is often the problem the large majority of the time, be it clicking on a link or misconfiguring a network, and that is something I think goes understated.” Humans are always present in technology at some point, whether developing, configuring, or simply using it — and humans make mistakes. Education, training, and vigilance are necessary to help reduce the likelihood of a mistake having a serious impact.
Long-term threats and concerns to keep in mind
Looking past 2021, there are a few threats and trends that will likely play a bigger role:
- Growing use of internet-of-things (IoT): The world continues to become increasingly connected. In the next five years, the use of IoT technology will likely increase as more people use it in their day-to-day lives. Effectively securing IoT devices can be challenging, and many businesses are already facing these challenges as IoT devices with weak security controls are most often used on networks that also connect to devices with highly sensitive information.
- Focus on social engineering techniques: Security solutions are more robust than ever before — but as discussed above, the human element is unavoidable. In five years, internet communications will likely become more secure, especially with the expected global adoption of quantum networks, which will make network-based threats less relevant. But the challenge remains one of human error, as (intentionally or not) users will still enable data loss, and attackers will still be able to exploit a variety of social engineering tricks.
- The changing shape of financial fraud: Payment modernization means that financial transactions may become almost entirely digital, bringing a diversity of platforms and methods for conducting transactions. These platforms will likely be less centralized, and regulations will take time to catch up. This will expand the threat surface for financial institutions and platforms, resulting in more fraud-oriented security solutions that focus on digital currencies, the blockchain, and real-time payment security.
- Difficulty prosecuting cyber crime: Even with a growing number of countries taking a greater role in regulating data privacy and cyber security, it’s likely that a lack of attributable data for criminal acts conducted online will make it harder for law enforcement to identify and prosecute cyber criminals. A shortage of cyber security professionals will also contribute, making it harder to identify growing cyber threats.
The future of cyber security and threat detection
Looking ahead, a few themes around the future of cyber security emerge.
For one, a greater focus on prevention and preparedness will be vital. If the last year has taught us anything, it’s that response planning for an incident, data breach, or other security event is absolutely vital. Preparedness and response playbooks will likely become more commonplace in the face of reduced predictability. Employee training at every level will go hand-in-hand to help mitigate the role of human error.
And as privacy and regulatory concerns become more urgent with the introduction of privacy law enforcement, ensuring cyber security programs are robust enough to pass muster during audits or compliance exercises will likely be another top-of-mind concern.
With all this in mind, businesses should focus first and foremost on how they can secure their business now. Building a strong foundation comprised of good cyber security habits and best practices is vital as attacks and threats evolve.
It’s hard to take a look at the calendar and make predictions about what the future will hold, especially in an industry as complex and fast-paced as cyber security. But by taking the time now to build that baseline, you can set your business up for lasting success as changes arise and new threats emerge — whatever they may be.