The year 2020 definitely shook up the IT world. The urgent need to rely on distributed workforces forced organizations to accelerate their digital transformations and broadened the IT threat landscape. Looking closely at the ripple effects from 2020, it’s clear security pros won’t be able to yawn their way through 2021.
Here are seven key trends that will impact organizations in 2021 and beyond:
1. Ransomware will become more sophisticated and will affect the physical world.
Ransomware will remain one of the most straightforward ways for cybercriminals to monetize a breach. Organizations will get better at thwarting attacks and recovering from incidents, but the arms race will continue and ransomware will evolve.
In particular, to compel organizations to pay the ransom, attackers will focus on making attacks more difficult to recover from. For example, they may “brick” devices by modifying the BIOS or other firmware. As operational technology and IoT devices become more common and communication protocols standardize, criminals will target them as well. As a result, attacks will have a much more visible impact on the physical world.
2. Cloud misconfigurations will be a top data breach cause.
The cloud played a huge role in enabling a swift shift to remote work in 2020. But lack of understanding of the shared responsibility model and the security hurdles in the cloud will cause serious problems in 2021. Indeed, the global shortage of IT pros skilled at cloud management and security, combined with lack of visibility into cloud design and workloads, will make cloud misconfigurations inevitable, leading to overexposed data and breaches.
3. MSPs will become lucrative targets for hackers.
With the worldwide IT skills shortage and financial downturn, more and more organizations will rely on managed services. Hackers will then ramp up their attacks on MSPs in order to compromise several businesses at once and monetize their activities at a devilishly high speed.
4. The rapid digital transformation in 2020 will have delayed effects.
Many organizations rushed through their digital transformation in 2020. There was almost no time for planning and testing, and often IT teams lacked sufficient knowledge and experience. Organizations had to prioritize service availability over security, which resulted in unpleasant tradeoffs, and IT pros faced with unfamiliar systems inevitably made mistakes. Some of the resulting security gaps have already been exploited, but we should expect more of them to come to light in the coming year.
5. Organizations will better align security and business needs by focusing on risk.
In 2020, executives had a front-row seat for seeing how closely business risks are associated with cyber events. In 2021, their interest in establishing a mature security posture will increase, and they will rethink their risk management strategies based on more realistic expectations.
Specifically, more organizations will recognize that the goal of a security program is to keep risk at an acceptable level and enable resilience, not to achieve 100% protection. Accordingly, they will balance their security spend between protective measures and detection and response capabilities.
6. Executives will carefully scrutinize the efficacy of security investments.
A higher awareness of security threats among executives will bring new budgets for security programs, but also a higher level of scrutiny. They will want IT leaders to come up with specific metrics to prove the efficacy of existing security measures and justify the necessity and value of new investments.
Security leaders will also need to develop cost reduction plans. In particular, they should flag overlapping software to eliminate duplicate expenses, and review each solution for unused features and functionalities that could be leveraged to increase ROI.
7. Insurance and legislation will drive mass adoption of fundamental security practices.
With more breaches being caused by companies failing to take adequate care of customer personal information, we will see both stricter enforcement of existing regulations and adoption of new privacy laws. Also, the grace period on enforcement of some compliance mandates during the early months of the pandemic will expire in 2021.
Faced with increased risk of non-compliance fines as a result of these developments, organizations will turn to cyber insurance. Those policies will come with their own security standards, such as regular risk assessment and effective detection and response capabilities. Organizations will be as focused on meeting those criteria as they will be on complying with the regulatory standards themselves.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.