State of Cybersecurity 2020-21, III

Glimpsing the trends for 2021

Blog State of Cybersecurity 2020-21, III

| 5 min read

Contact us

This post is the third and last part of the State of Cybersecurity 2020-21. Of course, to close the subject, we have to emphasize the year that is soon to come, and for which many people in the field of cybersecurity are making some predictions.

Let's start with some of them:

  • For some years now, Cybersecurity Ventures' researchers have proposed that the global annual cost of cybercrime by 2021 will be $6 trillion. This would double the value reported in 2015.

  • They also predicted that ransomware, by 2021, worldwide, will cost 57 times more than five years ago, reaching $20 billion, and with a new victim every 5 seconds.

  • In terms of global spending on cybersecurity services and products, in 2004, it was worth $3.5 billion, which grew approximately 35 times in 13 years. In the next five years, from 2017 onwards, this value is predicted to exceed $1 trillion on a cumulative basis.

Apparently, based on ENISA's report, we'll continue to see an increase in malware activity in the coming years. These cyber threats are regularly improving their characteristics, including, for example, new propagation mechanisms. File types like disc image files (i.e., IMG, ISO) are becoming famous for spreading malware, apart from the typical XLS, PDF, DOC and ZIP files. Once the malware is installed, it allows recognition and movement on the victim's systems and affects their operation or steals data.

On the other hand, there are omens about the expansion of attacks on the mobile sector. Users are now more and more dependent on it, even in their businesses. "Fraudulent apps, SIMJacking and operating systems exploits make these devices the weakest link." Similarly, there are current warnings about the possible growing impact of attacks on companies via IoT devices. These machines are increasing in number and have the reputation of not being up to date in terms of security. They can mean easy entry points into companies' networks for cybercriminals.

Highly planned and targeted ransomware attacks on the public sector, especially government and healthcare organizations, may keep their expansion during the COVID-19 pandemic. We'll undoubtedly continue to observe what is currently presented in ENISA as an emerging trend: "Attackers […​] spending more time gathering intelligence about their victims, knowing exactly what to encrypt, achieving maximum disruption and higher ransoms."

For more information on what's currently representing a trend among cybercriminals and may continue to do so in the near future, we invite you to check the first post of this series. At this point, we want to highlight some preventive approaches that we believe will continue being trends in the coming year.

Korpa

Photo by Jr Korpa on Unsplash.

Shift to the left

A crucial suggestion for your organization's security, which we at Fluid Attacks never get tired of sharing, is to shift the 'security element' to the left. In short, this means that any company creating or using software (almost all of them today) should think about its security and apply it from the beginning. This methodology belongs to the DevSecOps approach. There, security testing must be continuous —covering the whole software development lifecycle (SDLC)—, and ensures significant savings in time and money. Then, for the next year, many businesses should move away from the approach of searching for and identifying vulnerabilities in their systems and software only after deployment to production. In such cases, attackers may already have access to the gaps. And these issues may not be immediately remediated and may require considerable time, effort and money due to their quantity and complexity.

Get started with Fluid Attacks' Security Testing solution right now

Secure hosting in the cloud

Cloud services adoption will continue to increase over the next year as multiple firms adapt to the much-requested remote working. (Learn here about our experience.) These firms should be aware of the flaws (mainly related to unintended misconfigurations) that are often reported regarding this type of service. Defects that have many times resulted in significant data breaches. On their side, cloud service providers have the challenges of keeping solutions up to date and, at the same time, implementing methods for identifying configuration errors asap.

Employees educated in security

Concerns will remain in many companies because some remote workers are not familiar with proper security controls and practices. We have already mentioned that attackers are at this time paying too much attention to the human factor to penetrate organizations' systems. And they'll surely keep on doing so. That's why training staff and creating a cybersecurity culture will continue to be a priority to protect data assets.

Cybersecurity with multidisciplinary teams

Linked to the previous trend appears another one that will continue to be outstanding next year. It refers to the formation of multidisciplinary teams focused on cybersecurity. We had already mentioned the lack of trained personnel in this area and the number of vacancies not being filled. However, different professionals from their particular skills and experiences will provide companies with diverse contributions to respond to cybersecurity challenges and opportunities. Cybersecurity is no longer an issue that only engineers will work on. We'll also have professionals in statistics, economics, cognitive science, business, political science, among other areas of knowledge.

Reevaluate cybersecurity

Companies will need to continually reevaluate their cybersecurity, protect every endpoint and maintain necessary security controls after this digital transformation forced by the pandemic. Many organizations concerned with their security, following many decision-makers' advice, will begin to employ a zero-trust approach, implementing a strict restriction of access and verification of everything. They should always recognize that although in most cases the threats are external, criminals can also be part of their staff. A firm adequately prepared for cyber threats in 2021 will appreciate the benefit of handling multi-factor authentication processes. It will also ensure that its employees create sufficiently complicated passwords and change them with a specific frequency. Some companies will even start using biometric authentication methods, such as face verification for their staff, and why not, for their customers or users.

A mixture of automatic and manual work

By 2021 the idea of valuing and recommending manual more than automatic work will be kept active, just for a matter of results. As discussed in part II, the excess of false negatives and positives in automatic tools' operations continues to make ethical hackers an essential factor in evaluating IT security. Following the x or y technique, an automated procedure delivering results will always be insufficient compared to a comprehensive process covering a mixture of automatic and manual hacking. The technological advances are quite useful to us as they are to you. However, we recommend that you do not let yourself be seduced by the skills that many firms intend to confer on their testing tools.

Conclusion

Finally, hoping that we'll see a more clear and promising future amid so much uncertainty, many businesses must continue their adaptation in cybersecurity. With the help of experts, each company persistently has to stay informed about the risks and the best prevention strategies to be implemented right away. Besides, every staff must be trained as a group and maintain a collaborative effort that in 2021 and the next years will allow their systems and assets to be as protected as possible.

Do you have any questions? Do not hesitate to contact us!

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Logan Weaver on Unsplash

Introduction to cybersecurity in the aviation sector

Photo by Maxim Hopman on Unsplash

Why measure cybersecurity risk with our CVSSF metric?

Photo by Jukan Tateisi on Unsplash

Our new testing architecture for software development

Photo by Clay Banks on Unsplash

Protecting your PoS systems from cyber threats

Photo by Charles Etoroma on Unsplash

Top seven successful cyberattacks against this industry

Photo by Anima Visual on Unsplash

Challenges, threats, and best practices for retailers

Photo by photo nic on Unsplash

Be more secure by increasing trust in your software

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.