This blog post is based on the seventh webinar in The New Workspace series — The Top Security Predictions for 2021. The event, which you can view in full here, featured the insights of Fermin Serna, Chief Security Officer at Citrix; Ayman El Hajjar, Course Leader in Cyber Security and Forensics at University of Westminster; and Dick Wilkinson, Chief Technology Officer at the New Mexico Judiciary.
2020 was an intense year for security professionals. The mandate to work from home, combined with an ever-increasing shift toward remote working, meant the traditional security perimeter all but disappeared. Distributed workers have meant distributed data, and security professionals have needed to find a balance between enabling widescale access to private data while protecting their organizations from new threats.
The past 12 months have uncovered unforeseen vulnerabilities, and we are seeing a notable rise in security attacks on businesses. According to a recent Citrix survey, 93 percent of U.S. and European business leaders believe cybercrime and big-data breaches will present a significant risk to organizations over the next 15 years.
In this latest webinar, available now on demand, we consider the new security threats and how security teams can best prepare for them to keep data and applications safe.
How did 2020 and the pandemic impact the world of security?
COVID-19 disrupted the entire business environment. Ayman El Hajjar, Course Leader in Cyber Security and Forensics at the University of Westminster, says that hackers are usually opportunists, and the pandemic served to widen opportunity at a time when no one was ready for it. Reportedly, in the UK alone, there has been an increase in attacks to the value of £20m over the last year.
“We saw, in the first few months, a huge increase in the number of phishing and spam attacks,” El Hajjar says. “People are working from home, which it is a lot more lucrative for hackers since there is a lot more data out there. The home environment threat has been one of the biggest impacts of the pandemic because it is inherently insecure compared to the secure, protected, corporate networks we are used to within our typical work environment.”
Dick Wilkinson, Chief Technology Officer at the New Mexico Judiciary, whose job it is to secure vast amounts of confidential data, says his on-premises network was turned “inside out” following the mandate to work from home. “We have had a real challenge helping people to understand that their home device is at risk, and these sensitive documents need to be protected in just the same way as they would be in the office environment.”
Are organizations approaching security differently after 2020, and is it becoming a higher priority?
Fermin Serna, Chief Security Officer at Citrix, says businesses need to try to achieve their goals while also protecting themselves from potential threats. “Security should not be an afterthought,” he says. “You do it because you do not have any other option. Companies will need to start embedding security into their DNA at every stage, across all projects and processes, and in 2021 the pressure to do so will intensify.”
If security is planned from the outset, it can almost become invisible and, therefore, be a much more seamless experience for the end user. Dick Wilkinson, CTO at the New Mexico Judiciary, says that “when security is baked in, there is no opportunity to resist and ignore the control, so you get better compliance from users and the program is more effective.”
Ayman El Hajjar of the University of Westminster says that, due to the rise in home working and BYOD policies, “security has become a burden on the user and unnecessarily complex. We can’t expect everyone to be a security expert.”
Have cyber actors become more sophisticated, or is there just more opportunity now?
Hackers are becoming increasingly sophisticated, but the opportunities available to them are also a lot greater than they used to be. Ayman El Hajjar says it is like a rat race where hackers often have first mover advantage, making necessary tweaks to circumvent the latest possible security controls.
The network environment has also become increasingly complex, due to technology advances like the internet of things (IoT) and interoperability, which are helping to open more doors for hackers and create insecure network environments. “This is making security a burden for companies, and this is where mistakes will happen, and opportunities for hackers will open up,” he says.
Dick Wilkinson of the New Mexico Judiciary says there has been a clear rise in opportunities for hackers over the past 12-18 months. “If you look at the types of attacks, there is no ransomware 2.0, for example, since we are still dealing with ransomware 1.0. The landscape has been the same for a long time, but over the past year, opportunities have increased exponentially. And so, when we talk about the return to work, I think we will see a corresponding decrease in low-level attacks.”
According to Fermin Serna from Citrix, security experts have a challenging year ahead. He cites the lucrative ransomware Ryuk, which reportedly made $150m last year. “The call and effect to criminals in other fields is going to be massive and we are going to see a lot more actors, and the spectrum will widen. This is big business, and while we need to protect everything, attackers only need to find one way in.”
What are the top trends for security in 2021?
Dick Wilkinson of the New Mexico Judiciary says the cyber threat “industry” is reaching maturity. “Threat actors are making huge sums of money,” he says. “Soon, we will have a whole new level of threat actors out there, and we won’t necessarily know what their motivations are straight away.”
The greatest threat, according to Wilkinson, is “when the hacker decides to ransom a piece of critical infrastructure.” This scenario, of the threat shifting “from personal data to physical danger,” is not far away, he says. 2020 was a defining year for politics and social activism, and Ayman El Hajjar from the University of Westminster says this will be a leading factor in future threats.
How do organizations prepare for the next wave of attacks?
While it is important for organizations to try to predict future types of attack, it is critical that security leaders have a plan for how to react, in the event of one.
Fermin Serna of Citrix says that for organizations to avoid being caught out, they need to know their risks and network environment and, based on the estimated impact or likelihood of each threat, decide whether to “assume it” or “mitigate it.”
“You also need to predict where the technology is going and be there, aided through partnerships with specialist organizations,” he advises. “If the threat actors go one way and you aren’t there, I guarantee you will be caught by surprise.”
Dick Wilkinson of the New Mexico Judiciary agrees and says “put your resources and your money toward that biggest threat first and then work your way down the priority list. Things will happen, but if you are threat focused, you will protect yourself against the bad days most of the time.”
Ayman El Hajjar of the University of Westminster goes one step further and believes businesses need to audit their digital environment, looking at all their devices, including those that haven’t been used in a while.
“Those devices are the biggest threat in your network, because they haven’t been updated,” he explains. “Until we have a secure-by-design environment, where hardware and software manufacturers all work together, this needs to be the priority.”
Final Thoughts
In 2021, it is crucial that security professionals keep pace with the maturing threat landscape and do all that they can to ensure no opportunities exist within their network environment.
The panelists agree that, as the global pandemic has highlighted, the organizations that are agile and able to adapt quickly will be the most able to protect themselves against evolving threats. Technology advances are happening so quickly, and it is critical that security leaders remain curious and continue to advance their knowledge and learning to be a match for the growing capabilities of threat actors, who will be patient and wait for the perfect opportunity.
To listen to the full discussion on IT security in 2021 and beyond, watch the webinar on-demand now.