2020 was a year of ups and downs and unexpected twists. Nowhere was this more apparent than in the realm of cybersecurity. As many want to draw a line under 2020 and not look back, let’s instead gaze into the future and examine the cybersecurity outlook for the upcoming year.
1. COVID-19 will continue to impact cybersecurity
The biggest story of 2020 was the COVID-19 pandemic. Its impact was worldwide and threw every business sector into chaos. Things changed overnight, and cybersecurity struggled to keep up. Many organizations may have pushed aside some cybersecurity measures and training in an attempt to save time and/or money, leaving them even more exposed to attacks. For example, new applications aimed at contact tracing were rushed to market without proper testing, leading to leaks of personal data.
In 2021, the impact of the pandemic on security will continue to be felt across all aspects of business, education and home. Attacks will continue to occur on businesses at an unprecedented rate. There will be an increase in attacks on hospitals and remote learning platforms, two areas that have seen an increase in traffic due to the pandemic. With the value of healthcare data increasing, hackers will follow the money. Phishing attempts based on the upcoming vaccines will also take advantage of people who are worried about the virus.
2. Work-from-home is here to stay (and so are the cybersecurity headaches)
The COVID-19 pandemic caught many organizations flatfooted when it came to switching rapidly to a work-from-home culture. Rapid digital transformation occurred that steam-rolled concerns around data protection and privacy. Organizational trust in infrastructure and people was strained with the rapid move to remote working environments.
In 2021, organizations will have to take time to look at the impact of remote working in relation to regulatory compliance. Distributed networks and cloud-based platforms, which saw such rapid adoption during the early days of the pandemic, will need to be shored up from a security perspective to prevent breaches at all endpoints. Devices will need to be updated to keep up with work and security demands. Workers will need to be offered specialized cybersecurity training to shift their mindset to this new normal.
3. The impact of 5G and the corresponding growth of the Internet of Things on cybersecurity will be huge
5G technology and Internet of Things (IoT) devices are not new. The rollout of these technologies has occurred over the last few years. However, expect to see rapid adoption and growth as more parts of the world have access to the faster internet speeds and 5G network connectivity. There will be a flood of new IoT devices to the market to take advantage of this new high-speed network.
As we have seen in the last five years, there is already an issue with IoT devices being rushed to market without proper design or testing for security and privacy. Expect this issue to escalate as businesses race to grab market share. Also, with the expense of these new technologies, we will see a rise in cheaper knock-off IoT devices that are even less secure. New malware and phishing attacks will be specifically targeted to these technologies.
4. New OWASP Top 10 coming in 2021
There has not been an update to the OWASP Top 10 Most Critical Web Application Security Risks since late 2017. Although the current Top 10 list remains effective at raising awareness of critical issues that are still faced in development, a new update to this de facto application security standard will be welcomed by many.
OWASP has promised an updated version of its popular Top 10 in 2021, so it makes our cybersecurity outlook list for the coming year. Although originally slated for 2020, the OWASP Top 10 fell victim to the pandemic and had to be delayed. As before, the new version will reflect the OWASP Foundation’s commitment to providing a report that can be used to create a strong application security program. OWASP is improving its approach in several ways: enhancing its data science and community-driven qualitative process, providing a stronger tie-back to CWEs, allowing anonymous data submissions, and improving the look and feel of the presentation while providing more means of consumption. Look for the new version of the Top 10 in Q1/Q2 2021.
5. Focus on privacy weighs heavy in the cybersecurity outlook
The last few years have seen the rollout of a series of governmental regulations related to the protection of individual privacy. The General Data Protection Regulation (GDPR) from the European Union, the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA) from Canada, and the Lei Geral de Proteção de Dados Pessoais (LGPD) from Brazil have all come into effect in the last few years with a focus on privacy and data protection. We can expect this trend to continue in 2021.
In November 2020, voters in California approved Proposition 24 to create the California Privacy Rights Act (CPRA), an expansion and amendment of the CCPA. One of the biggest changes is the creation of a new category of data, “sensitive personal information,” with additional requirements for protections for disclosure and use.
A coalition of organizations has begun to advocate for the adoption of the Global Privacy Control (GPC) standard, a setting or extension in browsers and mobile devices that indicates the user’s preferences in relation to privacy. This is another step toward a related trend we will see in 2021 – using concerns and respect for consumers’ and users’ privacy as a business differentiator.
6. The cost of data breaches will continue to grow
According to the IBM and Ponemon Institute’s Cost of a Data Breach study, the average cost of a data breach in 2020 was $3.86 million. The average cost of each data record lost was $146. The most expensive type of data record to lose is customers’ personally identifiable information (PII). These costs include both direct and indirect costs, and they are long term: the financial ramifications of a breach can last for years.
One thing the data has shown in relation to the cost of a breach is that it directly correlates to an organization’s level of security preparedness. The less prepared a company is, the more records lost and the higher the risk that these records contain confidential information. Expect the cost of data breaches to continue to climb as more PII is being held by organizations that are not fully prepared to protect the data adequately.
7. Disinformation campaigns against businesses will grow
A word that many people learned during the 2020 U.S. election cycle was “disinformation.” Simply stated, disinformation is the deliberate spreading of information known to be false (as opposed to misinformation, which is false information spread without the intent to deceive). Although used prominently in recent years in the political world, moving forward, we will see this weapon being used against business entities more often.
The use of disinformation campaigns against businesses has the potential to do significant harm to goodwill and reputation. These attacks can take many forms – deep fake videos, forged press releases or policy documents, fake social media posts, and more. Even fake review postings with bad reviews for a business can be “flooded” and used to sow distrust or anger among potential customers. From a cybersecurity perspective, these types of attacks can put data at risk, as well as be the first step in a multi-phased cyber attack on an organization.
8. Zero Trust security model and architecture adoption will continue to rise
Zero Trust is a term many have heard, but few can articulate clearly. The concept of the Zero Trust model dates back to 2003, and the first adoption of a Zero Trust architecture was in 2009 by Google. Since that time, this set of security paradigms has gained increasing momentum. It has especially gained popularity with the shift to remote working due to the COVID-19 pandemic. At its heart, Zero Trust means what its name implies: do not trust devices or people by default, even within your organizational network. Every access request is verified on its own merits.
The appeal of the Zero Trust model is that it is designed to meet the needs of the organization, so its application is not like trying to fit a square peg in a round hole. Organizations may already have many of the hardware and software components needed for Zero Trust. The change is in the approach to how they are implemented. Requiring verification and authentication at each point of access, for every device and user and on every request, helps to combat two of the most common means of breach: insider threats and credential theft.
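To make the difference concrete, here is an added example (not code from the original article) that puts a perimeter-style access check next to a per-request Zero Trust check. It assumes a constructed HMAC-signed session token bound to both the user and the device, a constructed device inventory standing in for an MDM/EDR feed, and a constructed set of least-privilege grants; all of these names, secrets and records are made up for the illustration, and a real deployment would use an identity provider’s tokens and a device identity proven by something like an mTLS client certificate.

```python
"""Perimeter-style trust versus per-request Zero Trust checks.

Added illustration, not code from the original article. The secret, the
device inventory, the grants and the sample requests are all constructed.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
from typing import Optional, Tuple

# Constructed signing secret for the demo session token (a real deployment
# would verify an IdP-issued token, e.g. a JWT, against the IdP's public key).
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed device inventory, standing in for an MDM/EDR posture feed.
# The device identity is assumed to be proven out of band (e.g. mTLS cert).
DEVICE_INVENTORY = {
    "laptop-alice-01": {"managed": True, "disk_encrypted": True, "edr_healthy": True},
    "laptop-bob-07":   {"managed": True, "disk_encrypted": True, "edr_healthy": True},
    "laptop-carol-02": {"managed": True, "disk_encrypted": True, "edr_healthy": False},
}

# Constructed least-privilege grants: user -> resource -> allowed actions.
ROLE_GRANTS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob":   {"wiki": {"read"}},
    "carol": {"wiki": {"read"}},
}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, device_id: str, now: float, ttl: int = 300) -> str:
    """Issue a short-lived session token bound to both the user and the device."""
    claims = {"sub": user, "dev": device_id, "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > now else None


def perimeter_decision(request: dict) -> Tuple[bool, str]:
    """Perimeter model: anything on the internal network is implicitly trusted."""
    if ipaddress.ip_address(request["src_ip"]) in INTERNAL_NET:
        return True, "inside the perimeter"
    return False, "outside the perimeter"


def zero_trust_decision(request: dict, now: float) -> Tuple[bool, str]:
    """Zero Trust model: verify identity, device posture and authorization on
    every request, regardless of the source network."""
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False, "no valid identity"
    if claims["dev"] != request.get("device_id"):
        # A stolen token replayed from another device fails here.
        return False, "token not bound to this device"
    posture = DEVICE_INVENTORY.get(request.get("device_id"))
    if not posture or not posture["managed"]:
        return False, "unmanaged device"
    if not (posture["disk_encrypted"] and posture["edr_healthy"]):
        return False, "device posture failed"
    allowed = ROLE_GRANTS.get(claims["sub"], {}).get(request["resource"], set())
    if request["action"] not in allowed:
        # A valid insider reaching beyond their grants fails here.
        return False, "not authorized for this action"
    return True, "verified user, device and grant"
```

The two decision functions make the contrast visible: the perimeter check waves through a stolen token used from an internal address and blocks a legitimate remote worker, while the Zero Trust check rejects the replayed token on the device binding, rejects an insider’s request for a resource they were never granted, and admits the remote worker once identity, device posture and grant all verify.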
9. Importance of security awareness education is increasing
What remains true year after year in cybersecurity is the need for security awareness training and compliance training to strengthen an organization’s “human firewall.” Employees are the lifeblood of any organization, including its security posture. Mistakes by people continue to be the leading cause of data breaches. Lost or stolen credentials, circumventing systems or processes, device loss: the list of possible mistakes that can lead to a major breach is long and continues to grow as technology advances.
Expanding the view of who should be trained is important. Companies should require security awareness and compliance training for
- employees (full-time, part-time, seasonal, interns, at all levels in the organization),
- contractors, and
- third-party vendors.