Securing 2021: what we learned in 2020 and what’s going to happen next
Sensors reported a staggering 199.7 million ransomware attacks globally in the third quarter of 2020, as organisations worldwide struggled to keep systems secure from cybercriminals. Against that backdrop, SC Media spoke to seven industry experts about the biggest cybersecurity challenges of the coming year and what businesses can do to protect themselves.
“Leadership teams the world over will be asking themselves how much more can our business take?” says Stephen Roostan, VP EMEA at Kenna Security. “Notwithstanding the uncertain trading conditions, I’d wager that very few can withstand a crippling cyber attack such as those suffered by British Airways, Zoom, Uber and others. For many businesses, if the impacts of the breach itself were not enough, the ICO’s fine could be enough to close the doors for good.
“At last, cybersecurity has become a board level issue. Executives have seen what has happened to other firms and are now questioning their own cybersecurity posture. Could a breach like that happen to us? How at risk are we? What is our own impact tolerance?”
Three simple questions. But for resource-strapped and under-invested cybersecurity and IT teams it’s rarely possible to give a definitive answer. Drowning under the weight of threat data, tickets and patches, they have no hope of quantifying the risk to their business in a meaningful way.
“Executives must understand their organisation’s individual risk posture relative to the enormous pool of vulnerability and threat data that exists. But they must also equip their cybersecurity and IT teams with the necessary tools to cut through that, to calculate the risks correctly for their own business. It is about accurately pinpointing the most effective actions,” says Roostan.
“Cybercriminals will always follow users and launch attacks that exploit their behaviours and habits,” says Anurag Kahol, CTO and co-founder at Bitglass. “We saw this very clearly in 2020 when employees suddenly became remote workers and their use of technology and devices shifted.”
Cybercriminals took advantage of this disruption to launch phishing, vishing, ransomware, and a whole slew of other attacks that targeted gaps in security; many organisations were not prepared to support a remote workforce securely.
“Prior to the pandemic, many companies (82%) enabled bring your own device (BYOD) for employees, partners, or other stakeholders. But 72% lacked BYOD malware protection entirely or relied on endpoint software installations. As the pandemic has further enabled BYOD, this lack of preparedness is potentially disastrous.
“This failure led to nearly 25% of organisations paying unexpected costs to address cybersecurity breaches and malware infections. If organisations don’t rethink their approaches to security, cybercrime will continue to evolve and exploit remote workers as the ideal entry points into corporate IT ecosystems.”
To pay or not to pay
“Ransomware will remain the most prominent cyber threat to all organisations,” predicts Thomas Cartlidge, head of threat intelligence at Six Degrees. “The tactics of ransomware operators will evolve to ensure they continue to evade defences and pressure victims. There will be an increased emphasis on leaking data online to extort, with an increased use of social media to amplify the pressure. Other tactics could include increased use of distributed denial of service (DDoS) to attack victims. Ransomware group SunCrypt conducted a DDoS attack against a victim in late 2020 as they were negotiating a possible payment.
“Ransomware-as-a-service (RaaS) has allowed unskilled threat actors to use technically advanced ransomware to attack victims, while providing additional income to the groups that created the software. RaaS allows the number of groups conducting attacks to increase, and the technically skilled groups time to focus on modifying software and strategy to evade defences.
“They’ll continue to exploit remote access vulnerabilities to launch attacks, because using such methods allows attackers to gain access without having to phish or social engineer.”
Jakub Lewandowski, global data governance officer at Commvault, believes that in light of this, we’ll see new data regulations introduced in 2021: “There’ll be a tightening up of enforcement in data protection related cases. At the same time we should be witnessing a judicial verification of fines imposed by the data protection authorities as many high profile cases will be appealed to courts.
“The outcome should give more clarity on how to quantify legal risks associated with data processing. Companies should also be eying all the latest guidelines and guidance on ransomware prevention issued by data protection and cybersecurity regulators.
“With regards to the UK, we can’t discuss 2021 without mentioning Brexit. It’s going to become increasingly important that companies ensure they’re meeting regulatory requirements, and particularly with regards to cross border data transfers. As Britain leaves the EU, how this will affect GDPR and data protection across Europe remains to be determined, and you must ensure you’re prepared for a transition period filled with uncertainty and change.
“One key step organisations can take now is to back up your data. Finding a solution that can support the organisation in its compliance efforts with applicable legal requirements – and that can take some of the complexity out – will make a huge difference to efficiency and effectiveness.”
Three measures to take in 2021
- Invest in MSP support
Jay Ryerse, VP cybersecurity initiatives at ConnectWise, expects a rise in investment in MSPs to reduce risk: “To keep up with demand, companies will pivot towards automation and streamlining the various security products that exist and aligning them whenever possible. Attack techniques are changing, and with people working from home there has been an increase of phishing, for instance, on targets’ family members as they are now sharing equipment and networks while working on sensitive business data.
“The demand to double down on cybersecurity to tackle the new challenges that come with a remote workforce will see many companies turning to MSPs to address the volume of attacks, for education and to help reduce risk in 2021.
“We’ll continue to see heavy private equity investment in the MSP space, leading to further consolidation, as well as private equity buying security companies at an unprecedented rate. The objective of these consolidations may be to gain market share and intellectual property while streamlining delivery of secure services. It will likely drive market separation for the largest providers and, conversely, create an opportunity for smaller providers to enter the space and meet the demands of delivering security service at scale.”
- Take stock and reevaluate
Samantha Humphries, senior security strategist at Exabeam, says the rapid shift to remote working has disrupted business security.
“The hasty nature of these changes – combined with reduced staffing, less investment in security and an increase in attacks – presents some major data security issues. An Exabeam survey of cyber professionals conducted in May this year painted a bleak picture: 71% of cyber professionals were seeing an increase in threats, three quarters had furloughed members of their SOC team and 60% needed to defer planned investments in security technology.
“For most security teams, 2021 will be a time to take stock and retrospectively apply due diligence to all cloud applications and services brought online to support remote working in 2020. Most organisations – out of necessity – reduced security standards to meet the demands of a newly remote workforce. This has created a bigger playground for cybercriminals, and unless controls are strengthened this will lead to a flurry of data breach notifications. Going into 2021 one thing is clear: protecting the credential will be key. With far more entry points open to attackers, securing and monitoring the credential is more important than ever,” says Humphries.
- Adopt Zero Trust-as-a-Service
“I believe we’ll see a significant increase in the adoption of a Zero Trust-as-a-Service model being used in security strategies beyond 2021,” says Tim Bandos, CISO at Digital Guardian. “We’ve learned over the years that relying heavily on network security such as firewalls does almost nothing for you when faced with determined adversaries.
“Also, as organisations move more of their workloads to the cloud, it becomes more imperative to protect and restrict those who have access and to ensure you have the right level of visibility. This approach requires more granular perimeter enforcements based on who the user is, where they are located, and other elements of data to determine the level of trust granted. Implementing this type of strategy is not something that happens overnight.
“Embrace the Zero Trust model: first design it and try to avoid the incorporation of legacy systems that aren’t fully capable. For larger and more complex businesses, this may be a multi-year project depending on your IT environment. But for smaller and medium-sized companies, it could be a great opportunity to transform the cybersecurity approach.”
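The kind of per-request decision Bandos describes, where identity, device posture and location together determine how much trust a request earns, can be made concrete in a small policy engine. The block below is an added illustration written for this page; it is not Digital Guardian's code or any product's policy format. The resource catalogue, the scoring weights, the allowed-country list and the sample requests are all constructed assumptions, chosen so that every path (wrong group, unmanaged device, missing MFA, unexpected location, unknown resource) is exercised, and access is denied unless a policy explicitly grants it.

```python
"""Minimal Zero Trust access decision: added example, not code from the article.

Every request is scored on verified identity (MFA), device posture and location.
The network a request arrives from is deliberately not a signal; nothing is
trusted for being 'inside'. Resources that are unknown or that the caller's
groups do not cover are denied before any scoring happens (default deny).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # directory groups the authenticated identity holds
    mfa_verified: bool         # second factor completed for this session
    device_managed: bool       # device enrolled in MDM / known inventory
    device_patched: bool       # posture check: OS and agent up to date
    country: str               # geolocation of the connecting client (ISO code)
    resource: str


# Hypothetical resource catalogue: minimum trust score and groups allowed to ask.
RESOURCES = {
    "wiki":       {"min_trust": 1, "groups": {"staff", "contractor"}},
    "payroll-db": {"min_trust": 4, "groups": {"finance"}},
    "prod-admin": {"min_trust": 5, "groups": {"sre"}},
}

# Constructed example policy: countries this organisation expects staff to work from.
ALLOWED_COUNTRIES = {"GB", "IE", "DE"}


def trust_score(req):
    """Return (score, reasons). Max score is 5: MFA 2, managed 1, patched 1, location 1.

    A session without MFA is capped at 1 regardless of other signals, so a stolen
    password on its own can never reach the level needed for sensitive resources.
    """
    score, reasons = 0, []
    if req.mfa_verified:
        score += 2
    else:
        reasons.append("no MFA")
    if req.device_managed:
        score += 1
        if req.device_patched:
            score += 1
        else:
            reasons.append("device unpatched")
    else:
        reasons.append("unmanaged device")
    if req.country in ALLOWED_COUNTRIES:
        score += 1
    else:
        reasons.append(f"unexpected location {req.country}")
    if not req.mfa_verified:
        score = min(score, 1)
    return score, reasons


def decide(req):
    """Return (allowed, reasons). Deny on unknown resource, wrong group or low trust."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return False, ["unknown resource: default deny"]
    if not (req.groups & policy["groups"]):
        return False, [f"{req.user} holds no group authorised for {req.resource}"]
    score, reasons = trust_score(req)
    if score < policy["min_trust"]:
        return False, reasons + [f"trust {score} < required {policy['min_trust']}"]
    return True, [f"trust {score} >= required {policy['min_trust']}"]


# Constructed sample requests covering each decision path.
SAMPLE_REQUESTS = [
    AccessRequest("alice", frozenset({"finance"}), True, True, True, "GB", "payroll-db"),
    AccessRequest("alice", frozenset({"finance"}), True, False, False, "GB", "payroll-db"),
    AccessRequest("bob", frozenset({"staff"}), False, True, True, "IE", "wiki"),
    AccessRequest("bob", frozenset({"staff"}), False, False, False, "US", "wiki"),
    AccessRequest("mallory", frozenset({"sre"}), True, True, True, "RU", "prod-admin"),
    AccessRequest("mallory", frozenset({"staff"}), True, True, True, "GB", "prod-admin"),
    AccessRequest("carol", frozenset({"staff"}), True, True, True, "GB", "secret-share"),
]


def run_samples():
    """Evaluate every sample request; returns [(user, resource, allowed), ...]."""
    return [(r.user, r.resource, decide(r)[0]) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reasons = decide(req)
        print(f"{req.user:8} -> {req.resource:12} {'ALLOW' if allowed else 'DENY ':5} {'; '.join(reasons)}")
```

The useful property to notice is that the same identity gets different answers depending on posture and location: `alice` reaches the payroll database from a managed, patched laptop but not from an unmanaged one, and `mallory` is refused production administration despite valid MFA because the request comes from an unexpected country. Legacy systems that cannot supply these signals, which Bandos warns against bolting on, would simply never score high enough.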