After an arduous 2020, the new year has finally arrived. While rollout of the COVID-19 vaccines suggests life could return to normal later in 2021, it’s likely change will be slow in the near term. This has implications for all aspects of our personal and professional lives, not the least of which is cybersecurity.
The widespread shift to remote working has resulted in undetected security vulnerabilities, which will continue to impact businesses in the months ahead. That said, it’s not all bad news. The New Year also brings new opportunities for automation to aid enterprises in their ongoing struggle to do more with less, along with other trends that have a positive business impact.
With that in mind, let’s take a look at some select cybersecurity themes for 2021.
Acceleration of WFH Sweetens Ransomware Pot
Expect to see continued growth of ransomware and monetization of exploits throughout the year. When the majority of companies were forced to implement remote working for all employees at the height of the pandemic, many loosened their infrastructure and created security gaps that hackers detected and exploited. Case in point: 2020 saw a huge uptick in ransomware attacks, with a seven-fold rise in these nefarious campaigns compared to the prior year. WFH may be considered a new normal across many industries, and ransomware will continue to be a major concern. I predict it will continue and worsen in 2021, with at least one or two major companies publicly falling prey to such attacks. As such, expect to hear ransomware discussed in earnings calls and to see it potentially have a negative long-term impact on company valuation. Also, I predict we’ll see more small and mid-sized companies seeking out cyber insurance coverage to protect themselves from the fallout from such attacks.
Continued IoT Adoption and WFH Bring Heightened Risk
IoT attacks are on the rise, with malware targeting IoT devices up 50% from the prior year. The bulk of these attacks were against consumer devices and, with more people working from home for the foreseeable future, the risks are high. We’ve already seen some discomforting IoT hacks ranging from smart home systems to baby monitors, but expect hackers to increasingly target consumers’ connected devices in an attempt to infiltrate corporate networks. With so many people working from home, security teams need to be concerned about your Ring doorbell as well as your company-issued laptop.
Grim Forecast for Cloud Service Attacks
Another COVID-related trend is the increased migration of data and services to the cloud. Again, as organizations were in a rush to ensure business continuity during the pandemic, many prioritized employee productivity over security. While that may have been the right decision for the time, companies now need to review those changes made in 2020 and ensure that they are secure for 2021. We’ve seen numerous attacks occurring because companies neglected to lock down cloud storage and databases, left credentials accessible in source code or failed to patch systems or maintain good security hygiene in virtual machines and containers. As more bad actors catch on to these mistakes, expect to see cloud service attacks increase.
Dearth of Skilled Labor = Increased Vulnerabilities
We’ve been talking about the IT skills shortage for years, but 2021 will see the lack of trained cybersecurity professionals emerge as a top enterprise vulnerability. Despite high unemployment rates, skilled cybersecurity resources remain elusive. Even the US government’s Cybersecurity and Infrastructure Security Agency is having trouble recruiting enough skilled cybersecurity labor. Coupled with the pandemic-related trends outlined above, many organizations will simply be unable to adequately cope due to a lack of experienced personnel. Expect to see cybersecurity training courses continue to proliferate and cybersecurity salaries surge.
More Fallout from the SolarWinds Attack
Investigators have said the SolarWinds hackers were linked to known Russian spying tools. The ‘backdoor’ used to compromise up to 18,000 customers of the US software maker closely resembled malware tied to Turla, a Russian hacking group that may be associated with Russia’s FSB security service. Security teams in the US government and private sector are still working to determine the full scope of this attack. As they dig deeper, we may find more links to Russia. It’s also possible that we may find more security and IT vendors that have been impacted. Researchers have indicated it could take months to understand the full extent of the compromise, and possibly even the full year to remove the hackers’ access from victim networks. The continuing fallout from this attack will likely consume the attention of large portions of government, government contractors and many Fortune 500 cybersecurity teams in 2021. It will also likely result in more stringent cybersecurity policies being established and enforced in response, especially policies targeting supply chain vulnerabilities.
An Extra Helping of Credential Stuffing
Hackers’ appetite for credential stuffing will increase this year, with account takeover (ATO) in particular on the rise. Records exposed in the old 2016 Yahoo! breach are still being used to carry out ATO attacks, and the recent Cit0day.in leak, in which 13 billion credential records were exposed, has given countless hackers ample fodder to take ATO to the next level. Our analysis indicates that there are a significant number of new records in Cit0day.in versus those disclosed in the 2019 Collections data leak. Given the sheer volume of available credentials, I predict we’ll trace a handful of high-profile ATO attacks to the Cit0day.in leak throughout 2021. To get ahead of this, companies would be wise to review all existing user credentials to ensure they have not been compromised – either by the Cit0day.in situation or another security event. Hindsight is always 20/20, but ignoring the threat of exposed credentials is one mistake organizations can’t afford to regret.
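One way to run the credential review described above, shown as an added example rather than code from the article or its author: test each leaked email/password pair against your own salted password hashes and flag only the accounts where the leaked password is still the current one. The function names, the PBKDF2 parameters and all sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the site's real password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_user_db(accounts: dict) -> dict:
    """Map email -> (salt, stored_hash), with a fresh random salt per account."""
    db = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        db[email] = (salt, hash_password(password, salt))
    return db


def find_exposed_accounts(user_db: dict, leaked_pairs: list) -> list:
    """Return accounts whose *current* password appears in the leak.

    Stored hashes are salted, so each leaked password is re-hashed with that
    user's own salt and compared in constant time.
    """
    exposed = set()
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()  # dumps vary in case and whitespace
        record = user_db.get(key)
        if record is None:
            continue  # leak entry does not belong to one of our users
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            exposed.add(key)
    return sorted(exposed)


# Constructed sample data: three accounts and four leaked email/password pairs.
USER_DB = build_user_db({"alice@example.com": "Summer2016!",
                         "bob@example.com": "correct horse battery staple",
                         "carol@example.com": "qwerty123"})
LEAKED_PAIRS = [("Alice@Example.com", "Summer2016!"),  # reused, still valid
                ("bob@example.com", "hunter2"),        # old, since changed
                ("carol@example.com ", "qwerty123"),   # trailing space in dump
                ("dave@example.org", "letmein")]       # not a customer
```

Accounts returned by `find_exposed_accounts` are candidates for a forced password reset; accounts whose leaked password no longer matches need no action.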
Increased Consumer Interest in Privacy
With the recent attacks in Washington, DC and the documentation of those events on social media, consumers are learning more about privacy the hard way. As Parler demonstrated, some of the most basic security measures were overlooked, and proper security processes would have prevented the automated scraping of the site’s data. Parler’s posts were accessible by a simple incrementing ID, so scraping was straightforward. Additionally, Parler didn’t require any authentication to view public posts and did not limit access to posts. Consumers assume privacy in most of their online activity, so the scraping of Parler caught them off guard. Consumers are learning to become more savvy about privacy and this may be a hotter trend in 2021.
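The three gaps named above, closed in one small post store, as an added example that is not Parler's code or the author's: random post IDs instead of a counter, a session token required for reads, and a per-client request cap. `PostStore`, `audit_enumeration` and the limits are hypothetical names and values, and the request cap is this example's reading of "limit access".

```python
import secrets
import time


class PostStore:
    """Public-post store with the three controls the paragraph says were missing."""

    def __init__(self, max_requests: int = 5, window_seconds: float = 60.0):
        self._posts = {}      # random post ID -> post text
        self._tokens = set()  # issued session tokens
        self._hits = {}       # token -> timestamps of recent requests
        self.max_requests = max_requests
        self.window_seconds = window_seconds

    def add_post(self, text: str) -> str:
        post_id = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        self._posts[post_id] = text
        return post_id

    def login(self) -> str:
        token = secrets.token_urlsafe(16)
        self._tokens.add(token)
        return token

    def get_post(self, token, post_id, now=None):
        """Return (status, body) using HTTP-style status codes."""
        now = time.monotonic() if now is None else now
        if token not in self._tokens:
            return 401, None  # authentication required
        recent = [t for t in self._hits.get(token, []) if now - t < self.window_seconds]
        self._hits[token] = recent
        if len(recent) >= self.max_requests:
            return 429, None  # per-client request cap reached
        recent.append(now)
        if post_id not in self._posts:
            return 404, None
        return 200, self._posts[post_id]


def audit_enumeration(store, token, guesses, now=0.0):
    """Count the status codes a client gets when it walks a list of ID guesses."""
    counts = {}
    for guess in guesses:
        status, _ = store.get_post(token, str(guess), now=now)
        counts[status] = counts.get(status, 0) + 1
    return counts
```

Running `audit_enumeration` with sequential guesses against a test instance shows what a crawler would see: misses until the cap is reached, then refusals.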
Organizations must be mindful of the areas outlined above and take steps to address them before bad actors have the chance to capitalize on existing vulnerabilities. The recent SolarWinds and FireEye attack underscores that no organization is immune to the threat of attack.
Just a few weeks into 2021, it is already clear that the New Year will be anything but predictable. While there will likely be much that is beyond organizations’ control, it is a good time for businesses to go through additional audits and reviews of their cybersecurity processes and practices. It’s impossible to entirely prevent attacks, but simple steps like enforcing policies around WFH access and reviewing credentials can go a long way in reducing the risk.