We’re just a few weeks into the new year and, let’s be honest, it doesn’t feel all that different from 2020. That said, vaccines are being rolled out and we’re all hopeful we’ll see an end to the pandemic this year. However, some of the radical changes it brought with it are likely here to stay.
Stanford economist Nicholas Bloom has written that we live in a “Work-from-Home Economy” in which there could be a reverse migration from city to suburb, a worsening of income inequality, and new headaches for information security. The number of U.S. employees working from home is now twice that of those in the office, and those at home account for over two-thirds of the U.S. economy.
In 2020, students, professionals, and even world leaders were forced to do most of their work online. Everything from elections to diplomacy, and business to romance, was seemingly conducted via Zoom. Due to the pandemic, we simply do not see our friends or colleagues nearly as much as we used to. Among the downsides are the security vulnerabilities associated with remote communication, and hackers have noticed.
The new network diagram is dotted with remote endpoints, novel applications, cloud computing, edge computing, and microservices. It is the very definition of workplace disruption. Hackers see this and think at least two things: ‘Can I turn your home office into a hub for cybercrime?’ and ‘Can I turn it into a beachhead from which to invade your corporate network?’ They look for gaps, misconfigurations, and poorly designed architecture. They target VPNs and RDP, and they send you an email claiming that you are next in line for the COVID vaccine.
For some historical perspective, the work-from-home threat vector is not new. More than 20 years ago, the CIA yanked the security clearance of a former Director after learning that he had stored Top Secret information, including ultra-sensitive Presidential “covert action” programs, on a personal home computer that was also used to visit extremely high-risk, malware-prone websites. Therefore, it is not surprising that during the coronavirus pandemic, the CIA made clear to its employees that they may NOT conduct espionage from home.
Most of us are not worried about getting hacked by the KGB, but every data security expert knows that cybercrime poses a serious threat to any commercial business, and that malware is constantly evolving. Here are 5 trends to keep an eye on in 2021.
- Our software supply chain is under attack.
- COVID-related phishing campaigns are underway.
- Fileless malware is hitting the endpoint.
- Criminal gangs divide and conquer.
- If you need a hacker, just hire one.
Let’s take a closer look at perhaps the hottest malware type: ransomware. Recent evolutions include automation, data theft prior to encryption, a focus on cloud repositories, and increased pressure tactics. Hackers are showing increased patience to find the most valuable systems (e.g. admin accounts), and have no shame in shooting for “double extortion,” where data is both encrypted for ransom and, if demands are not met, released to the public in plain text. Successful strikes in FinTech and critical infrastructure only serve to up the ante. The ransomware threat has now risen above cybercrime and into the national security space, with geopolitical ramifications.
Data security in 2021 will place increased focus on the human factor. Hackers look for gaps in network defenses, and they will see the physical distance between remote workers as an opportunity. Further, the increased accessibility of the Dark Web has led to numerous scenarios related to insider threats. The fact is that the average corporate employee does not know much about cybersecurity, and may rarely think to patch or monitor their systems. Thus, a primary enterprise goal for 2021 is to teach security best practices to remote employees.
One of the key dynamics to watch will be the biggest architectural shift of 2020: the mass migration to the cloud. There are sound reasons for this shift, including the rise of remote work, increased security, and regulatory compliance. But of course, “the cloud” really just means someone else’s computer, and that other computer is also vulnerable to exploits, outages, and misconfigurations. Hackers have also looked up, admired the clouds, and bought a plane ticket. Therefore, many enterprises will hedge by securing distributed and/or multiple cloud options.
Now let’s talk about leadership. In the C-Suite, two of the most important driving factors in data security are legal and financial. First, national and state data privacy laws, such as Brazil’s LGPD and California’s CCPA, are appearing like mushrooms. Second, in the midst of a pandemic, security budgets can be hard to predict, because the real return on investment is simply the lack of a hack. CISOs have many requirements and limited resources, and are likely to strategize around convergence, outsourcing, and validation through metrics.
And of course … DevSecOps. Security is never the end goal. However, because information technology is now used to manage everything from elections to electricity, we simply cannot write code with no concern for security. The learning curve is steep: internally, we are expected to master challenging frameworks such as the Information Technology Infrastructure Library (ITIL), MITRE ATT&CK, and Secure Access Service Edge (SASE); externally, we must accurately evaluate a dynamic array of subscription-based offerings.
At the end of the day, data security is risk management. Every user is a potential threat, because hackers have found numerous ways to compromise the endpoint, the application, the cloud, and multi-factor authentication (MFA). This is why many enterprises are moving to a “Zero Trust” model, in which all users, no matter where they sit, are continuously authenticated, authorized, and verified prior to application and/or data access. It is reminiscent of Ronald Reagan’s use of the Russian proverb “Trust ... but verify.”
In summary, in 2021, your enterprise should renew its commitment to defense-in-depth. That means gaining greater visibility and insight into both self-managed and third-party SaaS environments, securing your end-to-end CI/CD pipeline, and thinking about Zero Trust. Thank you for reading our blog on data security in 2021, and you can expect a near-term deep-dive into the Zero Trust model!