Year in review and what to expect in 2021
If I had to sum up 2020 in one word, without using expletives, I would say change. Changes in technology have been revolutionizing business for a long time, but recently this trend has been expedited by the rapid increase in work-from-home as well as the adoption of technologies such as the cloud.
How have cybercriminals used these changes in technology to launch attacks? Key findings highlighted by the INTERPOL assessment of the cybercrime landscape in relation to the COVID-19 pandemic include:
- Online scams and phishing — Threat actors have revised their usual online scams and phishing schemes. By deploying COVID-19-themed phishing emails, often impersonating government and health authorities, cybercriminals entice victims into providing their personal data and/or credentials (a 15% increase in phishing incidents compared with last year).
- Disruptive malware — Cybercriminals are increasingly using disruptive malware against critical infrastructure. In the first two weeks of April 2020, there was a spike in ransomware attacks by various threat groups. The Avaddon group claimed responsibility for the American Banking Systems security event.
These are just a couple of examples. Let us not forget the data breaches, especially toward the end of 2020. As mentioned above, the ABS event impacted a large number of banks. As of this writing, we still don’t know the details, but I’m going to guess that something changed in their processes or controls and left a door open for the attackers.
Same as the Vertafore event. Approximately 27 million Texans’ data were exposed due to human error. How much of that can be attributed to a change being made?
Instead of technology and processes, we need to focus on our people by communicating and taking a holistic approach to cybersecurity. If you do not have a change management program, put one in place no matter the size of your organization. This is especially critical if you outsource to a third party. You want to know every little change being made no matter how technical it is.
What to expect in 2021
From Booz Allen Hamilton, here are a few things that we can expect:
- Next-generation extortion and evolution in malware (check your insurance policies and make sure you have coverage).
- Third-party attacks via cloud-hosted environments (a lot of organizations are moving to the cloud and third parties are helping us get there).
- Mandated contact tracing apps may open doors for large-scale cyber-attacks.
- 5G to expand the attack surface for industrial IoT.
- 5G to increase security pressure on mobile hotspots.
New cyber risks emerge not only from the adoption of new technologies but also from changes in work environments, work-from-home being a prime example. It is nearly impossible to envision such risks ahead of time.
In my annual evaluation of testing incident response, I never included a pandemic. My bad for sure. But what is the next big event? What changes are being planned in 2021 to address work from home? What new technologies are you introducing this year? What technologies are you replacing? Do you have a plan? If your concern about the cybersecurity function is whether you “need one or not,” maybe it’s time to ask, “how soon can you create one?”