As a new year looms bright with possibility in front of us, how can we prepare for a world that looks profoundly different than it did a year ago? On the cybersecurity front, we can always anticipate continuing battles with familiar foes, as well as a few new challenges on the horizon. Though we may not have a crystal ball, based on our observations and discussions, here are six predictions for the upcoming year.
1. Remote Work Will Become the Norm
While 2020 saw a massive shift to remote work, don’t expect everyone to return to the office in 2021. Many organizations and employees have seen big benefits in telework, including increased productivity, reduced spending on infrastructure, and flexible hours. Unfortunately, from a cybersecurity perspective, remote work offers the additional challenge of a larger attack surface. Every Wi-Fi-enabled device in an employee’s home (gaming systems, printers, tablets, and smart TVs, to name a few) will be an additional attack vector, as it will be looped into the organizational network. Additionally, remote workers likely do not know that their home routers may be misconfigured or unpatched, providing an ideal target for hackers to exploit.
Organizations will need to think ahead about managing this attack surface. Additional monitoring will need to be considered. If organizations want to have eyes on the connection an employee is using, they should consider providing that equipment for the home offices. Guest networks should be set up to create a partition between your professional and personal connection. And all employees should only have the privileges that they need, which will reduce risk if their credentials are compromised.
2. Continued Rise in Phishing
Phishing remains the most successful method of breaching an organization. Filters can only do so much, and you’re largely reliant on the vigilance of the recipient. Phish come in all shapes and sizes, from basic, relatively obvious phishing emails sent out en masse to incredibly well researched spear phish targeting and tailored to an individual or group. The pandemic only increased the use of phishing in 2020, with Google reporting that they were blocking 18 million phishing emails a day that contain the keyword “COVID-19,” in addition to 240 million emails with the simplified term “COVID.”
Such an effective method isn’t going anywhere, so organizations will have to prioritize employee education. Use live virtual training, webinars, or written reminders to regularly urge caution when opening links or attachments, particularly those that come unprompted or from unusual sources. Employees should all know the signs of obvious phish, like odd URLs, and follow best practices, like going directly to a website instead of using a link when possible.
Additionally, organizations should utilize social engineering pen testing to run phishing simulations that imitate a real attack. These simulations can uncover which employees are vulnerable to phishing and discern what types of phish are most likely to fool them. It is especially critical to continuously retrain and retest, to make sure that phishing always remains top of mind whenever an unusual communication is received.
3. Attacks on the Healthcare Sector
Healthcare records offer incredibly lucrative data—social security numbers, bank information, and personal health information. While healthcare has always been on the radar of attackers, the pandemic seems to have painted an even larger target on the sector. And it’s not just large, tier one hospitals that are at risk. Smaller hospitals, clinics, and facilities are also popular targets, as their security may not be as robust, and may provide a foothold into larger healthcare networks that they are a part of.
In late 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released an advisory that there was an increase in ransomware activity targeting healthcare that could lead to data theft and disruption of healthcare services. This risk will likely continue well into the new year.
With high-end IoT devices like X-Ray machines and MRIs, hospitals will need network monitoring solutions that can provide visibility into these attack vectors and give insight into performance issues, outages, bandwidth, and any other changes in the network. Without such monitoring, these devices can not only serve as attack vectors but also allow an infection to remain unnoticed, increasing dwell time and the risk of serious damage.
Since healthcare data is so valuable, it’s also critical to carefully manage and limit who has access to what systems and when in order to prevent disclosure of this personal and private information. Use Identity Governance solutions to enforce security policies, eliminate excess privileges, and uncover potential violations within the healthcare system.
4. Getting the Most Out of Role Based Access Control (RBAC)
A role-based approach to identity governance means identifying and grouping common access privileges together across individual users so that they can be easily used to mitigate risk and improve efficiencies. Instead of assigning each individual user their own set of privileges, a role is a collection of access privileges typically defined around a job title or job function.
While RBAC has been around for some time and is on the rise, many organizations, particularly large enterprises, have found themselves struggling with “role explosion” and end up with almost as many roles as identities. This can often be the result of trying to implement roles too quickly, without a planned approach.
Luckily, there are now solutions that provide intelligent analytics and better visualizations of data that can help to recommend roles, as well as regularly audit them to suggest changes to role definitions. This reduces role-overlap, avoids overprovisioning, and incorporates new access so your role definitions keep pace with the access requirements of your users. With these more advanced solutions, organizations will be able to maximize their benefits, and avoid shortcomings seen from RBAC being managed with spreadsheets.
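The kind of role audit described above can be sketched in a few lines. This is an added example, not code from the article or from any identity governance product; the role, user and privilege names are constructed sample data, and using Jaccard similarity with a 0.7 threshold to measure role overlap is an assumption.

```python
from itertools import combinations

# Constructed sample data (hypothetical role, user and privilege names).
ROLES = {
    "nurse":         {"ehr:read", "ehr:write", "meds:order"},
    "nurse_night":   {"ehr:read", "ehr:write", "meds:order"},
    "nurse_icu":     {"ehr:read", "ehr:write", "meds:order", "icu:monitor"},
    "billing_clerk": {"billing:read", "billing:write"},
    "billing_temp":  {"billing:read", "billing:write", "ehr:read"},
}
ASSIGNMENTS = {
    "alice": {"nurse"}, "bob": {"nurse_night"}, "carol": {"nurse_icu"},
    "dave": {"billing_clerk"}, "erin": {"billing_temp"}, "frank": {"nurse"},
}
# Privileges actually exercised, as an access-log review might report them.
USED = {"dave": {"billing:read", "billing:write"},
        "erin": {"billing:read", "billing:write"}}

def explosion_ratio(roles, assignments):
    """Roles per identity; a value approaching 1.0 signals role explosion."""
    return len(roles) / len(assignments)

def duplicate_roles(roles):
    """Group role names whose privilege sets are identical."""
    groups = {}
    for name, privs in roles.items():
        groups.setdefault(frozenset(privs), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def overlapping_roles(roles, threshold=0.7):
    """Non-identical role pairs whose Jaccard similarity meets the threshold."""
    pairs = []
    for a, b in combinations(sorted(roles), 2):
        union = roles[a] | roles[b]
        score = len(roles[a] & roles[b]) / len(union) if union else 1.0
        if threshold <= score < 1.0:  # exact duplicates are reported separately
            pairs.append((a, b, round(score, 2)))
    return pairs

def unused_grants(roles, assignments, used):
    """Privileges granted via roles but never exercised (users with usage data only)."""
    report = {}
    for user, seen in used.items():
        granted = set().union(*(roles[r] for r in assignments.get(user, ())))
        if granted - seen:
            report[user] = granted - seen
    return report

if __name__ == "__main__":
    print(explosion_ratio(ROLES, ASSIGNMENTS), duplicate_roles(ROLES))
    print(overlapping_roles(ROLES), unused_grants(ROLES, ASSIGNMENTS, USED))
```

Duplicate roles are candidates for merging, near-duplicates for consolidation into a base role plus an add-on, and unused grants for removal from the role definition.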
5. Integration of PAM with Mainstream IGA Solutions
Privileged accounts have access to valuable data and can execute any application or transaction, typically with little or no tracking or control. Because of their elevated access, privileged accounts carry more significant risks than non-privileged accounts and have more potential for exploit or abuse. Privileged Access Management, also known as PAM, enables organizations to properly oversee these accounts, simplifying how they define, monitor, and manage privileged access across IT systems, applications, and infrastructure.
Identity Governance solutions also deal with access, but at a broader level. They determine how access is assigned for everyone within an organization, not just those with the highest privileges. Despite their clear relationship to one another, PAM and IGA solutions have stayed relatively independent of one another. In the past, they have been managed by different departments or decision makers in a business, with PAM being seen as a distinctly IT problem, while IGA is seen as a general business user issue. This has resulted in the two being in distinct silos, even unintentionally.
Separate management has often resulted in security gaps and confusion over decisions on access policies. To address this, PAM and IGA initiatives have started to merge. Solutions will begin to follow suit by providing more integration opportunities, allowing PAM and IGA to be considered holistically and centrally managed.
6. IT Will Get Bigger Budgets
Finally, it feels like IT and security teams are always being tasked with “doing more with less.” However, 2021 may finally be the year when they get to do more with more! As discussed earlier, 2020 showed how much office work can be done from home. It also provided some clarity on how much business travel is necessary, and what can be accomplished virtually. If travel and infrastructure spending can go down, businesses can take the opportunity to reevaluate budgets.
2020 also showed why the cybersecurity budget is deserving of this potentially available funding. Major breaches were more publicized than ever, and a massive surge in phishing attacks brought to light just how costly a cyberattack can be. Many security teams may have the opportunity to get both the personnel and solutions they need to significantly improve their security posture.
The Enduring Need for Cybersecurity
With the exception of those living completely off the grid, every single person has the potential to be affected by a cyberattack. Whether you’ve had your credit card information stolen, your city’s government is brought to a standstill by a ransomware attack, or your company has been brought down by a breach, we all have a personal stake in safeguarding technology. So while there is no way to guarantee that all of these predictions will have come to pass by this time next year, there is one thing we’re certain of: cybersecurity will remain as critical as ever.