Many people and companies are eyeing 2021 with a hopeful gleam in their eyes. With the accelerated adoption of remote work arising from the COVID-19 pandemic, security professionals and IT departments have had a stressful year. While vaccines appear to be on the way, many organizations are planning to continue with remote work until at least late spring 2021 while others will continue to migrate to a distributed workforce as part of their long-term business plans. With all of this in mind, a quick look at the cybersecurity, privacy, and compliance Magic 8 Ball indicates that “all signs point to yes” for continued attacks and digital transformation.
In June 2020, Microsoft published a report showing how cybercriminals targeted their phishing attacks to prey on people’s desire for pandemic information. According to the report, COVID-themed phishing attacks peaked in March 2020 but will likely continue in some manner until the global pandemic is under control.
Additionally, information gathered by Microsoft noted that COVID-themed phishing attacks followed waves of news surrounding politicians either addressing their constituents or being admitted to the hospital to treat a case of COVID. For example, Microsoft noted an increase in pandemic-themed phishing attacks in the United Kingdom from April 6 when the Prime Minister was admitted to the hospital until April 12 when he was released.
News from Interpol in August 2020 reinforces Microsoft’s findings, particularly noting that cybercriminals began impersonating government and health authorities to prey upon people’s rising fear. The report notes that the top phishing themes included emails from national or global health authorities, government orders and financial support initiatives, and COVID-19 tracking apps for mobile phones. Given the different ways that country and local governments approached the pandemic, this suggests a more localized approach.
Both reports project continued pandemic phishing attacks responding to vaccine distribution and coronavirus case tracking. Ultimately, security and IT professionals should pay attention to the news around their local pandemic information to help reduce COVID-themed phishing attack success.
Most of the phishing attacks involve installing malware or ransomware on devices, but the future of liability and responsibility might be shifting. Recent research notes that customers and lawyers might be looking to hold c-level executives personally liable for security and data incidents.
A June 2020 article noted that 35% of UK consumers believe that business leaders should be personally liable for cyber incidents. However, this trend appears to be global as well. AN article from Business Law Today also hypothesizes that the 2019 Marchand decision allowing shareholders to hold directors personally liable when they fail to provide appropriate oversight parallels cybersecurity compliance governance. Further, two holdings from 2019 suggest that courts are increasingly looking to apply personal liability to c-suite executives and Directors. In re Yahoo! In Shareholder Litigation and In re Equifax, Inc. Secur. Litig. Both indicate a move towards holding directors and officers liable for known cybersecurity vulnerabilities that remain un-remediated.
Since the Yahoo! And Equifax cases are in different jurisdictions, these filings in conjunction with increased consumer awareness around data’s value indicate that 2021 might see more of these litigations go forward.
Artificial Intelligence (AI) and Machine Learning (ML) will continue to enable organizations to better secure data. The 2020 IBM Cost of a Data Breach report supports the positive impact that these solutions have on cybersecurity posture, noting that AI/ML reduced the average cost of a data breach by $259,354 which is an increased cost saving when compared to 2019’s $230,000.
Even the World Economic Forum’s research supports the value that AI/ML bring to cybersecurity. According to their November 2020 report, these technologies can augment current manual tasks and enable more robust triage so security teams can respond to threats more rapidly. However, the report also lays out several challenges that require action, including:
- Developing defensive technologies without enabling attackers to accelerate their strategies.
- Establishing best practices guidelines for automating detection, responsible and investigation.
- Incorporating secure development principles for design, life-cycle management, and incident management.
As more organizations use AI/ML to reduce cybersecurity risk, they need to ensure that these defensive technologies do not give their adversaries a way to use malicious AI/ML to weaken defenses.
Since many organizations will continue to remain remote friendly for the long-term, the adoption of cloud services will continue to increase. However, this investment will also likely lead to more problems arising from misconfigured cloud resources.
According to The State of DevSecOps, “misconfigured cloud storage services were commonplace in 93% of cloud deployments that were analyzed.” Additionally, the report notes that organizations looking to reduce risk should focus on detecting and resolving policy violations during the development process, suggesting that organizations should look to embrace policy as code processes.
Rolling into 2021, more organizations will be looking to secure their cloud deployments by leveraging Identity and Access Management (IAM) policies to secure access to Infrastructure-as-Code (IAC) environments.
In both the Business-to-Consumer and Business-to-Business space, customers want organizations to prove their privacy and security posture. The Salesforce “State of the Connected Customer 4th Edition,” 86% of respondents want transparency into how companies are using their information, and 61% of respondents feel that they have lost control over how their information is used. McKinsey’s “Cybersecurity in a Digital Era” report supports this data, specifically noting that companies can “differentiate themselves by taking deliberate, positive measures in” the privacy and security domain. Moving outside of the esoteric and into the legislative, the California Privacy Rights Act (CPRA) that passed in November’s election highlights that consumers are asking for greater transparency. The law makes reference to hidden data collection tools, like website heatmaps, requiring companies to be more transparent.
Organizations will continue to build privacy and security into consumer-facing applications. Additionally, companies with robust cybersecurity and privacy postures will be able to leverage these more effectively as market differentiators. As peers look to maintain a competitive edge, they will likely follow suit. In short, building IT ecosystems with privacy and security by design will become industry standards.
While COVID-19 will clearly impact the winter of 2021, the technology, security, privacy, and business outlook for the year offers glimpses of potential. 2020 required organizations to rapidly pivot business models, ultimately accelerating digital transformation plans that were already part of longer-term goals. Despite this transition, many are now further along their cloud-first or cloud-only strategies than they would have been without the pandemic. 2021, therefore, will be the year that companies mature these new digital models, using them to enhance revenue rather than stabilize it.