Looking forward to 2021, Fujitsu expects challenges to persist as organisations look to ensure their remote workforces’ security and productivity. It also expects a reset in the attitudes towards risk as organisations grapple with the dilemma of tackling new challenges with lower security budgets and anticipate the increased use of new technologies to open new security vulnerabilities.
The next 12 months will undoubtedly have its challenges. Still, organisations that are aware of these risks and take steps to mitigate their impact will be well-positioned to secure future growth in what is likely to be another interesting year.
Fujitsu’s Head of Enterprise and Cyber Security, Fiona Boyd’s top 10 cyber security predictions:
1) Working from home has increased the attack surface
The proliferation of working from home has forced many organisations to expedite their digital strategies.
Employees have been forced to change their working habits and patterns, as many people are now working from home. This increases the so-called attack surface for any company – mainly if employees use personal devices to connect to corporate resources, since these may not have an enterprise-class level of protection. Spear-phishing emails, in particular, increase the threat to organisations. These often follow traditional attack profiles in terms of initial reconnaissance via social media before any attempt is made to compromise a user’s credentials. The end state is a crafted, targeted email. Increasingly, these emails appear to be more credible.
As home working looks set to continue, organisations should make sure employees are educated and alert for phishing emails.
2) Success requires finding the right balance between security and user experience
The global pandemic has changed user behaviour in terms of how we are communicating, working, consuming, and spending our free time. This creates new requirements for the services we use. One common theme to all these changes and new demands is that all require our digital identities.
The sophistication of how organisations use, manage, and protect identities has not yet reached the so-called new normal. For many, this means that security controls surrounding identities still have a negative impact on user experience. Users find security to be complicated, cumbersome, and time-consuming. Consequently, frustration often results in users abandoning a service or bypassing security controls. The winners in the new normal will be those able to adapt to these new requirements and provide a strong user experience in a secure and trusted way.
3) Risk appetites must be re-evaluated
Many security teams will enter 2021 with reduced budgets due to the impact of COVID-19.
This will require careful evaluation of spending priorities and will necessitate hard choices about which investments to cut. This will mean firms cannot evolve their security posture in line with changing security threats. Consequently, they will have to accept a higher risk that complex attacks will be successful and go undetected for longer.
4) New life for ransomware attacks
Ransomware attacks are set to grow in scale and sophistication throughout the next year.
We are already seeing increasing numbers of attacks on previously untapped market sectors, such as healthcare. The nature of the damage of a ransomware attack is also changing. We see an increase in extortion in terms of the number of attackers threatening to release stolen data into the public domain (also known as Doxxing) rather than simply locking it away.
To compound these issues, we expect to see greater use of AI technology in ransomware attacks, as attackers seek to launch increasingly sophisticated, coordinated attacks to evade today’s detection measures. AI will be part of the problem. It also offers part of the solution, as it continues to develop greater capabilities to detect and flag suspicious behaviour.
5) The age of disinformation attacks
The pandemic has had a significant impact on everyone and disrupted our social and work lives.
There has been one constant throughout: cybercriminals leveraging current topical themes, such as the UK’s withdrawal from the EU, elections and COVID-19. At their core, criminals are launching social engineering attacks designed to take advantage – and even create – panic and fear. In 2021, we will see new themes used to target businesses and individuals, focusing on pandemic-related topics such as mandatory vaccines, health passports, mass testing, and lockdowns. We anticipate a lot of disinformation on these topics. With the desire of many to return to post-pandemic normality, we expect multi-vector attacks built on these themes from both criminal gangs and nation-states. Some countries are already testing the use of machine learning to defend against disinformation campaigns.
6) Security compromised while privacy preserved
DNS over HTTPS is set to become a common attack vector.
This has become a standard feature of mainstream web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge. Effectively, this means security controls cannot analyse website requests. On the surface, this is a viable development in terms of user privacy. However, many cyber security attacks rely on access to an external website to retrieve malicious files as part of a multi-stage attack. DNS over HTTPS encrypts these requests, meaning that these requests are masked from security controls, and giving an attacker the upper hand before cyber defenders can react and respond.
Organisations should carefully evaluate whether to enable this feature on corporate devices and consider the new office dynamic, with an increasing number of workers connecting from home on personal devices to corporate infrastructure and services, increasing the opportunity for this attack type.
7) 5G will rapidly open more potential vulnerabilities
As 5G technology matures and telcos continue to roll out 5G networks, security concerns will also increase.
Among others, these will stem from an endless stream of insecure IoT devices that manufacturers are rushing to market, as well as the security requirements of critical national infrastructures. 5G security is and will remain a national security concern. It will increase enterprises’ need to revisit their security strategy for using public and untrusted mobile networks.
Organisations cannot ignore the opportunities that 5G provides. Nevertheless, to ensure their safety, they should adopt a secure-by-design mindset when exploring how to use 5G networks best.
8) Security concerns for the Internet of Behaviours
As we develop new remote ways of going about our everyday business during the pandemic, the world is now connected more than ever.
The Internet of Things (IoT) has driven innovation in every area of life, including connected homes, internet-enabled and autonomous cars, health monitoring via smartwatches, and even the testing of drones to deliver our online shopping. However, the IoT exploded without a robust security framework. The proliferation of attacks meant that the privacy of CCTV cameras and some other IoT devices was compromised in huge DDoS attacks. 5G will accelerate the potential for the use of connected devices to track individuals’ everyday behaviour, observe where we go, who we see, where we shop, what we buy – and even to use facial recognition to work out our identity.
This innovation must be coupled with robust data privacy controls, which should be evaluated up front rather than as an afterthought, so we can trust that the same data is not used nefariously and targeted by threat actors.
9) Hitting where it hurts
Attacks that target characteristics specific to certain industries will continue to present more significant opportunities.
The number of attacks on connected cars has risen sharply in the last year, while in the manufacturing and utility sector, Operational Technology (OT) systems have seen a quadruple figure percentage increase in attacks. The targeting of these technologies is growing because they have less mature security controls. Many can directly impact an organisation’s operations. We expect this trend to continue in 2021.
On the positive side, we expect more organisations to recognise the value of cloud computing as a reliable means to deliver OT security to locations where it is not practical or feasible for a physical deployment.
10) Cloud-centric does not equal threat free
Multi-layered cloud protection will take on new importance in 2021.
As organisations move toward a cloud-centric future, there will be continued disruption attempts for monetary, intellectual property, or political gain. In the first half of 2019, Netscout reported 4.8 million DDOS attacks. Ransomware attacks were also up 50% in Q3, according to data from Check Point. Such attacks can cripple businesses in very short timeframes, and the financial impact has seen companies willing to pay a ransom for their data or bring their services back online.
This trend is a cause for concern, and multi-layered cloud protection should be a focus area for many businesses in 2021 as they balance digitalisation and security.