Large-scale changes to our business environments in 2020, driven by the COVID outbreak and the rollout of remote work strategies, mean we are still working out how to build an adaptable security plan for the near future. Many are probably more than ready to move on to 2021 as quickly as possible, hoping for a more stable and unobtrusive year ahead. To make sure your desired level of “regularity” becomes reality, it is critical to understand which cybersecurity trends will play out in 2021. Our professionals shared some insight on key areas to focus on.
Known Vulnerabilities will be the Biggest Threat Vectors
According to Chris Cronin, ISO 27001 Auditor and The DoCRA Council chair, your biggest vulnerabilities can be identified based on public information. In 2020 the Department of Health and Human Services told healthcare providers to relax HIPAA compliance in favor of patient care. While privacy should never take priority over patient care, many hospitals and healthcare providers dropped their guard too much and incidents of phishing attacks and ransomware in that sector boomed. Is your business sector dropping security requirements? Are you allowing the new population of remote workers to use their own computers to get their work done? Look at your new vulnerabilities – especially the ones that will be obvious to people who read newspapers – and that’s your biggest threat vector. These broadcast measures meant that remote work operations were taking place in non-enterprise, non-secure environments and that healthcare providers could take shortcuts when it came to cybersecurity. Cybercriminals can easily recognize brief windows of opportunity and can just as easily beef up or adapt their attack strategies to take advantage of them. That is why companies must always consider the security implications of any large-scale or dramatic changes in their operational procedures. It’s important to have a well-conceived cybersecurity strategy in advance because, in the heat of the moment, cybersecurity often gets shortchanged.
Data Breach Vectors of Attack
Breach prediction is like a romantic comedy: you may not know the details or the names of the characters, but you can see the plot coming from a mile away. Chris Cronin suggested, “If you look at public breach data over time, two things become obvious: we never know the particular approach that will boom in the coming year, but we always know the major vectors of attack. Industries that rely on a lot of person-to-person handling of information will mostly breach by human error. Organizations that rely mostly on automated systems will mostly get hit through unhardened systems and services. Focus less on which systems get attacked by which methods and much more on using security standards to lock down what you know is regularly exploited.”
Clearer Definition of Reasonable Security
With risk being a primary security gauge for professionals, we were especially interested in a prediction Chris Cronin made about the legal side of cybersecurity. Given the growing array of regulations and compliance requirements and the escalating costs of data breach litigation, 2021 will be the year we can expect a clearer definition of reasonable security.
“Expect a clear definition for reasonable security. This is huge. The influential Sedona Conference just released their Test for Reasonable Security and provided it to regulators and judges. This gives regulators, litigators, and legislators a calculation or test to determine whether the burdens from security controls are worth the risk reduction they provide. Pennsylvania has already used a prototype of the test in their action against Orbitz in 2019. Illinois is running privacy legislation using a similar model, and the team that wrote the Sedona paper are each leaders in their field using the new test in their work. What will this affect? You will be able to rationalize your security priorities and expenses based on a cost-benefit test, your regulators will have to accept your definition of a reasonable security control (hallelujah!), and your insurance company will be able to provide a more rational cybersecurity policy because they’ll know that the policyholders that use the new test will be reducing their post-breach liabilities.”
In the event that a cybersecurity incident results in litigation, it will be up to the court to determine what the company’s “duty of care” was. A clear definition of reasonable security reduces the legal risk associated with a cyber incident.
Cybercriminals will continue to Take Advantage of the Remote Workforce
Erik Leach, CISSP, SCF, continues to expect increased attacks as a result of remote work. The sheer speed at which remote work strategies were put into place produced far less than optimal security configurations. According to Leach, “Attackers are now targeting remote access gateways and open communication ports that are vulnerable or provide broad access that does not require multi-factor authentication.” HALOCK Senior Consultant Steve Lawn reinforces this belief and says that the continued reliance on remote workers further justifies the need for wide-scale security awareness training throughout organizations. Users must be able to spot potential trouble and alert the proper personnel without delay, regardless of location.
When a security incident does occur, teams must be ready to respond appropriately. Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP, ISO 27001 Lead Auditor, advises that having an updated incident response plan (IRP) is essential to address the evolving threats. IRP training for your team also makes a difference. Employees should know who to contact, what to do, and how to proceed quickly to minimize the impact of an attack.
On top of training your teams, an ongoing effort that should be incorporated into security strategies is to ‘continuously assess your risk and manage to risk’ for the changing environment, advises Viviana Wesley, PCI QSA, ISO 27001 Auditor. A current risk and security profile better positions organizations to address new regulatory requirements such as the anticipated PCI DSS v4.0 for 2021.
Data will be Stolen and Encrypted
The vulnerabilities mentioned earlier created fertile ground for ransomware attacks, so much so that ransomware attacks rose by triple digits this year. Despite the string of successes for ransomware perpetrators, companies are beginning to get smarter about how to combat these attacks through effective backup strategies. Because of this, the objective for hackers is no longer just to encrypt your data for extortion purposes; it is to steal it as well.
Traditionally, ransomware was delivered in opportunistic fashion, snaring whichever victim happened to click on a malicious link. The encryption process was automated and immediate. Ransomware 2.0 is more methodical in its approach. Once the malware successfully infiltrates a host, the perpetrators manually control it in patient fashion, seeking high-value data. The files are first uploaded to a location the criminals control, and only then does the encryption take place. Should the victim be able to recover from the encryption attack, the criminals then threaten to sell or publish the stolen data, adding another extortion element.
Steve Lawn notes, “If a company has no idea what data they have and where that data resides then they will have no idea what data was taken or how serious an issue it is that the data was stolen. With a data inventory the company will know what type of data is where. With data compliance they can track that data to make sure that, if anything is happening to the data, it is blocked or at least tracked.”
Erik Leach advises conducting sensitive data scanning so that you know what data has been compromised in an attack. The increasing regulations and compliance requirements regarding data privacy, nationally and internationally, require companies to identify, track, and control sensitive data wherever it resides, both to demonstrate good data governance and to avoid potential fines.
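As an added illustration of the data inventory and sensitive data scanning that Lawn and Leach describe (example code written for this page, not HALOCK's tooling), the following script scans a constructed set of files for payment card numbers and US Social Security numbers, validates card candidates with the Luhn checksum so that stray digit runs such as ticket numbers are not reported, masks what it finds, and produces a per-file inventory that answers "what type of data is where." The file paths and contents are constructed sample data.

```python
"""Sensitive data discovery over a small constructed file set.

Added illustration for this page; not HALOCK's tooling. Finds payment card
numbers (PANs) and US Social Security numbers, keeps only Luhn-valid PANs,
masks every hit, and builds a per-file inventory of data types.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# PAN candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other word characters. SSN: NNN-NN-NNNN with the usual
# never-issued prefixes excluded. Both patterns are simplified for illustration.
PAN_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the inventory itself is not a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (data_type, masked_value) pairs found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", mask(m.group())))
    return hits


def build_inventory(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Map each file path to a count of sensitive data types found in it.

    Files with no findings are left out so the result reads as a data map.
    """
    inventory = {}
    for path, content in files.items():
        counts = Counter(kind for kind, _ in find_sensitive(content))
        if counts:
            inventory[path] = dict(counts)
    return inventory


# Constructed sample corpus. 4111111111111111 is the widely used Visa test PAN;
# 4111111111111112 fails the Luhn check; 123-45-6789 is an SSN-shaped dummy;
# the README holds digit runs that must not be reported.
SAMPLE_FILES = {
    "/srv/share/finance/refunds.csv": "cust,card\nA,4111 1111 1111 1111\nB,4111111111111112\n",
    "/srv/share/hr/onboarding.txt": "Employee SSN 123-45-6789, phone 555-0100",
    "/srv/share/eng/README.md": "Build with make; ticket 20200101 fixed the 1234567890123 issue",
}

if __name__ == "__main__":
    for path, counts in build_inventory(SAMPLE_FILES).items():
        print(path, counts)
```

In practice the same inventory output is what lets a response team answer "what was taken" after an incident: if the exfiltrated directory is /srv/share/finance, the inventory already says that cardholder data lived there and the HR share is the one holding SSNs.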
Unified Endpoint Protection
In a recent article that featured HALOCK SMEs and other industry experts, longtime MVP and IT author Jeremy Moskowitz predicted that more Windows PCs will be sold in 2021 than in the two previous years combined. Should a refresh surge of this magnitude occur next year, endpoint protection will be an even bigger issue than it is now. Steve Lawn says that endpoint security must become more consistent and constant in order to be effective in the near future. “We run into too many corporations where they have several different endpoint solutions,” he says. “This variety of solutions can cause a gap in the security of the endpoints and leave the environment open to attack.” Active monitoring is going to become an essential step in securing client and server devices. Just as there is no ‘set it and forget it’ approach to cybersecurity at the perimeter, endpoint security should not be treated as a passive task that can be forgotten.
HALOCK Security Labs in 2021
No one knows the exact future that awaits us. What we do know is that hackers and criminal organizations aren’t going to take their foot off the gas next year.
We invite you to talk to our team of SMEs to find out how to protect yourself from the threats of both today and tomorrow, and to learn about these and other challenges that await in the coming year.
Our comprehensive Risk Management Program can help you continually manage your risk to be “reasonable”, prioritize your IT investment and resources, and provide you with ready executive reporting to justify your budgets.
HALOCK Breach Bulletins
Recent data breaches, each with a description, indicators of compromise (IoC), containment, and prevention, to help you understand common threats and attacks that may impact you.