By Felipe Ruiz | November 24, 2020
This post is the third and last part of the State of Cybersecurity 2020-21. Of course, to close the subject, we have to emphasize the year that is soon to come, and for which many people in the field of cybersecurity are making some predictions.
Let’s start with some of them:
For some years now, Cybersecurity Ventures' researchers have proposed that the global annual cost of cybercrime by 2021 will be $6 trillion, doubling the value reported in 2015.
They also predicted that ransomware, by 2021, worldwide, will cost 57 times more than five years ago, reaching $20 billion, and with a new victim every 5 seconds.
In terms of global spending on cybersecurity services and products, in 2004, it was worth $3.5 billion, which grew approximately 35 times in 13 years. In the next five years, from 2017 onwards, this value is predicted to exceed $1 trillion on a cumulative basis.
Apparently, based on ENISA's report, we will continue to see an increase in malware activity in the coming years. These cyber threats are regularly improving their characteristics, including, for example, new propagation mechanisms. File types like disc image files (i.e., IMG, ISO) are increasingly used for spreading malware, apart from the typical XLS, PDF, DOC, and ZIP files. Once the malware is installed, it allows reconnaissance and lateral movement on the victim's systems and affects their operation or steals data.
On the other hand, there are forecasts of an expansion of attacks on the mobile sector, on which users currently depend more and more, even in their businesses. "Fraudulent apps, SIMJacking and operating systems exploits make these devices the weakest link." Similarly, there are current warnings about the possible growing impact of attacks on companies via IoT devices, which are increasing in number and have the reputation of not being up to date in terms of security. They can be easy entry points into companies' networks for cybercriminals.
Highly planned and targeted ransomware attacks on the public sector, especially government and healthcare organizations, may keep expanding during the COVID-19 pandemic. We will undoubtedly continue to observe what ENISA currently presents as an emerging trend: "Attackers […] spending more time gathering intelligence about their victims, knowing exactly what to encrypt, achieving maximum disruption and higher ransoms."
For more information on what currently represents a trend among cybercriminals, and may continue to do so in the near future, we invite you to check the first post of this series on the State of Cybersecurity 2020-21. At this point, we want to highlight some preventive approaches that we believe will continue to be trends in the coming year.
A crucial suggestion for your organization's security, which we at Fluid Attacks never get tired of sharing, is to shift the 'security element' to the left. In short, this means that any company creating or using software (almost all of them today) should think about its security and apply it from the beginning. This methodology belongs to the DevSecOps approach, in which security testing must be continuous, covering the whole software development lifecycle (SDLC), and ensures significant savings in time and money.
Then, for the next year, many businesses should move away from the approach of searching for and identifying vulnerabilities in their systems and software only after deployment to production. In such cases, attackers may already have access to the gaps, which may not be immediately remediated and may require considerable time, effort and money due to their quantity and complexity.
Cloud services adoption will continue to increase over the next year as multiple companies adapt to the much-requested remote working. (Learn here about our experience.) These companies should be aware of the deficiencies (mainly related to unintended misconfigurations) that are often reported regarding this type of service and which have often resulted in significant data breaches. On their side, cloud service providers have the challenges of keeping solutions up to date and, at the same time, implementing methods for identifying configuration errors as soon as possible.
Concerns will remain in many companies because some remote workers are not familiar with proper security controls and practices. We have already mentioned that attackers are currently paying close attention to the human factor to penetrate organizations' systems. And they will surely keep on doing so. That's why training staff and creating a cybersecurity culture will continue to be a priority to protect information assets.
Linked to the previous trend is another one that will continue to be outstanding next year: the formation of multidisciplinary teams focused on cybersecurity. We had already mentioned the shortage of trained personnel in this area and the number of vacancies not being filled. However, professionals with different skills and experiences will provide companies with diverse contributions to respond to cybersecurity challenges and opportunities. Cybersecurity is no longer an issue that only engineers will work on, but also professionals in statistics, economics, cognitive science, business, political science, among other areas of knowledge.
Companies will need to continually reevaluate their cybersecurity, protect every endpoint, and maintain necessary security controls after this digital transformation forced by the COVID-19 pandemic. Many organizations concerned with their security, following many decision-makers' advice, will begin to employ a zero-trust approach, implementing a strict restriction of access and verification of everything. They should always recognize that although in most cases the threats are external, criminals can also be part of their staff. A firm adequately prepared for cyber threats in 2021 will appreciate the benefit of handling multi-factor authentication processes. It will also ensure that its employees create sufficiently complicated passwords and change them with a specific frequency. Some companies will even start using biometric authentication methods, such as face verification for their employees, and why not, for their customers or users.
By 2021, the idea of valuing and recommending manual work over automated work will remain active, simply as a matter of results. As discussed in part II (which you should read for more recommendations), the abundance of false negatives and false positives in automated tools' operations continues to make ethical hackers an essential factor in the evaluation of IT security. Whatever technique is followed, an automated procedure delivering results will always be insufficient compared to a comprehensive process covering a mixture of automated and manual hacking. Technological advances are as useful to us as they are to you. However, we recommend that you do not let yourself be seduced by the capabilities that many companies claim for their security testing tools.
Finally, hoping that we will see a more transparent and promising future amid so much uncertainty related to the pandemic, many businesses must continue their adaptation in cybersecurity. With the help of experts, each company persistently has to stay informed about the risks and the best prevention strategies to be implemented immediately. Besides, all staff must be trained as a group and maintain a collaborative effort that in 2021 and the following years will allow their systems and assets to be as protected as possible.