2021 Cybersecurity Predictions
What will be the next big thing in cybersecurity?
We asked our experts to weigh in.
2020 was a year for the record books. Amazingly, many of our 2020 cybersecurity predictions held strong, despite the fact that we were thrown for a collective loop by a global pandemic almost no one saw coming. No, we could not have imagined #Coronavirus would be a top search trend in 2020. We did, however, predict a rise in the adoption of DevOps and DevSecOps tools, which was helped along by the surge in apps developed to help businesses transform their brick-and-mortar operations into digital storefronts. There was also an unprecedented number of cyber attacks on healthcare devices and organizations. Quantum computing may be a bit closer than it was this time last year, but we’ve still got a ways to go.
So, what’s next? It’s hard to say – these are strange and uncertain times, after all. But we thought we’d ask some of our in-house experts what, if anything, we can learn from this rollercoaster year and possibly expect in 2021.
As you’ll see, their opinions span a wide range of topics within cybersecurity. We hope you have time to read and share them all. And we’re curious: what’s at the top of your mind as we inch closer to the new year? Did we miss any major vulnerabilities or risks? Breakthrough technological developments? Any history-making events waiting around the corner? Find us on LinkedIn or tweet us @globalsign with the hashtag #Prediction2021 to let us know what you think.
The cybersecurity talent gap will narrow through untraditional hiring
The narrowing of the cybersecurity talent gap will accelerate through a concerted effort to recruit, inspire, and mentor talent from non-traditional backgrounds. Women and minority hires who might not have traditional cyber intelligence training will be drawn into the cybersecurity job market by cybersecurity professional community groups, government, and the private sector, all of whom realize that investing in this often ignored talent pool can reap huge rewards by filling many lingering open positions. Cybersecurity leaders will see this investment as tremendously valuable, both for talent retention through enhanced loyalty and for putting capable, highly committed people into open seats that fill significant gaps in cybersecurity expertise and coverage.
The untenable level of cybersecurity vacancies leaves organizations vulnerable to non-compliance findings around required critical infrastructure network, PII, and organizational IP protection, and also creates very real security vulnerabilities. It is my personal goal to mentor any non-traditional aspiring cybersecurity professional wishing to take either an initial brave first career step or a later-stage career pivot into the fascinating and highly rewarding world of cybersecurity. One such organization I’m committed to supporting is the WiCyS New England chapter, a community dedicated to engaging, encouraging, and supporting women in cybersecurity.
There will be an increased adoption of zero trust
Zero trust security has been a concept within the security community for the last 10 years but is finally getting traction, partially accelerated by the publication of NIST SP 800-207. Zero trust in cybersecurity is the principle of treating everyone and everything as untrusted by default, effectively not distinguishing between employees and internet users, or between working from home and working from the office. The focus is on identifying legitimate users through strong multi-factor authentication, rather than on whether they are an internet customer or an employee, whether they use a corporate or BYOD device, or where they are located (office or home).
The global remote work paradigm will demand new tooling by IT and cybersecurity teams
As companies of all sizes adjust to a culture of “remote work by default”, IT and cybersecurity teams will have to build completely new tooling for maintaining and monitoring security. This will have echoes of the seismic shift to “BYOD” a decade ago, but now reversed: company-controlled equipment in a physically and logically insecure environment. This requires a completely different security paradigm, which will not affect some companies, but others (especially larger corporates who have always assumed a large, fixed perimeter) will have to completely rethink their controls and processes. Cyber criminals will of course be quick to jump on any of those who misstep during these changes. Digital signatures of all forms will be a large part of this new world, not only replacing “wet” signatures on physically printed documents, but also certificates on emails and devices, proving identity when physical location is no longer the guarantee of provenance. Worker decentralisation will also have an impact on corporate infrastructure, both internal and SaaS. The move of compute power to the “Edge” will accelerate as large centralised servers become a less efficient processing medium, hopefully driving new standards and guarantees in SaaS storage security, and allowing more users to safely move corporate storage to more distributed environments. However, continued increases in laptop processing power coupled with workers relying on slower home internet connections also creates pressure for a (probably flexible) return to more “traditional” application models, running mostly at the user’s terminal rather than at the edge or in the data centre, providing still further headaches for the IT department!
Four IoT predictions for 2021
With a rebounding economy in 2021, IoT OEMs and operators will increasingly move past Proofs of Concept (POCs) and betas, planning for full operations. With this phase shift in IoT adoption, scale becomes essential. IoT OEMs and operators will find scale and cost efficiency with cloud-based IoT platform and security providers.
In addition, IoT, DevOps, and enterprise IT security concerns will create conflict and enter a stormy phase with disconnected but related requirements. An enterprise encompassing all these areas will want cost savings and a unified security posture. However, disparate business owners, siloed technologies, and emerging success blueprints will make that unification difficult to achieve.
Also, Robotic Process Automation (RPA) will continue its expansion across enterprises to improve knowledge worker efficiency, but it will face security obstacles in how bot identities and access can be managed at scale alongside the bots’ wetware counterparts.
Finally, following the election chaos that ensued in the US surrounding mail-in ballot systems, there will be a renewed interest in replacing legacy technologies with secure remote electronic voting systems.
Reliance on eCommerce will only grow – and cybercriminals will redouble their efforts
Covid-19 had a lot of immediate effects on the way we work and interact, and in 2021 one of the more residual effects is going to be our continued use of, and reliance upon, eCommerce. The technological barrier to entry, most prevalent amongst older individuals, was smashed when huge swaths of population went into isolation and lockdown during the pandemic. Suddenly ordering toilet paper off Amazon wasn’t so preposterous.
The pendulum will swing back towards brick-and-mortar stores to some extent once people feel safe again, but things will never return to pre-Covid norms. A byproduct of this is that cybercriminals will likely redouble their efforts in this realm in 2021.
It makes sense: a huge influx of new consumers is now participating in eCommerce, and many of them will carry an exploitable level of naivete into the marketplace. When you factor in some of the recent changes to browser UI, like minimized trust indicators, the ability of criminals to render highly convincing websites that display those trust indicators thanks to easily-sourced free SSL/TLS certificates, and the fact that this all looks even more convincing on mobile devices, it’s easy to see how business is about to be booming. That’s why it’s never been more critical to train the public on how to tell fraud and scams apart from legitimate eCommerce websites.
Just this summer my own father told me how he was bilked out of $100 and had to get a new credit card because he tried to buy some dumbbells on Instagram. Why my sexagenarian father is even on Instagram isn’t something I want to delve into without a copay, but this is a retired Fortune 500 executive – not someone who is uneducated. The point is, this is going to happen a lot – possibly to your own parents and loved ones – unless we collectively do a better job of educating internet users. It would be nice to just stamp out this sort of fraud altogether, but the confidence game is as old as humanity itself, so the more practical route would be to make sure the public knows about the risks that accompany the convenience of the eCommerce world. A good starting point would be eCommerce companies educating their own customers on how to make sure they’re on the right site. But it needs to be a joint effort across multiple industries and stakeholders.
The pandemic will force digital transformation across the globe, and more regulation to go along with it
The pandemic has forced companies to accelerate towards digital transformation. And as they strive for faster adoption of digital processes, they will be inclined towards better, more secure and trusted standards. Document signing, being an intrinsic part of any digital transformation, will see more adoption of PKI-based digital signatures from companies around the world, as adopting them reduces the compliance burden across geographies.
2021 will also see even more regulatory authorities around the world forming their guidelines along the lines of eIDAS, an EU-specific regulation, giving digital signatures a more prominent place in terms of assurance and legal value. We are already seeing this happen in 2020 for a few geographies, including some in South America.
The need for faster transformation and easy adoption of digital practices will also force some companies in conservative economies to open the door for cloud-based signing solutions.
Expect increased vulnerability of virtual infrastructures, especially for SMBs
The pandemic has dictated a great deal of changes, accelerating both AI solutions and remote requirements.
Now that remote work is here for the foreseeable future, any type of virtual infrastructure may be more vulnerable to cyber attacks, especially small companies that may not have the resources of larger companies. Given that, in 2021:
- Expect to hear more about secure email solutions.
- VPN protection will be non-negotiable.
- “Deep fake” cyber attacks will increasingly be utilized by cyber criminals to penetrate and swipe corporate data.
- There will be more penetration testing and security preventative measures (as with all aspects of life, prevention is the best medicine!).
- Last but not least, secure transactions (SSL/TLS) will be a top priority for small, medium, and large corporations regardless of their scope. Markets like healthcare and financial services will be leveraging security as a competitive differentiator.
Deepfakes will continue shaking up the online identity landscape
2021 will be the year where we will see the further rise of deepfakes and other forms of advanced impersonation and identity fraud attacks. With these new identity fraud techniques, it is almost impossible to distinguish real from fake videos and voice recordings. Humans will need to be extensively trained on how to recognize them. The reality is that we need to create innovative prevention and detection controls to keep abreast of these new attack techniques. Strong identity verification and authentication techniques such as PKI and central identity authorities (i.e., CAs) will be at the frontline of making sure that strong digital identities are only issued to the legitimate holders of that identity.
Brazil will continue to promote basic education in cybersecurity on a national level
Like the rest of the world, Brazil urgently faced the need to enable its citizens to work remotely this year. This was a significant challenge since the level of security understanding for most Brazilians is extremely low, to the point that citizens do not even consider privacy to be an issue. On top of that, currently there are no laws in Brazil that provide for imprisonment for cybercrimes.
Not surprisingly, the number of cyber attacks on Brazilian companies grew by 330% between February and April, according to a survey by Kaspersky. Since Brazil was already lagging in the safeguarding of privacy and data, it is reasonable to conclude that the delay in putting the proper laws into place may cause more problems to emerge. And so it’s likely hackers will continue to take advantage of the loopholes left by companies. Consequently, phishing and malicious attacks will still be a concern in 2021.
Fortunately, in February the Brazilian Government created the National Cybersecurity Strategy – “E-Ciber” in an attempt to increase the average citizen’s understanding of cybersecurity, and to follow the expectation of growth in investments in this area. It is hoped that the strategy will become law next year. If that happens, Brazil will steadily improve its cybersecurity stance with the steps proposed by the strategy, as well as the enforceability of the administrative sanctions provided for by the LGPD (general data protection law).
Also next year, look for the continued growth in digital signatures. During Covid-19 companies began relying on them even more, setting the stage for additional growth next year.
If you haven’t experienced a remote medical appointment or received an electronic prescription yet, you will in 2021
With Covid-19 spreading globally, more and more non-urgent medical appointments will be performed remotely. Electronic prescriptions backed by Advanced or Qualified Electronic Signatures (AES or QES) will mean fewer contact points for potentially sick patients. That move will allow consumers to receive their medication without having to attend a doctor or even a pharmacy in person. This in turn can mean that untested, asymptomatic Covid carriers needn’t attend a medical practice and risk spreading the virus, and conversely, non-infected vulnerable patients can reduce their need to attend potentially higher-risk environments. It’s a change that can be made easily by healthcare providers and can be universally accepted by dispensing chemists and pharmacies, and it is likely to see large-scale adoption over 2021 and beyond. As the healthcare landscape shifts rapidly and drastically to the new normal, electronic prescriptions and remote consultations will be key to reducing the non-Covid-related excess illness and deaths currently elevated because fewer people seek help, through fear of infection.
The paperless revolution will reach new levels
For the last several decades enterprises have been steadily digitalizing their processes in order to become fully paperless. With the consequences of COVID-19 and the global working-from-home trend, the need for digitalization has dramatically increased. Suddenly, complete processes and flows had to be overhauled this year because business-as-usual events such as the physical execution of agreements could not take place. This effort will continue in 2021. Rebuilding processes such as contractual signing in haste leads to its own set of challenges: how to obtain high assurance on the identity of the signing parties and non-repudiation of the signatures. Adapting these concepts is complex and requires niche expertise: when incorrectly applied, they could invert the burden of proof or even undermine the validity of digital signatures.
DevSecOps will become an integral part of software development lifecycle
The ability to develop, deploy and upgrade applications at a faster pace to stay ahead of the competition, and baking security into the application development process, will be the two major concerns of enterprises in 2021. To reconcile these conflicting priorities, DevSecOps will become an integral part of the software development lifecycle.
Organisations will need to focus on adopting suitable toolchains, best practices, and change management to incorporate security across the development stages, from build and test to deploy and run. Also, to overcome container and orchestration framework vulnerabilities, default settings will require additional adjustments and third-party solutions to harden security.
Security will need to be ensured in deployed code and environments from the early stages of the development process.
Operators of IoT networks will look to IoT device manufacturers to provide secure, unique identities
Nefarious attacks on IoT systems, and the sophistication of those attacks, are on the rise. Hackers are clever, with the skills to execute complex assaults that achieve their goals and grant them access to lucrative data and even device control. In 2021, operators of IoT networks and systems, especially high-value or critical infrastructure ones, will be seeking ways to harden their ecosystems against these attacks. They will focus on securing their devices – the most common attack point – with device identities that can be secured with certificate-based PKI authentication. They will be looking to IoT device manufacturers to provide secure, unique identities as part of the product build, or even to chip manufacturers to include attestable chip/TPM identities that integrate with the PKI to protect the component they are built into, or the entire device, throughout its lifecycle.
Cybersecurity training will be even more of a necessity
It makes for shocking reading: nearly 70% of IT & Security Pros hone their cyber skills outside of work, while 43% of employees lack regular cyber security training. So, it’s no big surprise that security skills are very much down to employee initiative rather than an organization-wide standard. Will 2021 be the year when businesses are driven into focussing on cybersecurity training programs for their staff?
With a global pandemic that has forced organisations big and small into remote working, many will have had a wake-up call to really step up their cybersecurity game. Interest in remote authentication has increased, many offline processes were forced onto digital channels, and yet, encouragingly, many organisations have been surprised by just how well they are working as a remote workforce. But basic security principles remain a mystery to a large number of employees, e.g.:
- Spotting phishing attempts
- Secure password management
- Multi-factor authentication
- Reporting suspicious activities
The pandemic and remote working have accelerated the digital transformation, increased the so-called data sprawl and multiplied the risk of cyber attacks. For 2021 we will therefore see an increase in investment and focus on cybersecurity training. Because ultimately, better security starts with a smart workforce.
Governments will try to exercise even more control online
With China operating a national intranet for many years already, other countries have been looking to mimic such a concept. Russia ran some tests around the end of last year already. At the same time, Iran disrupted the internet to prevent protestors from exchanging information with each other.
But even Western democracies are trying to exert political influence over the Internet. At the time of writing, the EARN IT act has just been introduced into the House of Representatives. In a nutshell, the EARN IT act would enable both state and federal legislatures to pass further regulations for what’s happening online. And in the European Union, voices are emerging to regulate secure end-to-end encryption, in a misguided effort to combat child sexual abuse.
It’s very clear that many such political initiatives are undertaken without consultation of independent experts in technology. Therefore, in 2021 it will be more important than ever before that experts in technology, privacy and data protection come together and help legislative authorities achieve their objectives, while at the same time protecting fundamental values of democracy and freedom of citizens.