With chaos and uncertainty reigning, 2020 created near-perfect conditions for cybercriminals. The COVID-19 pandemic transformed the way we live and triggered a mass migration to digital channels as companies virtually replaced in-person interactions for employees and consumers alike. Nearly ten months in, the pandemic rages on, and cybersecurity threats are accelerating.
While vaccine distribution is on the horizon, the pandemic’s economic and social fallout will take time to mend. Bad actors see opportunity during turbulent times, which is why the world, including institutions from hospitals to schools, faced unparalleled cyber threats this year.
By November, more than 28,000 common vulnerabilities and exposures (CVEs) were recorded, not to mention the countless ones that went unreported. Unsurprisingly, as initial concern began mounting surrounding the pandemic, the first quarter of 2020 saw a 61% uptick in targeted attacks compared to the last quarter of 2019. As malware, DDoS, and phishing threats grew steadily, security professionals were on high alert all year, scrambling to protect hospitals at the height of the pandemic, secure the U.S. presidential election, and shield businesses after a rapid shift to remote work and digital-first experiences for consumers.
After a year of high stakes and alarming new records, here’s what I predict the coming year will bring:
The real aftermath of remote work arrives
After the sudden shift, remote work is here to stay. But if companies continue allowing employees to work remotely, they must tackle the technical debt left behind from the urgent shift to remote infrastructures. According to IBM, around two-thirds of C-suite executives said the pandemic accelerated their digital transformation plans. This acceleration often involved substantial architectural changes, leaving critical security vulnerabilities exposed.
Given these new—and unprotected—vulnerabilities, the number of breaches is likely to increase in the coming year. Since the shift, no major data breaches have yet originated from an individual employees’ house and personal technology. That’s likely to change in 2021 as bad actors target unprotected perimeters.
As they adjust to this “new normal,” we’ll also see more companies adopt intelligent, dynamic security architectures such as zero trust. IBM also found that 76% of executives aim to make cybersecurity more of a priority over the next two years, and almost half expect to use advanced technology like AI to protect their businesses from bad actors.
While embracing new remote working norms creates a workforce more resilient to business continuity challenges, it also poses new problems. Traditional infrastructure like telecommunications focused on urban centers and traditional workplaces. Now, networks in small towns face loads nobody imagined a year ago, and cell sites further from large commercial centers receive more traffic than those in former business parks and co-working locations. Likewise, business-critical traffic is passing over networks not factored into pre-2020 plans, posing substantial challenges.
IoT and smart devices mature
With more remote workers, personal IoT and “smart” devices will pose more significant threats to corporate security. Given how much time we spent at home this year, we’ve grown more accustomed to these devices. They automate our lives, entertain us, and even monitor our health. Smart devices’ medical-grade sensors now track users’ activities and medical data, like heart rates and oxygen levels. But do those who use or even create these devices know where this data goes? How it’s managed or secured? Even with these questions unanswered, the smart device market keeps growing.
This means IoT will begin to mature from a security standpoint as new frameworks and policies across countries emerge. The U.S. Senate recently passed a bill that mandates security requirements, like identity management and configuration management, for IoT devices purchased by the government. The U.K. offers Secure by Design, a set of resources for securing consumer smart devices.
Other countries, including Australia and Malaysia, are also working to formalize security frameworks and expectations. These all address similar problems, like ensuring users don’t rely on weak default passwords and manufacturers adopting bug programs. These will push manufacturers to implement stronger security measures for new devices in the coming years, but what about the millions of devices left behind?
New guidelines and more robust policies signal that we’re making progress with IoT security, but they’re not a silver bullet. This market will continue to grow as consumer demand and expectations increase.
Attacks will continue to evolve, but so will our ability to assess them
Next year, new areas of the security industry will come into their own, especially those focused on developing our ability to monitor and assess the new attack surface. With so many workers who have privileged access to sensitive data now scattered across the world, traditional security approaches hardly work or simply fail.
The challenges we faced this year—securing a distributed workforce, surges of ransomware and phishing, targeted attacks on essential industries, and more—will give rise to a new wave of innovation. Behavioral analytics, device identification, and intelligent risk management will be critical areas of focus for the industry moving forward.
To say 2020 was a trying year is an understatement. But even with all of the challenges (many that are far from resolved), together we’ll continue to reckon with the year’s aftermath—from breaches stemming from an employee’s home to the vulnerabilities of IoT devices already used by millions—sooner rather than later. The year also reminded me of the resilience and tenacity of the security industry, with which we’re more prepared for new challenges than we think.
Looking forward to 2021, I believe we have many of the necessary tools to tackle these problems. In many cases, it’s just a matter of time and technology. While we adapt to the new normal, however, we need to make a New Year’s commitment to drop the baggage from past years. Ransomware attacks are still trivial, causing unprecedented harm. Vulnerabilities appearing in the wild are still as basic as things like directory transversal attacks. As an industry, we must come together with governments, combine tools with policy, and confront some of these simple yet incredibly harmful problems, once and for all.