Speed of change means threat landscape could outrun cybersecurity defences – with insider threats and ransomware presenting greatest risk 

Richmond, Surrey, UK, 0900 hours, 10 December 2020 – 2021 will be a year for organisations to reset, and to fortify their cybersecurity resilience, according to Infosecurity Europe’s community of security leaders. Europe’s number one information security event asked its network of CISOs and analysts to comment on the major trends and changes they foresee shaping the next 12 months. Overall, they expect companies to focus on consolidating and reinforcing their security posture as the full consequences of 2020’s rapid changes become apparent.

This is a world that Maxine Holt, Senior Research Director at Omdia, calls “the reset normal”. She says: “From a security perspective, it’s been difficult to maintain pace with the speed of change. COVID-19 accelerated cloud journeys, for instance, and security was at best an afterthought. Security functions applied temporary measures, and they will now peel back the sticking plaster and build more sustainable security for new ways of working. This should include upskilling staff in cloud security expertise, and looking at technology that can prevent, detect and respond to security incidents in these evolved environments.”

The threat landscape will continue to evolve at a speed that outpaces the cybersecurity industry, according to Becky Pinkard, CISO of Aldemore Bank. “I’d like to see companies buckle down on the ‘foundations of security’, moving into an era of never-before-seen strength on the frontline fight against cyber threats,” she says. “However, I predict we’ll see more of the same when it comes to security awareness, patching and risk prioritisation. The industry is maturing, but at a glacial pace. Until we pick up that pace, the current overall defensive posture will persist.”

Troy Hunt, Microsoft Regional Director and Founder of Have I Been Pwned, expects the world to wake up to the full impact of “doing a lot more digitally” on exposure to risk. “We’ve adapted and adjusted to being at home more, in terms of new social norms as well as digital norms. We know how to do it. However, we can’t escape the fact that doing so much more online increases the entire attack surface. The volume of data businesses are collecting and digitising has risen, and a lot of this is sitting on someone else’s cloud. We need to work differently, have conversations differently, collect data differently, and secure things differently.”

When it comes to the threats that will come to the fore in 2021, Heidi Shey, Principal Analyst serving Security and Risk Professionals with Forrester Research, believes insider incidents will be an area of increased concern. “Pandemic-related uncertainty and remote work environments have collided to create the ideal conditions,” she explains. “We expect one-third of security breaches will be caused by insider threats in the coming year, up from 25% today. These may be due to accidental or inadvertent data misuse, or malicious intent. As part of their defence, firms should add capabilities for detecting insider threats, and improve the employee experience.”

Maxine Holt anticipates that increasingly demanding and sophisticated ransomware will dominate the threat landscape. “It isn’t new, but it’s really grabbing attention right now,” she points out. “The Manchester United cyberattack is a high-profile example of what many organisations will continue to face – and depending on where the company is registered, they could be caught between a rock and a hard place when it comes to paying ransoms, potentially recovering data, and incurring fines. Compliance and privacy both need to be ramped up.”

Heidi Shey believes that customer and employee privacy will become a strategic business imperative in the next 12 months, as a key part of cyber resilience. “Consumers will increasingly prefer to engage with and entrust their data to ethical businesses, and this will drive firms to embed privacy into the customer experience. We expect regulatory and legal activity related to employee privacy will double, and employee privacy lawsuits will multiply. Companies must take a privacy-by-design approach when handling employee data, including assessing specific privacy and ethical risks, and communicating transparently.”

On the topic of building resilience, Becky Pinkard suggests that the pandemic created a proving ground for companies to evolve their understanding of business continuity and disaster recovery. “2020 forced companies to pay a lot more attention to what services customers need, and what they depend on most – and to evolve and scale digital transformation perhaps faster than they were ready for! In 2021 we’re likely to see companies looking at these exercises in business continuity, testing, poking and prodding them to make sure they’re ready for the next big challenge.”

Infosecurity Europe also probed its leader community on the new technology capabilities companies are likely to take advantage of in the coming year. “We need to start stretching and extending ourselves and understanding areas such as AI, machine learning and quantum computing before they’re upon us,” advises Becky Pinkard. “There was a sense of urgency during COVID-19, with people adopting cloud, for example, under duress…suddenly it was upon us! I hope we all learn from this and become more proactive in exploring capabilities to help us with resilience.”

Heidi Shey predicts that pressure on budgets will lead to an increased uptake of risk quantification technology. “In 2021, CISOs will have to prioritise what they do and where they invest to overcome audit issues, manage risks, and protect the enterprise,” she says. “Risk quantification solutions that provide specific insights into the criticality of assets, as well as the potential impact of an issue in real time with business context, will help security leaders determine what stays, what goes, and where limited increases should go.”

When it comes to innovation, Troy Hunt predicts there will be advances in smarter authentication schemes; but believes passwords will be around for some time yet. “We know we have problems with passwords – but we won’t be getting rid of them this year, or even this decade!” he states. “We’ve had to come up with smarter authentication schemes as the attack surface has grown – and biometrics have allowed us to authenticate in lower friction ways, using face ID and fingerprint readers for example. We’ll see authentication themes continue to get better and better. I’d make a bet with anyone that when we get to 2030 we’ll have more passwords than we do today! But better ways of authentication will mean we don’t have to use them.”

Nicole Mills, Senior Exhibition Director at Infosecurity Group, comments: “We won’t see things return to normal in 2021, but the year will mark the start of the transition back to a more stable way of working and living. The trends that have been accelerated by the pandemic will embed themselves into business and society, and new challenges and threat vectors will become evident. Security and risk professionals must adapt to the new reality, keeping up with the speed of ongoing change, while fortifying their resilience – consolidating and reinforcing their security posture.”

Infosecurity Europe, now in its 25^th year, takes place at Olympia, Hammersmith, London, from 8-10 June 2021. It brings together information security professionals attending from every segment of the industry, as well the leading industry suppliers showcasing their products and services, industry analysts, worldwide press and policy experts. Expert practitioners are lined up to take part in the free-to-attend conference, seminar and workshop programme. Find out more at https://www.infosecurityeurope.com