Predictions are always a risky business. Anyone writing this post a year ago could not have seen what was waiting in store in 2020. In cybersecurity, the wholesale shift from the office to the virtual workspace has transformed everything, in unforeseen ways. To give just one example: collaboration tools like Slack and Teams have become a serious threat vector, on a scale never seen before.
However, 2021 looks like it should be more predictable. Vaccines will roll out, and the cybersecurity lessons learned this year will continue to prove useful. With this in mind, what can we say about next year in cybersecurity? What trends are we likely to see? What shifts should enterprises be prepared for? Here, I’ve pinpointed three answers to these questions:
- Cyberattacks will become more personalized, via social engineering
- Enterprises will stay very paranoid, as cybercrime gets worse and worse
- The password will finally start to die out as a primary layer of defense
The Increasing Personalization of Cybercrime
Personalization is all the rage in B2C consumer technologies. It is also a tactic increasingly embraced by bad actors, chiefly through social engineering.
The 2020 Trustwave Global Security Report analyzed a trillion security and compromise events and concluded that “social engineering reigns supreme in method of compromise.” Increasingly, social engineering attacks arrive over social channels as much as over email. Verizon’s 2020 Data Breach Investigations Report found that 22% of all data breaches involved social attacks as a tactic.
Social engineering is about the personalization of cyberattacks. In 2021, we should expect this personalization to increase.
Brian Honan, CEO of the Irish firm BH Consulting, is an infosecurity thought leader. He had the following to say on this topic:
“In 2021, criminals will look to make their phishing and social engineering attacks much more targeted and personal,” Brian predicts. “This will be the case whether those attacks are launched against individuals or against organizations via key staff. Our social media activity will provide criminals with more ammunition and capabilities to make their attacks seem more convincing and personal.”
To stress: the issue here is not email. As Brian says, “criminals will look at other channels to launch attacks against companies; mainly their social media channels. Personal data leaked online through social media will become weaponized.”
Just look at how the ATM infrastructure of the Chilean banking system was compromised by North Korean hackers, as reported by ZDNet. Where did the attack begin? LinkedIn. The attackers carefully selected their victims and tailored their contact to fit each target. This kind of personalization works, which is why it will continue in 2021.
It’s Not Paranoia if They’re Really Out to Get You
The increasing personalization of cyberattacks is one of the elements that will make 2021 a paranoid year for enterprises. As Javvad Malik, a Security Awareness Advocate at KnowBe4, puts it:
“In 2021, the default position for most organizations will be full paranoia. Can you trust your email? Your social media feed? Your politicians? Your customers? Your employees? Your corporate devices? The answer will be a resounding no.”
This increasing fear is borne out in the numbers. Gartner predicts that cybersecurity spending will reach $170.4 billion globally by 2022. Spending has already increased dramatically in many countries: in Australia and China, 50% and 47% of companies respectively reported exceeding their cybersecurity budgets.
This paranoia isn’t unwarranted. 2020 was a record year for cybercrime. 53% of respondents to ISACA’s State of Cybersecurity 2020 report expect a cyberattack on their organization within 12 months. Cyberattacks are the fastest growing type of crime in the US. Globally, Cybersecurity Ventures expects cybercrime damages to reach $6 trillion next year, double its $3 trillion estimate for 2015.
In short, 2021 will be a year in which enterprises stay very worried. There will be no relaxing of vigilance or wariness. We should all be ready for a paranoid mood to continue to influence the cybersecurity industry at large.
Passwords in Question
For a while now, passwords have felt a bit 1995: the memorization, the clicking on the “I forgot my password” link, and above all the flimsy security they provide. Here’s Javvad Malik again:
“2021 will be the tipping point for passwords. With advancements and adoption of FIDO and MFA, we’re going to see fewer new services offering only passwords as a form of authentication.”
Considering the dangers of relying on passwords, this is no surprise. Poor password behaviour remains one of the leading causes of data breaches, according to IT Governance.
NordPass and its partners reveal that people are still as lazy as ever when it comes to choosing passwords, and this goes as much for enterprise employees as for your mom. Of the 275,699,516 passwords exposed in 2020 data breaches, only 44% were unique; the rest were reused across accounts or shared with other users.
The most popular password according to NordPass? “123456,” used by over 2.5 million people.
In short, the password’s days are numbered, at least as a sole or primary form of defence. We have already been seeing rapid growth in the adoption of Fast Identity Online (FIDO) and multi-factor authentication (MFA). In fact, during the FIDO Alliance’s Authenticate 2020 conference, it was revealed that various government units and agencies have recognised FIDO standards and are now enforcing them alongside existing digital ID policies.
MFA (multi-factor authentication), meanwhile, is now considered one of the best practices in cybersecurity and is seeing increased adoption within businesses across industries. 2021 will see both these trends accelerate.
However, Javvad also predicts an increase in attacks against MFA or passwordless technologies: “We’ve already seen examples of SIM hijacking to obtain the SMS codes, but this will likely ramp up and we’ll start to see bigger and worse attacks.”
(SIM hijacking, or SIM swapping, sees bad actors use social engineering to trick a mobile phone provider into assigning the target’s phone number to a SIM the attacker controls, so that SMS one-time codes are delivered to the attacker.) The Federal Bureau of Investigation (FBI) has released a Private Industry Notification (PIN) detailing how cybercriminals circumvent MFA, including SIM swapping and real-time phishing pages that relay a victim’s one-time code to the legitimate site. The weakness these attacks exploit is that an SMS or app-generated code is just a short string: the server cannot tell where the user typed it. FIDO authenticators avoid this by signing the site’s origin and relying-party identifier into the response, so a code captured on a look-alike domain is useless.
However, even though MFA isn’t perfect, it remains a lot better than the humble password! Expect 2021 to be the year in which services that rely on passwords alone become a shrinking minority.
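To make the difference concrete, here is an added example (my own illustration, not code from the original post or from any vendor mentioned above): a small Python simulation of an SMS one-time code being relayed through a phishing page, next to a FIDO/WebAuthn-style assertion check that rejects the same relay because the browser bakes the origin and relying-party ID into what the authenticator signs. The relying party `bank.example`, the phishing domain and the credential secret are hypothetical, and the authenticator’s signature is simulated with an HMAC over the same message layout the real protocol signs (authenticatorData followed by SHA-256 of clientDataJSON); a real authenticator uses an asymmetric key, but the origin-binding logic is identical.

```python
"""Added example: why an SMS code can be relayed by a phishing site but a
FIDO/WebAuthn assertion cannot. All names here are hypothetical."""
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                            # hypothetical relying party
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example-login.com"   # hypothetical phishing site


# ---------- SMS one-time code: nothing ties the code to where it was typed ----------

def sms_server_verify(issued_code: str, submitted_code: str) -> bool:
    """The server sees only a six-digit string; it cannot tell whether the user
    typed it into the real login page or into a phishing page that relays it."""
    return hmac.compare_digest(issued_code, submitted_code)


def sms_relay_attack() -> bool:
    """Constructed scenario: victim enters the SMS code on the attacker's page,
    attacker forwards it to the real server before it expires."""
    issued = "483920"              # constructed sample code sent by SMS
    stolen_by_phish = issued       # exactly what the victim typed on the fake page
    return sms_server_verify(issued, stolen_by_phish)   # True: attacker is in


# ---------- FIDO/WebAuthn assertion: origin and rpId are part of the signed data ----------

def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON is built by the browser, not by the page's JavaScript,
    so a phishing page cannot claim to be bank.example."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_secret: bytes, rp_id: str, client_data: bytes):
    """Simulated authenticator. authenticatorData begins with SHA-256(rpId);
    the flags byte and signature counter are stubbed. The HMAC stands in for
    the real asymmetric signature over authData || SHA-256(clientDataJSON)."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01"                      # flags: user present
                 + (1).to_bytes(4, "big"))       # signature counter
    msg = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, msg, hashlib.sha256).digest()
    return auth_data, sig


def rp_verify(cred_secret: bytes, challenge: bytes, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != challenge.hex():       # replay protection
        return False
    if cd.get("origin") != RP_ORIGIN:                # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)        # signature over both


def webauthn_login(origin_user_is_on: str) -> bool:
    """Full round trip: RP issues a challenge (a phishing proxy can relay it
    unchanged), the browser records the origin the user is really on, the
    authenticator signs, and the RP verifies."""
    cred_secret = os.urandom(32)   # registered credential (simulated key)
    challenge = os.urandom(32)
    client_data = browser_client_data(challenge, origin_user_is_on)
    auth_data, sig = authenticator_sign(cred_secret, RP_ID, client_data)
    return rp_verify(cred_secret, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("SMS code relayed via phishing page accepted:", sms_relay_attack())
    print("WebAuthn login from real origin accepted:   ", webauthn_login(RP_ORIGIN))
    print("WebAuthn login relayed via phishing origin: ", webauthn_login(PHISH_ORIGIN))
```

The relayed SMS code is accepted because the server has no way to know it was entered on a look-alike domain, which is exactly what SIM swapping and real-time phishing proxies exploit. The relayed WebAuthn assertion fails at the origin check even though the challenge is genuine, and in a real browser the phishing page could not even ask for a `bank.example` credential, since the browser only allows an rpId that matches the page’s own domain.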
Readying Ourselves for 2021
If 2020 taught us anything, it’s that the future is always unpredictable. No-one knows for sure what 2021 will bring.
However, I believe the three trends listed here are pretty firm bets. As we all try to build business agility and resilience for 2021, we need to do our best to look into our crystal balls.
I hope my fortune-telling here proves useful to you.