2020 set the stage for cybersecurity priorities in 2021
It’s safe to assume that pretty much everyone is ready to move on from 2020. Between the COVID-19 pandemic, political battles, and social unrest, this has been a stressful year in so many ways.
It has also been a very active year for cybercriminals and fraudsters who have preyed on people’s fears and vulnerabilities to push new scams. They’ve spoofed government health sites to trick people into clicking on malware links. They’ve targeted food delivery apps with credential-stuffing attacks. They’ve posed as the CDC to send phishing emails. And those are just a few examples.
Unfortunately, COVID-19 is expected to follow us into 2021, and cybercrime will too. In the interest of putting 2020 in the rearview mirror, let’s take a look at what is expected in the cybersecurity realm in the new year.
Mingling of work and personal accounts will lead to a rise in vulnerability
When the coronavirus hit in early 2020, offices and schools shut down, forcing millions of parents and children to work and learn from home. That phenomenon led to kids using parents’ devices, accounts and credentials for their educational and recreational technology.
With 65% of adults admitting to reusing passwords across multiple accounts, it stands to reason that the habit has proliferated across family members. A study of 3rd to 8th graders from two U.S. schools by the National Institute of Standards and Technology found that children’s understanding of password hygiene is generally good, yet more often than not they use the same password for everything (58% of 3rd to 5th graders and 78% of 6th to 8th graders). Even after parents go back to work and kids go back to school, a data breach of just one app or piece of software may expose multiple accounts across family members.
Companies will extend cyber protection to personal accounts
When threat actors find a high-value target, they look for any vulnerable entry point. Burglars check every door and window for one that might be unlocked; cybercriminals going after business data might find a weak spot via someone’s personal email account. Password reuse across work and personal accounts and credential-stealing malware on personal devices present open doors to corporate data.
Security teams are wising up to the fact that targeted attacks on privileged users are increasing in scale and damage, and those users’ personal accounts present a huge liability – and blind spot – for many enterprises. But criminals are targeting more than just executives: human resources, payroll, finance, developers, and systems administrators may be pathways to valuable information. With increased understanding of the threat, I expect that in 2021 we’ll see more security teams extending enterprise-grade monitoring and protection to potentially valuable, vulnerable personal accounts.
Retailers will bear the brunt of online fraud
The global pandemic led to a boom in online retail activity. From Amazon to small niche eCommerce sites, consumers turned to their computers to purchase necessities and enjoy some retail therapy during the stressful year. Fraudsters capitalized on this spike in activity with a range of scams that will ultimately end up hitting the retailers’ bottom line.
This holiday season was already going to be tough on retailers because consumers are going out less and spending less because of economic concerns. Fraudsters are adding to the headaches by perpetrating account takeover, impersonating buyers and intercepting deliveries. Retailers understandably want to make the purchase process quick and easy to reduce friction for customers, but that also makes criminals’ jobs easier. I’m afraid that in early 2021, we’ll see chargebacks erase a hefty chunk of retailer profits from the holidays.
Ransomware will continue to pay off
In the first half of 2020, cities, universities and businesses spent a whopping $144 million responding to the 11 biggest ransomware attacks. That’s an average of more than $13 million per attack, so you can see why the criminals keep coming. It’s a very lucrative business model.
Even with the U.S. Treasury Department threatening to fine companies that pay the ransom, there is a strong incentive to do so. It’s the fastest way to resume business as usual. The ransoms are increasing, and companies continue to pay, which gives attackers reason to keep pursuing this method of attack.
COVID-19 is having an impact here as well. The switch to remote work and distance learning has increased exposure to cyberattacks for organizations of all types. Hospitals and healthcare companies are increasingly targeted because attackers know they would rather pay than risk downtime that could be even more costly.
We’ll spend 2021 recovering from COVID-related scams
We expect that 2021 will be a year of recovery in many ways. We hope it allows us to put COVID-19 behind us, but it is likely that the recovery – economic and otherwise – will take a while.
As I mentioned above, cybercriminals have been busy in 2020 taking advantage of the pandemic to prey on people, steal information, and use it to take over their accounts for all manner of fraudulent activity. SpyCloud has ingested over one billion breach assets per month this year. These credentials, stolen via spoofed sites, malware, and data breaches, have a long tail, and victims of account takeover will be dealing with the fallout through much of 2021 and beyond.
Businesses need to take steps to protect themselves and their individual users. More and more, companies are operating as if cybersecurity is a basic responsibility to customers, and for the most trusted companies, it is one of their guiding principles. As we think about our New Year’s resolutions, everyone should put cybersecurity on their lists. We can all be more vigilant against the virus – and the criminals trying to take advantage of us.