Five ways COVID-19 will change cybersecurity

The main story of 2021 won’t be the disease, but the vaccine. With three effective, promising vaccines in development as of November, COVID-19 (and its treatment) will continue causing major shifts in nearly every facet of our lives.

That is particularly true for cybersecurity. Our sector transformed in 2020, and we have still not finished adapting to the virus. Here are five ways that COVID-19 and its vaccines will cause cybersecurity to change in 2021:

Returning to office will create complex cybersecurity challenges

Given the likelihood of vaccinations starting at some point next year, it’s likely that we’ll see some employees return to the office in 2021. Having a significant number of employees head back to the office will be the first major cybersecurity trend of 2021 and will result in a number of complex challenges.

Last year, many organizations rushed out work-from-home resources to ensure business continuity, leading to an unprecedented 42 percent jump in the number of U.S. employees working from home full-time as of June. The coronavirus forced CISO’s hands: in some notable cases, security teams had to launch remote work over the weekend to comply with local work-from-home orders.

I understand the necessity driving that decision-making, but those measures will have serious ramifications in 2021.

CISOs will retrench and rebuild their security policies

Next year, CISOs will have to grapple with the consequences of the decisions they made (or were forced to make) in 2020. One of their first orders of business will be to “un-cut” the corners they took in the spring to stand up remote work capabilities.

We’re already starting to see this trend play out, with zero trust – an emerging security mindset that treats everything as hostile, including the network, host, applications, and services – gaining in traction: in November, 60 percent of organizations reported that they were accelerating zero trust projects. That’s due in no small part to CISOs and CSOs retrenching and taking a more deliberate approach to ensuring operational security.

The security leaders who help their organizations successfully navigate the zero trust journey will recognize that a zero trust mindset has to incorporate a holistic suite of capabilities including, but not limited to: strong multifactor authentication, comprehensive identity governance and lifecycle, and effective threat detection and response fueled through comprehensive visibility across all key digital assets.

To address the increasing digital complexity induced by digital transformation, effective security leaders will embrace the notion of extended detection and response (XDR), striving for unified visibility across their networks, endpoints, cloud assets, and digital identities.

Vaccinated employees will return with infected devices

We’ll really begin to see the consequences of the 2020 “rush jobs” when employees get back in the office. Though an increasing number of employees will receive vaccinations in 2021, their devices and applications will still be infected. In June, researchers reported a sudden spike in attacks and data breaches originating from mobile endpoints.

As more compromised devices re-enter the office and begin connecting with corporate assets and systems, we’ll see the full impact of hasty remote work policies.

Threat actors will prioritize SaaS applications and cloud services

Likewise, because many businesses began relying on distributed workforces in 2020 and broadened their footprints with SaaS applications and cloud services, threat actors will likely prioritize these targets and find new ways to exploit them. They may use a two-step approach, compromising end users and then connecting to the cloud services to which those individuals have access.

Vaccines will give rise to misinformation and phishing attacks

Finally, and maybe worst of all, the availability of real vaccines in 2021 will provide threat actors with a new “channel” to distribute misinformation and new targets to prioritize. Last year showed us that cybercriminals never waste a good crisis, using the coronavirus to disguise phishing, Trojan, and rogue app attacks.

Threat actors will adapt with the crisis: pandemic relief “offers” and contract tracing apps will give way to vaccine-related phishing attacks. These targets will target individual consumers as well as the organizations developing, distributing, researching, and administering actual vaccines.

These schemes may damage public confidence in real vaccines and undercut their efficacy: given how important widespread adoption of these vaccines will be to ensuring public health, social media companies will need to take stronger actions to curb misinformation. A recent alliance between Facebook, Twitter, and YouTube to combat vaccine conspiracies is a good start, but social media will have to act quickly to flag, refute, and remove misinformation.

Hopefully, some lessons have been learned

Our sector faced incredible challenges last year. I’m so proud of how hard-working cybersecurity professionals adapted their work, innovated new solutions, and helped organizations everywhere continue delivering services to the people who relied on them.

It was a brutal year, but I think it was a valuable one, too. The pandemic demonstrated our strengths – and it also exposed some of our flaws, assumptions, and weaknesses.

Let’s learn from this. If 2020 taught us anything, it’s that the next disruption is coming. Being safe now isn’t enough.

In that vein, 2020 has taught us the power of human ingenuity when we come together towards a common cause. In the wake of COVID-19, people have rapidly developed novel therapies, created new approaches to testing, accelerated research on vaccines, identified ways to mass-produce personal protective equipment, and designed new ventilators.

Crises create remarkable moments of truth and force progress in critical areas. At the same time, we need to be cautious about whether solutions developed during this time of urgency are the right long-term solutions for us. We will eventually enter a post-COVID era armed with new insights about society and must recognize that the choices we make today will shape what that society looks like.

Vaccines use pieces of viruses to train the immune system and protect against future infections. My hope is that the coronavirus helped inoculate cybersecurity against the next challenge – that we now know more about what we need to fight back in 2021 and beyond.