Introduction
Key Takeaways
From personal health and business resiliency to an increasing number of cyber breaches, 2020 was certainly the year of risks.
Fueled by the shift to remote teleworking as a result of COVID, we saw an unprecedented number of breaches—across all industries and levels of government—exposing millions of records and other sensitive data.
While much of the world adapts to an expected surge of coronavirus cases into the New Year and a hopeful recovery in the second half, cybersecurity risks will also continue to morph and change in the coming year.
Checking the Rearview Before We Depart
As many industry professionals are seeing firsthand, the accelerated shift to cloud applications for businesses and to ecommerce for consumers is expanding attack surfaces, so the odds are we will see more hacking attempts and, as a result, more successful breaches. In addition, leapfrog innovations in traditional IT, mobile, cloud, IoT, and IIoT will push the boundaries for understaffed and vulnerable ecosystems that can’t match leaps in innovation with equally strong security.
Here are some of the top trends every IT professional and company should understand and plan for in 2021.
Top Risks to Prepare for in 2021
1. Mid-market/SMB Risks
Often, effective cybersecurity is closely tied to the amount of staffing and budget allocated to it. As a result, we see larger organizations, like the Fortune 500, generally better prepared to keep up with today’s evolving threat landscape. As these large enterprises fortify their security perimeters, attackers are shifting their attention to less-prepared organizations such as small and midsize businesses (SMBs). This is meaningful because large companies rely on a large number of SMBs as part of their own supply chain, and vulnerabilities downstream create harmful access points and risks to the enterprise.
SMBs should expect to see an increase in email compromises, credential theft, and phishing attempts, and even old-school phone-based attacks in which employees are deceived into revealing sensitive data that helps attackers make their way into SMB systems.
What you can do: Understanding the security levels of your SMB and mid-market supply chain will remain critical. As many organizations—both large and small—have indicated, they will continue to extend remote work opportunities into 2021, so these types of risks are likely to remain throughout the new year and beyond. SMBs should focus on employee awareness education and training, while large enterprises should expand their vendor management programs on a wide scale to include more of their SMB partners and suppliers.
2. Managed Service Provider (MSP) Vulnerabilities
Increasingly, organizations are outsourcing IT to managed service providers (MSPs). While this gives organizations access to more resources and expertise than they may have in house, it can also increase security risks.
In June 2020, the U.S. Secret Service issued a warning highlighting an increase in attacks targeting MSPs. One of the challenges is that many MSPs use open-source software and other apps that are prone to vulnerabilities. Attackers want big pay-offs, and successfully exploiting a known vulnerability or weakness within one MSP opens the door for movement across multiple clients. Instead of hacking into one enterprise, an attacker can use an MSP as a gateway to hundreds of companies and their sensitive data, which makes MSPs valuable targets for threat actors.
We will see hackers ramp up their targeting of MSPs in 2021.
What you can do: If you’re using an MSP, make sure you ask tough questions about their security practices and ensure they’re meeting all of your legal, compliance, and regulatory standards. If you’re not doing it already, now is the time to audit your MSP contracts and service level agreements (SLAs). Be sure to do this routinely, not just when you’re up for a renewal. Check to see if your MSP is working with third-party suppliers, and if they are, you’ll want to ensure those third parties are also meeting your SLA requirements.
It’s also a good idea to evaluate all of the remote administration tools your MSP uses to access your environments. And, as the Secret Service recommends, adopt 2FA or another form of MFA for your remote logins.
3. More Apps Mean More Risks
Organizations of all sizes are quickly recognizing the efficiencies and cost savings associated with cloud migration. As a result, many organizations are doubling down on acquiring cloud-based apps, especially in our new pandemic-led teleworking world.
IBM’s 2020 Work from Home Study revealed that 53% of people working from home are using their personal laptops for work, which increases security risks. Not only are these employees downloading applications for work use, but these machines may also host applications for personal use, sometimes across families, including children.
Even on work-issued machines, many app purchases are made on an individual or departmental basis with no formal process for evaluating the third-party vendor risks associated with these apps. Unsecured apps can lead to unintended compromises across your entire enterprise. Attackers know this, and as they anticipate continued adoption of teleworking as a new standard, they’ll ramp up their focus on infiltrating cloud-based apps in 2021.
What you can do: First, you should ensure your organization has clearly defined security policies for all remote workers that specify do’s and don’ts for everyone. If you need security policies, you can find some great templates here.
Champion effective communication and routinely educate your employees on your standards for downloading and using third-party apps. Also, be sure to provide your employees with the tools needed to keep your data safe, for example, secure virtual machine (VM) access, VPNs, and anti-virus software. Build an asset inventory of all of the software your organization uses and audit it frequently, with a particular focus on access control (who can access which systems and software apps).
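The inventory-and-access audit recommended above can be made routine with a small script. The following is an added example and is not Apptega's tooling or part of the original article; the application inventory, the access grants, the `App` and `Grant` record types, the `audit` and `access_matrix` functions, and the 90-day staleness threshold are all constructed for illustration. It joins a software inventory (with approval status and data sensitivity) against access grants and reports apps in use that never passed vendor-risk review, grants on apps missing from the inventory entirely (shadow IT), grants nobody has used recently, and admin roles on sensitive apps.

```python
"""Audit a software asset inventory against access grants (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class App:
    name: str
    owner: str        # department accountable for the app
    approved: bool    # passed the vendor-risk review
    sensitive: bool   # stores regulated or business-critical data


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    role: str
    last_used: date   # last observed login or API use


# Constructed sample inventory: one app was bought by a department without review.
APPS = [
    App("payroll-saas", "finance", approved=True, sensitive=True),
    App("team-chat", "it", approved=True, sensitive=False),
    App("file-share-x", "marketing", approved=False, sensitive=True),
]

# Constructed sample grants: "shadow-crm" is not in the inventory at all.
GRANTS = [
    Grant("alice", "payroll-saas", "admin", date(2020, 12, 1)),
    Grant("bob", "payroll-saas", "viewer", date(2020, 6, 1)),
    Grant("carol", "file-share-x", "editor", date(2020, 11, 20)),
    Grant("dave", "team-chat", "member", date(2020, 12, 10)),
    Grant("erin", "shadow-crm", "admin", date(2020, 12, 5)),
]

TODAY = date(2020, 12, 15)  # fixed "today" so the example is reproducible


def audit(apps, grants, today, stale_days=90):
    """Return (severity, kind, detail) findings for the given inventory and grants."""
    inventory = {a.name: a for a in apps}
    in_use = {g.app for g in grants}
    findings = []

    # Apps that are actively used but never went through vendor-risk review.
    for app in apps:
        if not app.approved and app.name in in_use:
            findings.append(("high", "unapproved_app",
                             f"{app.name} (owner: {app.owner}) is in use without vendor-risk review"))

    for g in grants:
        app = inventory.get(g.app)
        if app is None:
            # A grant on an app the inventory does not know about is shadow IT.
            findings.append(("high", "shadow_app",
                             f"{g.user} holds {g.role} on {g.app}, which is not in the inventory"))
            continue
        if today - g.last_used > timedelta(days=stale_days):
            findings.append(("medium", "stale_access",
                             f"{g.user}'s {g.role} on {g.app} unused since {g.last_used}"))
        if app.sensitive and g.role == "admin":
            findings.append(("info", "admin_on_sensitive",
                             f"{g.user} is admin on sensitive app {g.app}; confirm this is still required"))
    return findings


def access_matrix(apps, grants):
    """Who can access what: app name -> sorted list of 'user:role' strings."""
    matrix = defaultdict(list)
    for g in grants:
        matrix[g.app].append(f"{g.user}:{g.role}")
    return {app: sorted(users) for app, users in matrix.items()}


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit(APPS, GRANTS, TODAY)


if __name__ == "__main__":
    for severity, kind, detail in run_audit():
        print(f"[{severity:6}] {kind:18} {detail}")
    for app, users in access_matrix(APPS, GRANTS).items():
        print(f"{app}: {', '.join(users)}")
```

Feeding the script real data is a matter of replacing the two constructed lists with exports from your SaaS management or identity provider; the useful part is running it on a schedule and treating every "shadow_app" and "unapproved_app" finding as a ticket for the owning department.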
4. Not Enough Security Talent
Even as reported cyber incidents spike, there is an increasing shortage of the cybersecurity talent needed to address them. Worldwide, there are currently more than 3 million unfilled job openings in the field, growing by almost 1 million new openings every 18 months. Companies of all sizes are struggling to hire for security, and that includes almost a million more workers needed to meet the demand in the U.S. alone.
According to “The Life and Times of Cybersecurity Professionals 2020,” published jointly by Enterprise Strategy Group and the Information Systems Security Association International (ISSA), the skills shortage in cybersecurity is only getting worse, with 70% of ISSA members saying the shortage has impacted their organization.
Why is this happening? Cybersecurity professionals earn among the highest salaries in IT, for many comfortably well into six figures. As breaches and other incidents increase, so grows cybersecurity as an industry. So why are we struggling to find workers? It may very well be related to costs, the level of training, and the years of real-world experience required to gain cybersecurity expertise.
What you can do: In the short-term, many organizations may choose to deal with the skills shortage by not addressing it at all and instead turning to more managed security service providers (MSSPs) to handle their needs in 2021 and beyond. That can be a very viable choice.
But, if we’re looking more long-term for a solution, the answer may be in a unified model that pools the resources of government, private organizations, and educational institutions to develop programs and incentives to bridge these gaps. I talked about this recently with CISO Magazine, where I shared a great example, the Cybersecurity Talent Initiative. Through this program, students can earn student loan forgiveness while building cybersecurity skills. We should all be thinking about this in 2021 and work toward programs that make this type of education available to more people, with a focus on building more diverse programs that introduce cybersecurity to a new generation of potential professionals.
5. Vendor Overload
Vendors, vendors everywhere. Many IT professionals don't know what to make of the flooded cybersecurity vendor market. There are more than 5,000 security vendors in the U.S. alone, and the list is growing rapidly. With so many vendors, organizations and the teams they’re tasking to tackle cybersecurity are experiencing vendor fatigue and confusion.
Not only are there countless vendors in the market, their solutions produce disparate data and results, leaving professionals struggling to cobble solutions together and dig out of the data overload that comes with them. While new solutions may give us more insight into security risks, many struggle to decipher the results and turn them into meaningful actions that actually make organizations safer.
What you can do: It’s easy to get caught up in all the bells and whistles and marketing messages for a new or improved solution. Many buyers go into a new purchase led by the vendor first—where the vendor tells the buyer what it can do and then the organization scratches its head trying to figure out how to make it work.
Flip this script on its head. Do a business impact analysis and risk assessment to determine what your organization needs. Shortlist vendors that meet those needs. Look for vendors and solutions that can grow and scale with you. Better yet, look for solutions that are simple to use and integrate with your most critical business systems and applications. Make your vendors tell you how their solution works for you. Then, take it for a test drive and see for yourself before committing.
If your resources and time are limited, consider going to a cybersecurity marketplace like CyberXchange to help you understand your organization’s needs and priorities and then easily find solutions. I think we’ll see in 2021 that security professionals will start to care less about working with the biggest providers and care more about purpose-built solutions that are easy to use and provide clear, measurable value.
About Armistead Whitney
Armistead Whitney, Apptega Founder, is a cybersecurity entrepreneur, investor, and visionary with nearly three decades of experience leading tech and security companies across the U.S. Armistead is well respected for his ability to turn ideas into profitable businesses, including raising more than $50 million in venture capital and being involved in several tech exits and an IPO. He is a featured speaker on emerging global technology and security issues, having appeared on CNN, Fox News, ABC News, and in the Wall Street Journal. For more information, visit www.apptega.com.