New Year’s is a time of reflection, and there’s plenty to say about cybersecurity in 2020. Ransomware attacks soared, and brazen hackers targeted hospitals, schools, and other vulnerable organizations, holding their networks hostage unless huge demands were paid. Threat groups linked to nation-states launched some of the most sophisticated and damaging attacks seen in years, including one that rippled through the federal government and countless companies.
What will cybersecurity look like in 2021? Which trends will fade and which emerging threats will vex organizations? We asked cybersecurity experts to share their thoughts:
Better Things Ahead
Steve Durbin, managing director of the Information Security Forum
“I think there’s a tremendous number of things that make me optimistic, and that may sound strange to some people. I’ve been accused of being a glass-half-full kind of guy. But I think there are great lessons we learned from the pandemic—if we think back to when it struck, lots of organizations had to move employees from offices to their homes, and security was there to make it happen. They had to talk about some of the tradeoffs between connectivity, accessibility, and security, which are conversations security leaders always wanted to have with business leaders. That’s something we’ll need to continue going forward.
We’ve also, from a security standpoint, had to learn how to work collaboratively with our users who are not in the same building, who are perhaps in their homes, who have a range of different demands and needs, so we’ve had to be more reflective of the needs of our users. Security has often been criticized for being the traffic cops and preventing people from doing things. This year has been all about security demonstrating that they can facilitate and help.
The third thing, and one that I talk about often, is the need for security to work closely with the business to determine where the business is going to go—the strategic direction. Most organizations are having that conversation at the moment, and because people are still widely dispersed and security has a seat at the table, security has been getting involved in those conversations.”
Challenges With Returning to “Normal”
Steve Grobman, chief technology officer at McAfee
“Different types of organizations will return to different office environments at different rates, and this will create opportunities for cybercriminals. The opportunities will be both in terms of social engineering—we’re resetting accounts, creating new passwords—and technology, since we’re going to be powering up machines that have been touched for a year. Organizations might want to think twice before putting out a big PR release that they’re going back to the office on a certain date. Figuring out how to get machines patched and inoculating employees against phishing before returning to the office is going to be important.
The other thing we will see in 2021 will be a new administration in the White House, and hopefully an Olympics and other major events. These could potentially be opportunities that cybercriminals will use for social engineering efforts. There’s no data I’ve seen that suggests the seriousness of cyberattacks is going to decrease, or the uptake in new technology [which can make organizations more vulnerable] is going to slow down.”
New Threats On the Horizon
Lavy Shtokhamer, former head of Israel’s Cyber Emergency Response Team (CERT)
“I think machine learning-based attacks will be developed during 2021 and 2022—they will be automated and have a large scope. A few years ago the internet was very targeted. I think attackers understand now that they need to choose carefully which company they want to work on. Being able to patch and identify new vulnerabilities within a number of days might not even be efficient enough to stay safe.
We’ve also seen a few incidents where big companies have been compromised through Internet-of-Things devices. I think major enterprises will move forward to protect their IoT environments, their Wi-Fi environments, and their ICS [industrial control systems] environments when applicable, like manufacturers.
Lack of talent has always been an issue, but over the last few months I’ve been seeing on LinkedIn a lot of CISO positions for many companies that haven’t thought about cybersecurity until now. Awareness is going to rise based on the events of the last quarter [with the SolarWinds breach]. There’s still a huge gap between what we thought we would need and what we actually need, and a lot of companies didn’t invest in cybersecurity until now. Many focused on compliance, to continue working with their own customers, but now people understand that they need to actually invest in security, and how to upgrade and maintain your technology and build an operation around it.”