Traditional infrastructures suddenly couldn't cope with everyone working remotely. None of us could have predicted the kind of capacity needed for this scenario. Now, in 2021, it’s likely your security team is still running at or beyond capacity. In times of stress, humans take less care than normal and cyber adversaries will try to leverage this.
So, stay calm, take your time, and if in doubt, especially where processes are changing, stop and check. Talk to your team about the key trends in cybersecurity and how to protect your organisation. Here are my predictions for where we’ll need to focus this year:
- The consumer hop: With so many working from home, the weak point becomes what else could act as a bridge to the secured business device. Many homes may have between 20 and 50 things connecting to home Wi-Fi hubs, with the increase in smart home devices, including doorbells, TVs, digital assistants, as well as a plethora of family phones, tablets, wearables, and computers. Our recent IoT security research report found more non-business devices are coming onto networks, with everything from connected teddy bears to medical devices and electric vehicles now needing to be secured alongside business IoT. We’ve also seen organisations relaxing their security policies with the need to allow staff to use their devices at home, for example, enabling USB ports to allow home screens and printers, or other requirements. All of this means the end device and those things around it become bigger risks of access into your business’ critical systems and information.
- Investment fraud increases: Be it small business or consumers, so many are finding times incredibly tough financially during the COVID-19 crisis. Cybercriminals sadly prey on such circumstances, and in times of desperate need, people are more susceptible to click on scams that offer loans, payment holidays, and other financial opportunities that we would, in hindsight, recognise as too good to be true. So much of cybercrime succeeds through psychology; where there’s an emotional need, cybercriminals will exploit it.
- Criminals target new or modified touchless processes: As we’re looking to reduce our risk of infection in every aspect of life, we’re seeing increases in contactless payment limits, but also other methods, such as QR codes, being used to reduce points of touch. Our Unit 42 threat intelligence team has uncovered examples of QR codes being exploited, and seen increasing discussions and tutorials on how to abuse QR codes in underground forums. We should expect to see criminals continue to focus on immature contactless processes or changes to mature trusted ones where criminals can either intercept financial transactions or compromise systems to gain identity or other personal information.
- Employee fatigue: Working from home means many of us are now living online for between 10 and 12 hours a day, getting very little respite with no gaps between meetings and no longer having a commute. We’ll see more human errors causing cybersecurity issues purely driven by employee fatigue or complacency. This means businesses need to think about a whole new level of IT security education. This includes ensuring people step away and take a break, with training to recognise signs of fatigue. When you make a cybersecurity mistake at the office, it’s easy to go down and speak to a friendly member of your IT security team. This is so much harder to do at home now without direct access to your usual go-to person, and it requires far more confidence to confess. Businesses need to take this human error factor into consideration and ensure consistent edge security no matter what the connection. You can no longer just assume that, because core business apps are routing back through the corporate VPN, all is as it should be.
- 5G and edge computing could catch some people napping: With the debates on which hardware can be used where, and of course, all the other challenges you and others faced in 2020, 5G, edge computing and, to some degree, IoT have not been at the forefront of businesses’ minds. Yet in the background, huge investments are being made for 5G’s deployment, and due to the delays, when it happens, expect the ramp-up to be faster. 2021 will be the year we see cybercriminals really probe these spaces to see the art of the possible, as by 2022, more than a third of operators will have 5G networks in place in Europe, according to survey data from Enea. What's more, with the changing working environment, expect to see private 5G networks springing up to enable collaboration spots for staff in redesigned office working spaces.
- Rush to the cloud; security playing catch-up: Most companies in Europe had plans to move key business processes to the cloud over the next few years, but with the onset of the pandemic, this became the next few months. Rather than taking the time to recodify processes, an intermediary lift-and-shift step was added: the quick move. While the process may still be the same, your environment and security change. Businesses, in 2021, are already planning stage two: recodifying to gain the real advantages of agility from the cloud, while security teams are still fixing the issues from the intermediary shift. This continuing migration at pace will lead to security gaps, and we’re likely to see more cloud security incidents until the shifts are completed and stability resumes, at least for a while.
- eCrime takes advantage of GDPR compliance challenges in the cloud: It took most companies years to get their PII (personally identifiable information) ready for GDPR when it came into force in 2018. With the urgent shift to cloud and collaboration tools driven by the lockdown this year, GDPR compliance was challenged. As businesses try to regain control of PII in the cloud, expect cybercriminals to be looking to take advantage. We know from our Unit 42 research that cloud security is often not as strong as it should be, again the result of often accelerated shifts. In a recent Red Team exercise, one simple IAM misconfiguration allowed our researchers to compromise an entire cloud environment and bypass nearly every security control.
- Privacy goes ever more local: We are seeing more of a focus than ever in Europe on privacy. Just one example of how significant this has become is a major smartphone company running TV adverts in the region highlighting its data protection capabilities. It's not an upsell; this is simply becoming a core requirement. At the same time, we have the EU looking to build EU clouds, such as the Gaia-X project, that align to the broader EU cloud strategy. All of this highlights how high privacy is on the EU agenda. This will potentially make digital transformation strategies more complex in the longer term, as either the trends focused on regionalising data will continue or, more likely, there will be stronger separation between actual PII data and the metadata behind it. In an ever more globally connected world, privacy is driving many people to view data as a more local commodity.
- SOC teams struggle with a new working environment and increased workloads: As many businesses look to reduce costs, one natural solution is to accelerate the digitisation of processes. This means ever more cybersecurity telemetry coming back to the security operations centre (SOC). Add to this the shift we’ve already seen in telemetry as employees work remotely and an increase from more new collaboration tools and cloud processes. Many SOC teams had also been used to using multiple screens for big data analytics, and regular team huddles to discuss complex issues, so the shift to work from home, often with one screen, has been tough for some. The teams keeping up will be the ones taking a data-driven ML/AI-based platform approach, helping them to be proactive against attackers trying to out-innovate them.
- Cybercriminals love current affairs: Cybercriminals will always flock to exploit the latest global trend or news item. We’ve seen this throughout 2020 around the pandemic with widespread use of virus-related themes, such as COVID-19-themed business email compromise campaigns, and on average 1,767 high-risk or malicious COVID-19-themed domain names being created every day. With the Brexit transition period ending on December 31, there is, again, a flurry of news as well as a desire for information on how it impacts both our personal and business lives. From December into 2021, we have to expect to see scams, misinformation, and attacks leveraging what is such a significant change not just for UK residents but many across the EU too. We might see fake websites springing up around the forms that businesses will need to complete to hire employees from the EU, for example. Brexit will also mean that so many business processes will have to change (e.g. applying for more export licences). There will be a big rush to do this, and we’re likely to see mistakes along the way, which could open up unnecessary risks and further opportunities for cybercriminals.
What is the key takeaway you should remember for this year?
We are shifting to an increasingly connected world where visibility and access to information is king. That also applies to knowing where your own business data is and how to secure it. To scale your business while staying compliant, it is crucial you have visibility of who has access to what and why. The lesson learned: be ready to move faster, but also don't lose sight of your long-term security priorities.
About the author
Greg Day is VP and Chief Security Officer for Europe, Middle East, Africa at Palo Alto Networks. He is a respected thought leader and advocate for stronger proactive cybersecurity, who has lived and breathed cybersecurity since the dawn of the industry. In fact, he developed his own behavioural security solution as long ago as 1995.
Greg’s passion is building stronger mutual understanding between non-technical and cybersecurity leaders within organisations. As part of Palo Alto Networks’ Office of the CSO team, Greg is a regular writer and contributor of essays and blogs on cybersecurity issues, as well as a keynote speaker and expert panellist on industry forums across EMEA. He currently chairs the global CSO community I-4 members advisory committee.
On policy, Greg acts as an industry advisor within many crucial cybersecurity organisations, including being the chair of the TechUK Cybersecurity AI Working Group, having given evidence both in the UK Parliament and in Brussels, and working as a member of the World Economic Forum’s (WEF) Centre for Cyber Security.