Predictions are often a dangerous endeavour. A year ago, the person writing this article could not have predicted what 2020 had in store. In cybersecurity, the wholesale shift from the physical workplace to the virtual workspace has changed everything in unexpected ways.
To offer only one example: communication tools like Slack and Teams have become a serious threat vector on a scale never seen before.
It looks like 2021 should be more predictable, however. Vaccines will be rolled out, and the lessons learned this year in cybersecurity will continue to prove useful.
With this in mind, what can we expect from cybersecurity next year? What patterns might we see? What changes should companies prepare for? I have identified three answers to these questions:
- Through social engineering, cyber-attacks will become more personalised.
- As cybercrime worsens, companies will remain highly paranoid.
- Finally, the password will begin to die out as a primary security layer.
Cybercrime's Growing Personalization
In B2C consumer products, personalization is all the rage. It is also a strategy that bad actors are gradually adopting, primarily through social engineering.
A trillion security and compromise events were analysed for the 2020 Trustwave Global Security Report. The report concluded that "social engineering in the method of compromise reigns supreme." In addition, social engineering attacks increasingly target social media as much as they do email. A Verizon study reported that 22 percent of all data breaches involved social attacks as a tactic.
The personalization of cyber-attacks is about social engineering. We should expect this personalization to grow in 2021.
Brian Honan, CEO of the Irish firm BH Consulting, is an Infosecurity Thought Leader. On this subject, he had the following to say:
Brian predicts that "in 2021, criminals will look to make their phishing and social engineering attacks far more targeted and personal." This would be the case whether the attacks are directed at key personnel within organizations or at individuals. Our social media presence would provide more ammunition for offenders to make their attacks look more compelling and personal.
To be clear: email alone is not the problem here. As Brian says, criminals will look to other channels, primarily social media, to launch attacks against businesses. Personal details leaked online through social media will become weaponized.
Just look at how North Korean hackers compromised the Chilean banking system's ATM infrastructure (zdnet.com). Where did they launch the attack? On LinkedIn. The attackers chose their victims carefully and tailored their interaction to suit each target. This sort of personalization works, which is why it will grow in 2021.
It Is Not Paranoia If They Really Are Out to Get You
One of the factors that will make 2021 a paranoid year for companies is the growing personalization of cyber-attacks. As Javvad Malik, security awareness advocate at KnowBe4, puts it:
In 2021, for most organisations, the default state would be utter hysteria. Can your email be trusted? Your Feed on Social Media? Politicians of yours? Customers of yours? Employees of yours? Your business gadgets? A resounding no would be the answer.
This rising fear is borne out in the figures. Gartner estimates that by 2022, global spending on cybersecurity will hit $170.4 billion. In several nations, investment has already risen significantly: in Australia and China, 50 and 47 per cent of businesses respectively reported exceeding their cybersecurity budgets.
Such paranoia isn't unjustified. 2020 was a record year for cybercrime. 53% of respondents to ISACA's State of Cybersecurity 2020 study foresee a cyber-attack within 12 months. Cyber-attacks are the fastest rising form of crime in the US. Global cyber-crime damage is expected to hit $6 trillion next year. That is 57x the 2015 damage.
In short, 2021 will be a year in which companies remain highly worried. Vigilance will not be relaxed. We should all be ready for a paranoid mood to keep shaping the cybersecurity industry at large.
Passwords in Question
Passwords have felt a bit 1995 for a while now: the memorization, the "I forgot my password" link clicked yet again. But above all, the flimsy protection that passwords offer. Again, here's Javvad Malik:
"The turning point for passwords will be 2021. With FIDO and MFA developments and adoption, we can see fewer new platforms providing only passwords as a means of authentication."
This is no surprise, given the risks of using passwords. Poor password behaviour remains one of the leading causes of data breaches (itgovernance.eu). NordPass and partners show that when it comes to choosing passwords, people are as lazy as ever, and this goes as much for company employees as for your mom. Of the 275,699,516 passwords associated with 2020 data breaches, only 44% were substantially "unique."
According to nordpass.com, the most common password? "123456," used by more than 2.5 million people. Meanwhile, it was disclosed during the FIDO Alliance's Authenticate 2020 conference that various government units and agencies have accepted FIDO standards and are now implementing them alongside current digital ID policies.
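The practical defence against "123456" and its cousins is to reject any password that already appears in breach data before it is ever accepted. The following is an added illustration of that check, not code from this article or from NordPass: it indexes SHA-1 hashes of a small constructed breach corpus by their first five hex characters and answers lookups the way k-anonymity "range" queries work, so the client reveals only a hash prefix, never the password or its full hash. The corpus, the counts in it and the 12-character minimum are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample of passwords "seen in breaches" with occurrence counts.
# This is illustrative data for the example only, not figures from the article;
# a real deployment would load a large corpus or call a range-lookup service.
BREACHED_PASSWORDS = {
    "123456": 2_500_000,
    "password": 1_200_000,
    "qwerty": 900_000,
    "correct horse battery staple": 3,
}

PREFIX_LEN = 5  # hex characters of SHA-1 that the client discloses


def build_range_index(corpus):
    """Index SHA-1(password) by its first PREFIX_LEN hex chars.

    Returns {prefix: {suffix: count}}, so a prefix query yields every
    suffix sharing that prefix and the server never sees a full hash.
    """
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


def range_lookup(index, prefix):
    """Server side: return all suffixes (and counts) for a hash prefix."""
    return dict(index.get(prefix, {}))


def breach_count(index, password):
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how many times the password appears in the corpus (0 if never).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_lookup(index, prefix).get(suffix, 0)


def check_password(index, password, min_length=12):
    """Return (ok, reason).

    Rejects short or known-breached passwords. Deliberately no composition
    rules (digits, symbols, ...): those push users toward predictable patterns
    without adding much against an attacker who already has the breach list.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(index, password)
    if seen:
        return False, f"appears {seen} times in breach data"
    return True, "acceptable"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ("123456", "correct horse battery staple", "a-long-unseen-passphrase-77"):
        ok, reason = check_password(idx, candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} ({reason})")
```

The important design point is that `breach_count` only ever hands `range_lookup` a five-character prefix; with a realistic corpus each prefix covers hundreds of hashes, so the lookup leaks almost nothing about the password being tested even when the range service is a third party.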
MFA (multi-factor authorization), meanwhile, is now considered one of the best cybersecurity practices and is seeing increased adoption within organizations across various industries. In 2021, both of these trends will grow.
Javvad, however, also predicts that attacks against MFA and passwordless technologies will increase: "Examples of SIM hijacking to obtain SMS codes have already been seen, but this is likely to ramp up and we're going to start seeing bigger and worse attacks."
(SIM jacking sees bad actors use social engineering to trick mobile carriers into assigning a target's phone number to a new SIM.) The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) outlining how cybercriminals attempt to bypass MFA on their victims' phones.
MFA is not flawless, but it remains a lot better than the humble password! Expect next year to be one in which only a significant minority of services still rely on passwords alone.
Ready for 2021 Ourselves
If 2020 has taught us anything, it is that the future is always uncertain. No-one knows for sure what 2021 will hold. I assume, however, that the three patterns listed here are pretty firm bets. We all need to do our best to look into our crystal balls as we continue to develop business agility and business resilience for 2021.
I hope my fortune-telling proves to be of value to you here.