Enterprise cybersecurity threats spiked in 2020, more to come in 2021
After an unprecedented year from an enterprise cybersecurity threat standpoint, security leaders are preparing for a growing number and sophistication of attacks in 2021.
Security leaders predict 2021 will be a repeat of 2020 as the arms race between cybercriminals and security departments continues to accelerate.
An explosion in digital engagements, fueled in part by the increased number of remote workers, will keep security teams scrambling.
"I think we're going to have a rough end to 2020 and a rougher start to 2021," said Spencer Wilcox, chief security officer and executive director of technology at PNM Resources, an energy holding company based in Albuquerque, N.M.
Wilcox said he has seen a dramatic escalation in the number of cyberthreats in recent months, among them distributed denial-of-service, ransomware and phishing attacks, both within and outside his organization.
Mobile attacks are also on the rise as hackers look for ways to exploit vulnerabilities brought on by the shift to remote work due to the COVID-19 pandemic. Meantime, attackers are seeking new avenues to hit their main objectives, such as exploiting weaknesses at third-party organizations working with primary targets.
In response, Wilcox, a speaker with the International Information System Security Certification Consortium, or (ISC)², said security departments have fortified their defenses by adding more tools and intelligence to deter and more accurately respond to threats.
"It's about knowing yourself and your inventory, and it's about knowing what works within your enterprise," Wilcox said.
Studies show cybersecurity realities
Statistics confirm Wilcox's concerns.
Earlier this year, for example, the FBI reported its Cyber Division was receiving as many as 4,000 complaints per day about cyber attacks, a 400% increase from pre-pandemic figures. In September, tech security company CrowdStrike said it had seen more intrusion attempts during the first half of 2020 than in all of 2019.
Researchers are predicting more of the same for 2021. "Threat actors will continue to attack without any regard for the challenges faced by their targets," cybersecurity company FireEye stated in its report examining the year ahead. "These actors continue to be motivated by espionage and monetary gain, though their [tactics, techniques and procedures] will always evolve. This means organizations will continue to be breached, resulting in business disruptions, data compromise, reputational harm, and almost always a financial loss." Security company Kaspersky issued a similar warning in its 2021 forecast.
Threats remain persistent
Companies acknowledge they're in for a challenging 2021.
"As the COVID-19 pandemic rides what looks like another wave into 2021, we can expect to see more of the same with a focus on business email compromise scams, spoofing and phishing, malware and ransomware," said Eugene Okwodu, director of cybersecurity solutions at Guidehouse, a consulting and technology services company. He predicted the financial services, health care and energy sectors will be top targets, as well as state and local government agencies.
"These industries represent what has been historically the most lucrative from an attacker perspective."
Even though Okwodu doesn't expect attack vectors to change, he does anticipate an "increase in sophistication as attackers learn from last year's experiences on what worked and what didn't. The expectation is that sophistication of attacks will continue to increase as attackers learn from their mistakes and reinvest in technology employing automation, machine learning and AI to improve their attack methodologies."
Sushila Nair, CISO at NTT Data Services, said she's concerned about the pace of ransomware and identity attacks. "Ransomware has been trending up with some estimates of a 7x increase, and I expect this to continue," she said. "We will also see an increase in identity attacks as in a remote environment, identity is the new perimeter."
Remote access and VPNs will also continue to be favorite targets, with hackers flooding servers with DDoS attacks or targeting weaknesses in the Remote Desktop Protocol. "The acceleration into a remote world has created risk around misconfiguration, which is the top attack vector for cloud attacks," Nair said.
2021 will also see the development of malware specifically engineered to target Linux, Android and other mobile platforms as attack surfaces continue to multiply. IoT is another favorite target, Nair said, with "adversaries [looking] to leverage default credentials and discovered vulnerabilities to weaponize these devices."
"In addition to targeting mobile phones and IoT devices, we'll also see deepfakes used as scams and bots will go rogue," Nair said.
Evolution of cyber defenses
Despite the onslaught of threats, organizations and their CISOs are hardly buckling. Security leaders are constantly rewriting their defense strategies as they take steps to secure their enterprises.
"The criminal world is becoming better equipped; it's becoming more knowledgeable and better sourced. But keep in mind, if we're talking about enterprise security, that's not a new challenge," said Vladlena Benson, professor of cybersecurity management with the Aston Business School at England's Aston University, and a member of the ISACA Emerging Technology Advisory Group.
In fact, the challenges of 2020 pushed enterprise security to the forefront at many organizations. Board members and C-suite executives haven't merely deemed security investments essential; they see them as being a differentiator in the marketplace. That has enabled security departments to fine-tune their strategies as they introduce new technologies and methodologies.
Consider this: CompTIA in its September 2020 "State of Cybersecurity" report found widespread adoption of tools designed to boost enterprise security, with 35% of respondents saying their organizations had made "dramatic" improvements to their cybersecurity infrastructures while an additional 45% made slight improvements to their security operations. (Only 9% reported their cybersecurity remained the same, with another 11% saying their security environment was deteriorating.) Additionally, CompTIA reported 90% of respondents were viewing cybersecurity more seriously, with 60% taking a more formal approach to structuring their cybersecurity practices.
Still, CISOs face more work ahead -- with one of the most important goals being to ensure they have a strong security foundation built on best practices.
"My advice to CISOs, enterprise security teams and organizations is to master the basics before attempting the exotic," Okwodu at Guidehouse said. "By that I mean focus on reducing your attack surface by developing a strong cybersecurity program that focuses on -- at a minimum -- malware defense, application software security, identity and access management, data protection, incident response management and disaster recovery capabilities."
CISOs should revisit decisions they made during 2020, especially those that tolerated security gaps in the rush to enable remote work as a result of the pandemic. One way to reduce that exposure is to adopt approaches that encompass zero trust, said Neil Daswani, co-director of Stanford University's Advanced Security Program and author of the upcoming book Big Breaches.
"In 2021 CISOs should continue to accelerate their zero-trust initiatives to help them claw back risk, as the zero-trust model is much more effective at managing risks due to remote workers than traditional VPNs and perimeter security models," he said.
Tools that diagnose and analyze network behavior, meantime, are also gaining traction, said Marc Vael, CISO at software vendor Esko and a past ISACA board member. Behavioral analytics software allows organizations to identify -- in real time -- normal and permissible actions even as it flags anomalies that might suggest nefarious behavior. Security orchestration, automation and response technologies are also letting companies beef up their defenses. "That will be the big hype for next year," Vael said.
Yet even as organizations assess technologies like analytics and zero trust, companies must first understand their own risk postures before they decide which strategies to pursue, Nair at NTT said.
"[Undertaking this exercise] not only addresses the newly created risks, but opens up opportunities for people to truly consider full redesigns and other more disruptive changes that have perhaps been kicked down the road for years now because the business has change fatigue," she said. "We just proved, globally, that we are all far more resilient than we originally believed ourselves to be and people are actually looking for big changes that make their work lives easier. Now is the time to step back, take stock, and decide what's next, [to] not be satisfied and stay at this current plateau."