December 02, 2020//Tony HowlettLast Updated: December 14, 2020
Coming to the end of 2020, which has been a year of “unprecedented times,” impacted cybersecurity in a big way. With barely any time left in 2020, it’s time to look at what we think 2021 could bring. The main hope is that it will be a little less frantic and there will be fewer viruses of the global pandemic, human, kind. But the malware that inflicts our computers and networks has shown no sign of abating (if only there was a vaccine that worked for them, right?)! So after dusting ourselves off after a tumultuous year, what can we expect in 2021 in the cybersecurity world? Here are a few general predictions of things you can probably expect in the new year and ways to prepare your organization for them.
First of all, we will probably return to our offices at some point in 2021. In general, the pandemic caused massive changes in our IT landscape and some of those changes are going to stick. Both office workers and company owners have seen the benefit from a Work From Home (WFH) workforce with more family time, less commuting, and lower office costs to name a few. Certainly, some of these things have come at the expense of other areas such as mental health and isolation, but a segment of the population most likely will not want to return to the routine of lengthy commutes and breakroom birthday cake every day even in a post-pandemic world. IT and security staff will have to contend with managing a much larger remote workforce, perhaps as big or bigger than their onsite counterparts. And the smart, forward-thinking managers will stop treating remote or mobile workforces as an exception and endpoint security as an afterthought. Because this is likely to be the future, whether or not there is a pandemic going on.
Another phenomenon that isn’t going away is ransomware. Cybercriminals have settled on this as their favored caper, mainly because it has been hugely profitable for them and takes out the middleman of getting paid for hacked networks and stolen data. You can expect them to fine-tune their formulas and get more vicious in extracting payments. We saw our first direct ransomware attributed death in 2020 at a hospital in Duesseldorf. This sadly won’t be the last as the attackers know this will force critical infrastructure providers to fork over the dough (or Bitcoin) to prevent this from happening to their institutions.
I recommend organizations add back offline backup methods and increase the security and frequency of their online methods to insulate themselves from these threats. Also, there will be a rise in focus on Internet of Things (IoT) security and regulation. We got a glimpse of things to come with the US Senate passing a law to regulate IoT security for federal purchases. This will increase and intensify as the deployment of these devices is only going to continue to grow exponentially.
Speaking of regulations, I foresee a continued rise in regulation around privacy. More countries and states will add protections for consumers and responsibilities for companies in this area. Ideally, we would get a US-wide privacy law so that organizations can quit dealing with each new law and just have to address one set of standards. We need to deal with this issue and take it seriously as a country and a Federal law will be a big step in that direction. For now, we will wait to see if the political winds blow favorably in that direction in 2021 and beyond.
Also, we will probably see attackers expand their use of third parties and MSPs to gain access to their targets. The networks of vendors and third parties tend to be an easier way into larger, regulated entities. They will continue to evolve their tactics, creating more custom toolsets and specialized malware to go after the support platforms of vendors. The bad guys see attacking technology providers as the ultimate force multiplier for their efforts, giving them access to hundreds of potential victim customers when they hack one. Organizations will finally have to get serious about Third-Party Risk Management, treating it as a key pillar in their InfoSec posture versus the stepchild of cybersecurity.
State hacking actors, also known as the Advanced Persistent Threats (APTs) and cyber terrorists are also taking note of these IoT vulnerabilities and the ransomware thieves’ successes. The smaller ones will use ransomware more and more to raise money for their causes just as they used the drug trade to fund their dastardly plans before. We have not yet seen a large-scale cyber terrorist act yet and I’m hoping we don’t in 2021, but I wouldn’t be surprised by it. The larger nation-state hacking organizations will continue to leverage cyber-means to achieve larger goals such as political influence and economic advancement of their country’s industries. Few organizations can withstand a concerted attack from these types of hackers so hopefully, a well-funded and forceful effort at the Federal level can dampen these types of attacks.
2020 has truly been a crazy year for all of us in every field. It’s been particularly challenging for IT and cybersecurity professionals who have to deal with the logistics of the systemic shocks delivered by the pandemic. Hopefully 2021 will be calmer and bring positive changes in the cybersecurity landscape. But whatever it brings, with a little preparation and foresight, we will be able to deal with it. If we get through 2020, we can get through anything. Have a great holiday season and a happy and safe New Year! Want to learn more about what to expect in 2021? Download our webinar to see how you and your company can prepare for cybersecurity trends.