The pandemic has been hard on security teams in 2020. Ransomware attacks increased. Remote work disrupted and weakened security processes. CISOs were forced to adjust their short- and long-term plans. 2021 will be better, right?
Well, it will be different, and some things are likely to become worse. CSO has been following four key trends to project how they might play out in 2021. All have been driven or influenced by the pandemic, which will have a long-lasting impact on the threat landscape and how security teams protect people and assets.
1. Ransomware: Bigger, meaner, smarter
Cyber criminals are opportunists. The pandemic made organisations more vulnerable as they scrambled to cope with the fallout. That made 2020 a boom year for ransomware attacks, mostly in terms of increased volume. Cyber insurance provider Coalition reports that ransomware accounted for 41 per cent of all cyber insurance claims filed in the first half of 2020.
Businesses, schools, and healthcare organisations struggling to cope with the pandemic could ill afford to have their systems off-line due to a ransomware attack, and attackers know they are consequently more likely to pay. According to the 2020 Crowdstrike Global Security Attitude Survey conducted in August and September, 27 per cent of ransomware victims paid a ransom fee in the previous 12 months, paying on average $1.1 million.
Attackers have shifted tactics recently to raise the stakes for their victims. They’ve improved the implementation of their encryption schemes, making them harder to crack. Rather than simply encrypt critical data, some criminals now steal sensitive data and threaten to release it if the ransom is not paid.
The FIN11 group, for example, had until recently focused on extorting money from financial, retail, and restaurant businesses. Last year, they shifted their focus to ransomware and set up a website where they release data stolen from companies that refuse to pay the ransom demand.
Cloudflare reported that some groups, including Fancy Bear, Cozy Bear and Lazarus, are now conducting ransom-based distributed denial-of-service (DDoS) attacks. The attackers threaten to disrupt a targeted victim’s network with a DDoS attack if a ransom is not paid, sometimes in sync with a “teaser” attack that causes minor disruption.
Increasing pressure to submit to extortion, targeting of the most vulnerable victims, and tactics that make it more difficult to recover encrypted data will keep ransomware the most profitable “line of business” for cyber criminals in 2021 and the single biggest threat for all organisations. That makes it critical for CISOs to ensure they follow best practices for mitigating ransomware risk in the coming year.
2. The expanding role of the CISO
Just as cyber criminals see opportunity in disruption, CISOs have an opportunity to play a bigger role at the executive level. Covid-19 has raised the profile for security. A greater attack volume, especially for ransomware, has caught the attention of CEOs, CFOs and boards of directors, and they are looking to CISOs to respond.
The pandemic-inspired rush to digitally transform organisations could raise their risk, and CISOs need to be part of that process. The sudden need to safely support scores of remote workers has raised concerns over the vulnerability of systems and data.
The most successful CISOs have always viewed the security function in a business context. With the added attention they now have, that’s even more important. So is building confidence in their ability to execute and manage the complex operational changes that the pandemic has forced.
At the recent CSO50 conference, McDonald's corporate vice president and global CISO Tim Youngblood spoke about what a CISO needs to do now to be successful. It starts with being good at the technical aspects of the job, but Youngblood emphasised the need for operational excellence, which he called the ticket that allows CISOs to do other things.
He cited managing identity as an example. “That is the way you connect to every asset in the company,” he said. “At the end of the day, although a big part of identity is protecting things, we’re also enabling just about everything in the environment. That’s where that operational excellence becomes so important. If they don’t trust you with the operations, they won’t trust you with anything else.”
Youngblood also advised security leaders to partner with the business side. “We have gotten a seat at the table. We’re frequently asked to speak with the board of directors. Now that we have a seat at the table, we have to show our value.”
That means going beyond talking about threats and mitigations and explaining how security enables the business as a partner. “If you partner and you’re all bought in, your success is their success,” he said.
Successful partnering requires good communication. Greg Wood, senior vice president for information security and risk management at the Walt Disney Company, spoke at the CSO50 conference about how CISOs should talk about security going into 2021.
“CISOs need to be able to speak about cyber security matters at different altitudes, and they need to know what altitude they are at.” While CISOs must be able to show technical knowledge when speaking with technically savvy colleagues to have “street credibility,” he said, CISOs need to communicate in “the language, the focus, the perspective” of each partner in the business.
“We’re being pulled more quickly into business strategy meetings,” Wood said, “where they used to be technology strategy meetings. It’s a sign of maturity in the organisation and in the discipline itself when you’re called in not because the CIO wants you there, but when the CFO wants you there.”
The pandemic is not the only thing reshaping the role of the CISO. New privacy and security regulations are also having an effect. “Our jobs have fundamentally changed,” said Roland Cloutier, CSO at TikTok, at the CSO50 conference.
“Our services need to morph, especially around how we protect data. How do you drive data defense programs that are cross-pollinated with other specialties in the organisation around privacy, IT, data management, data governance? This is so far beyond cyber defensive operations. We’re really talking about controls, assurance, and monitoring at a data level and how you integrate that into your security platform.”
The key for CISOs to navigate these new regulatory demands is to have a good relationship with their organisation’s general counsel and privacy groups, said Cloutier.
“We need a clear understanding of our business and what we deliver and where we deliver it. Once you understand your operating parameters…and you have that great relationship, you’re in a really good position to start building out the services you need to provide.”
3. Organisations reassess security strategies and tech stacks
How do you protect all your endpoints if they can be anywhere and perhaps on devices you don’t control? Is your organisation prepared for the increasing sophistication and professionalism of organised cyber criminals? Can your security infrastructure and staff pivot and adapt to rapid changes?
Many, if not most, of the newly remote endpoints that security teams suddenly had to protect in Covid-19's work-from-home shift will become permanent. Skybox’s Cybersecurity in the New Normal survey shows that 70 per cent of organisations expect at least a third of their remote workers will remain so in 18 months. Security measures taken on the assumption the move would be temporary must be reconsidered.
The pandemic has also spurred companies to start or accelerate digital transformation projects, which most significantly means moving more systems to the cloud. That, too, requires a rethinking of security strategy and infrastructure.
Security leaders are becoming more concerned about direct and indirect threats posed by nation-states and their proxies. Eighty-seven per cent of respondents to the Crowdstrike survey said that nation-state sponsored attacks are more common than most people believe, and 73 per cent said such attacks pose the single biggest threat to organisations like theirs in 2021.
Not surprisingly during a pandemic, biotech and pharmaceutical organisations say they are at the highest risk (82 per cent). That figure doesn’t account for the indirect nation-state threats posed by their proxies acting on their own, or for the increased availability of nation-state tactics, techniques and procedures (TTPs) to criminal groups.
To cope with these permanent changes and enhanced threats, companies are looking at several technologies to pilot or implement in 2021, according to IDG’s Security Priorities Study. Respondents say they will either evaluate or invest in these technologies for 2021:
- Zero trust (40 per cent)
- Deception technology (32 per cent)
- Authentication solutions (32 per cent)
- Access controls (27 per cent)
- Application monitoring (25 per cent)
- Cloud-based security services (22 per cent)
4. Security talent acquisition: Demand goes up
As security leaders adapt to the long-term changes brought on by the pandemic, many will likely want to add staff or change the make-up of their security teams. That’s difficult in the best of times, but with everyone reassessing staffing needs, hiring security talent is bound to get tougher in 2021.
The security function has mostly been spared from pandemic-related layoffs—only 24 per cent of respondents to the Crowdstrike survey said they lost staff due to Covid-19 and 35 per cent have put security hiring freezes into effect. So, don’t expect a big influx of talent on the market in 2021 due to staff cuts.
Demand for talent seems to have grown, too. CyberSeek, which supplies data on the cyber security job market, shows about 525,000 open security jobs in the US at this writing, compared to 390,000 before the pandemic began. What’s worse, Emsi Research reported in July that there were fewer than 200,000 qualified candidates for those jobs.
One option is to consider remote security workers. Many organisations have resisted hiring remote security professionals, but the pandemic has proved to many that not all security talent needs to be on premises. This frees businesses to expand their searches for hard-to-find talent to different geographic regions.
Emsi Research’s report offered a couple of recommendations to fill open security positions. The first is to train non-security people, what it calls a “build, don’t buy” approach. IT, finance, and business operations staff are among the most viable employees for retraining and have the highest rate of transitioning to cyber security, according to the report.
Each has domain knowledge, such as networking systems, financial transactions, and business processes, that would enhance any security skills they learn.
The other recommendation is for employers, educational institutions, and local workforce development programs to collaborate. By identifying specific security needs, they can develop talent together at a local level. For example, they can make it easier for job seekers to pursue security roles by communicating the value of security certifications and reducing their cost.