Encryption, zero trust and the quantum threat -- security predictions for 2021
We've already looked at the possible cybercrime landscape for 2021, but what about the other side of the coin? How are businesses going to set about ensuring they are properly protected next year?
Josh Bregman, COO of CyGlass, thinks security needs to put people first, "2020 has been incredibly stressful. Organizations should therefore look to put people first in 2021. Cybersecurity teams are especially stressed. They've been tasked with securing a changing environment where more people than ever before are working remotely. They've also faced new threats as cyber criminals have looked to take advantage of the pandemic: whether through phishing attacks or exploiting weaknesses in corporate infrastructure. Being proactive, encouraging good cyber hygiene and executing a well thought out cyber program will go a long way towards promoting a peaceful and productive 2021, not least because it will build resiliency."
Mary Writz, VP of product management at ForgeRock, thinks quantum computing will change how we think about secure access, "When quantum becomes an everyday reality, certain types of encryption and thereby authentication (using encrypted tokens) will be invalidated. Public Key Infrastructure (PKI) and digital signatures will no longer be considered secure. Organizations will need to be nimble to modernize identity and access technology."
Gaurav Banga, CEO and founder of Balbix, also has concerns over quantum computing's effect on encryption, "Quantum computing is likely to become practical soon, with the capability to break many encryption algorithms. Organizations should plan to upgrade to TLS 1.3 and quantum-safe cryptographic ciphers soon. Big Tech vendors Google and Microsoft will make updates to web browsers, but the server-side is for your organization to review and change. Kick off a Y2K-like project to identify and fix your organization's encryption before it is too late."
Sharon Wagner, CEO of Sixgill, predicts greater automation, "We'll see organizations ramp up investment in security tools that automate tasks. The security industry has long been plagued by talent shortages, and companies will look toward automation to even the playing field. While many of these automated tools were previously only accessible to large enterprises, much of this technology is becoming available to businesses of all sizes. With this, security teams will be able to cover more assets, eliminate blindspots at scale, and focus more on the most pressing security issues."
Michael Rezek, VP of cybersecurity strategy at Accedian, sees room for a blend of tools and education, "As IT teams build out their 2021 cybersecurity strategy, they should look most critically to network detection & response solutions (NDR), and other complementary solutions like endpoint security platforms that can detect advanced persistent threats (APT) and malware. For smaller companies, managed security services such as managed defense and response are also good options. However, a comprehensive security strategy must also include educating all employees about these threats and what to watch out for. Simple cybersecurity practices like varying and updating passwords and not clicking on suspicious links can go a long way in defending against ransomware. Perhaps most importantly, since no security plan is foolproof, companies should have a plan in the event of a ransomware attack. This is especially important since attackers might perform months of reconnaissance before actually striking. Once they have enough data, they'll typically move laterally inside the network in search of other prized data. Many cybercrime gangs will then install ransomware and use the stolen data as a back-up plan in case the organization refuses to pay. The more rapidly you can detect a breach and identify what information was exploited, the better your chances of mitigating this type of loss. Having a plan and the forensic data to back it up will ensure your organization and its reputation are protected."
Amir Jerbi, CTO at Aqua Security, sees more automation too, "As DevOps moves more broadly to use Infrastructure as Code (IaC) to automate provisioning of cloud native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which when executed may allow them to manipulate the cloud infrastructure of their attack targets."
Marlys Rodgers, chief information security officer and head of technology oversight at CSAA Insurance Group and inaugural member of the AttackIQ Informed Defenders Council, says, "Despite the global COVID-19 pandemic, businesses still have to function and deliver on their promises to customers. This means adapting and finding new ways to enable employees to be productive from the safety of their homes. As CISO and Head of Technology Oversight for my company, I am dedicated to structuring and sustaining a security program that enables the business, as opposed to restricting capabilities in the name of minimizing risk. Additionally, I believe in complete transparency regarding the company's security posture across all levels, including the C-suite and board, so that we may work together to understand our risk and prioritize security investments accordingly. These two guiding principles have served me well throughout my career, but in 2020 especially, they allowed my company to innovate to better serve our customers while simultaneously scaling the security program."
Devin Redmond, CEO and co-founder of Theta Lake, believes we'll see more focus on the security of collaboration tools, "Incumbent collaboration tools (Zoom, Teams, Webex) are going to get dragged into conversations about privacy law and big tech, further pressuring them to stay on top of security and compliance capabilities. At least two regulatory agencies will make explicit statements about regulatory obligations to retain and supervise collaboration conversations. Additionally, collaboration tools will replace many call center interactions and force organizations on related compliance, privacy, and security risks."
Cybersecurity needs to become 'baked in' according to Charles Eagan, CTO at BlackBerry:
Cybersecurity is, in all too many ways, an after-market add-on. But this kind of model can become a roadblock to comprehensive security -- like plugging the sink while the faucet is already on.
Take, for instance, the connected vehicle market: vehicles continue to make use of data-rich sensors to deliver safety and comfort features to the driver. But if these platforms aren't built with security as a prerequisite, it's easy to open up a new cyberattack vector with each new feature. In many cases, the data that drives Machine Learning and AI is only useful -- and safe -- if it cannot be compromised. Cybersecurity must become a pillar of product and platform development from day one, instead of added on after the architecture is established.
Tony Lauro, Akamai's director of security technology and strategy, thinks multi-factor authentication must become the norm, "Over the past 12 months, attacks against remote workers have increased dramatically, and the techniques used to do so have also increased in complexity. In 2021 security-conscious organizations will be compelled to re-evaluate their requirements for using multi-factor authentication (MFA) technology for solutions that incorporate a strong crypto component to defend against man in the middle and phishing-based 2FA bypasses."
Jerry Ray, COO of enterprise data security and encryption company SecureAge, thinks we'll see greater use of encryption, "Throughout most of 2020, VPNs, access controls, and zero trust user authentication became all the rage in the immediate push to allow employees to work from home. As the year ends and 2021 unfolds, though, a greater appreciation for data encryption has been slowly coming to life. As work from home will continue throughout 2021 and the ploys used by hackers to get into the untamed endpoints become more refined and clever, data that can't be used even if stolen or lost will prove the last, best line of defense."
Mike Riemer, global chief technology officer of Ivanti, thinks organizations must adopt zero trust, "As employees continue to work from home, enterprises must come to terms with the reality that it may not be just the employee accessing a company device. Other people, such as a child or spouse, may use a laptop, phone, or tablet and inadvertently download ransomware or other types of software malware. Then, when the employee starts using the device to access a corporate network or specific corporate cloud application, it becomes a rogue device. Without having eyes on employees, how do businesses ensure the user and device are trusted? And what about the application, data and infrastructure? All of these components must be verified on a continual basis every few minutes to maintain a superior secure access posture. That is why organizations must adopt a Zero Trust Access solution capable of handling the hyper-converged technology and infrastructure within today's digital workplace by providing a unified, cloud-based service that enables greater accessibility, efficiency, and risk reduction."
Casey Ellis, CTO, founder, and chairman of Bugcrowd thinks more governments around the world will adopt vulnerability disclosure as a default:
Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense.
Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.