State of Cybersecurity 2020-21, III: Glimpsing the trends for 2021
This post is the third and last part of the State of Cybersecurity 2020-21. Of course, to close the subject, we have to emphasize the year that is soon to come, and for which many people in the field of cybersecurity are making some predictions.
Let’s start with some of them:
For some years now, Cybersecurity Ventures' researchers have proposed that the global annual cost of cybercrime by 2021 will be $6 trillion. This would double the value reported in 2015.
They also predicted that, by 2021, ransomware will cost the world 57 times more than five years ago, reaching $20 billion, with a new victim every 5 seconds.
In terms of global spending on cybersecurity services and products, in 2004, it was worth $3.5 billion, which grew approximately 35 times in 13 years. In the next five years, from 2017 onwards, this value is predicted to exceed $1 trillion on a cumulative basis.
Apparently, based on ENISA’s report, we’ll continue to see an increase in malware activity in the coming years. These cyber threats are regularly improving their characteristics, including, for example, new propagation mechanisms. File types like disc image files (i.e., IMG, ISO) are increasingly used to spread malware, apart from the typical XLS, PDF, DOC, and ZIP files. Once the malware is installed, it allows reconnaissance and movement within the victim’s systems and disrupts their operation or steals data.
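As an added example (not part of the original post, nor Fluid Attacks' own code), the following Python script shows the kind of simple check a mail or gateway team can run over attachment records to surface the disc-image file types mentioned above next to the classic document carriers. The log format, the sender and recipient addresses and the filenames are all constructed for the example; a real deployment would parse whatever format its gateway actually emits.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List

# File types named in the post as malware carriers. Disc images are the
# newer propagation vector; the second set covers the "typical" ones.
DISC_IMAGE_EXTS = {"iso", "img"}
CLASSIC_CARRIER_EXTS = {"xls", "pdf", "doc", "zip"}

# Constructed mail-gateway log lines (not from any real system). The assumed
# line format is: <timestamp> from=<sender> to=<recipient> attachment=<filename>
SAMPLE_LOG = """\
2020-12-01T08:12:03Z from=billing@example.com to=alice@corp.example attachment=invoice_1123.pdf
2020-12-01T08:15:41Z from=unknown@mail.example to=bob@corp.example attachment=Shipment_Details.ISO
2020-12-01T08:16:09Z from=hr@corp.example to=carol@corp.example attachment=policy.doc
2020-12-01T08:20:27Z from=promo@mail.example to=dave@corp.example attachment=invoice.pdf.img
2020-12-01T08:22:55Z from=eve@corp.example to=frank@corp.example attachment=photo.png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) attachment=(?P<name>.+)$"
)


def classify_attachment(filename: str) -> str:
    """Return 'disc-image', 'classic-carrier' or 'other' for a filename.

    The check is case-insensitive and looks only at the final extension, so a
    double extension such as 'invoice.pdf.img' is treated as what the mail
    client will actually open (a disc image), not as the PDF it pretends to be.
    """
    ext = PurePosixPath(filename.strip().lower()).suffix.lstrip(".")
    if ext in DISC_IMAGE_EXTS:
        return "disc-image"
    if ext in CLASSIC_CARRIER_EXTS:
        return "classic-carrier"
    return "other"


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Parse gateway log lines and return the entries worth a second look.

    Disc images are reported with severity 'high', classic carriers with
    'medium'; anything else is dropped. 'disguised' marks a double extension
    where an inner suffix looks like an ordinary document.
    """
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line: skip instead of failing on real-world noise
        name = match.group("name").strip()
        category = classify_attachment(name)
        if category == "other":
            continue
        suffixes = [s.lstrip(".") for s in PurePosixPath(name.lower()).suffixes]
        disguised = len(suffixes) > 1 and any(
            s in CLASSIC_CARRIER_EXTS for s in suffixes[:-1]
        )
        findings.append(
            {
                "timestamp": match.group("ts"),
                "sender": match.group("from"),
                "recipient": match.group("to"),
                "attachment": name,
                "category": category,
                "severity": "high" if category == "disc-image" else "medium",
                "disguised": disguised,
            }
        )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(
            f"{finding['severity']:<6} {finding['category']:<15} "
            f"{finding['attachment']:<25} from {finding['sender']}"
            + ("  [double extension]" if finding["disguised"] else "")
        )
```

The extension sets are deliberately limited to the types the post names; an operational version would extend them (Office Open XML formats, archives other than ZIP) and feed the findings into a sandbox or quarantine step rather than just printing them.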
On the other hand, there are forecasts of an expansion of attacks on the mobile sector. Users are now more and more dependent on it, even in their businesses. "Fraudulent apps, SIMJacking and operating systems exploits make these devices the weakest link." Similarly, there are current warnings about the possible growing impact of attacks on companies via IoT devices. These machines are increasing in number and have a reputation for not being kept up to date in terms of security. They can be easy entry points into companies' networks for cybercriminals.
Highly planned and targeted ransomware attacks on the public sector, especially government and healthcare organizations, may keep expanding during the COVID-19 pandemic. We’ll undoubtedly continue to observe what ENISA currently presents as an emerging trend: "Attackers […] spending more time gathering intelligence about their victims, knowing exactly what to encrypt, achieving maximum disruption and higher ransoms."
For more information on what’s currently representing a trend among cybercriminals and may continue to do so in the near future, we invite you to check the first post of this series. At this point, we want to highlight some preventive approaches that we believe will continue being trends in the coming year.
Some preventive trends in 2021
Shift to the left
A crucial suggestion for your organization’s security, which we at Fluid Attacks never get tired of sharing, is to shift the 'security element' to the left. In short, this means that any company creating or using software (almost all of them today) should think about its security and apply it from the beginning. This methodology belongs to the DevSecOps approach. There, security testing must be continuous, covering the whole software development lifecycle (SDLC), and it ensures significant savings in time and money. So, in the coming year, many businesses should move away from the approach of searching for and identifying vulnerabilities in their systems and software only after deployment to production. In such cases, attackers may already have access to those gaps. And these issues may not be immediately remediated and may require considerable time, effort and money due to their quantity and complexity.
Secure hosting in the cloud
Cloud services adoption will continue to increase over the next year as multiple firms adapt to the much-requested remote working. (Learn here about our experience.) These firms should be aware of the flaws, mainly unintended misconfigurations, that are often reported for this type of service and that have many times resulted in significant data breaches. On their side, cloud service providers face the challenge of keeping their solutions up to date while, at the same time, implementing methods to identify configuration errors as soon as possible.
Employees educated in security
Concerns will remain in many companies because some remote workers are not familiar with proper security controls and practices. We have already mentioned that attackers are currently paying close attention to the human factor as a way to penetrate organizations' systems, and they’ll surely keep on doing so. That’s why training staff and creating a cybersecurity culture will continue to be a priority to protect data assets.
Cybersecurity with multidisciplinary teams
Linked to the previous trend appears another one that will continue to be outstanding next year. It refers to the formation of multidisciplinary teams focused on cybersecurity. We had already mentioned the lack of trained personnel in this area and the number of vacancies not being filled. However, professionals from different backgrounds, drawing on their particular skills and experiences, will provide companies with diverse contributions to respond to cybersecurity challenges and opportunities. Cybersecurity is no longer an issue that only engineers will work on. We’ll also have professionals in statistics, economics, cognitive science, business, political science, among other areas of knowledge.
Companies will need to continually reevaluate their cybersecurity, protect every endpoint, and maintain the necessary security controls after this digital transformation forced by the pandemic. Many organizations concerned with their security, following many decision-makers' advice, will begin to employ a zero-trust approach, implementing strict restriction of access and verification of everything. They should always recognize that, although in most cases the threats are external, criminals can also be part of their staff. A firm adequately prepared for cyber threats in 2021 will appreciate the benefit of using multi-factor authentication. It will also ensure that its employees create sufficiently complex passwords and change them at a specific frequency. Some companies will even start using biometric authentication methods, such as face verification, for their staff and, why not, for their customers or users.
A mixture of automatic and manual work
By 2021, the idea of valuing and recommending manual work over purely automatic work will remain current, simply as a matter of results. As discussed in part II, the excess of false negatives and positives in automated tools' output continues to make ethical hackers an essential factor in evaluating IT security. Whatever technique it follows, an automated procedure delivering results on its own will always be insufficient compared to a comprehensive process combining automatic and manual hacking. Technological advances are as useful to us as they are to you. However, we recommend that you do not let yourself be seduced by the capabilities that many firms claim for their testing tools.
Finally, hoping that we’ll see a clearer and more promising future amid so much uncertainty, many businesses must continue adapting their cybersecurity. With the help of experts, each company has to stay persistently informed about the risks and the best prevention strategies, to be implemented right away. Besides, all staff must be trained as a group and maintain a collaborative effort that, in 2021 and the following years, will keep their systems and assets as protected as possible.
Do you have any questions? Do not hesitate to contact us!