Cybersecurity is not a static world. It behaves like a social system: it affects, and is affected by, its surrounding environment. Back in 2018, for example, it was the GDPR that shook the foundations of security and privacy by treating the protection of personal data as a fundamental right and backing that principle with enforceable obligations and fines. But that was then. What is shaping today's cybersecurity?
This is the question that the Infosecurity Magazine State of Cybersecurity 2020 report investigates. It is not surprising that the COVID-19 pandemic has taken by force not only public health systems and the world economy but also the cybersecurity industry. It is the trend with the most profound impact on the sector this year.
According to the report, the other top trends shaping the sector were the cloud, artificial intelligence and machine learning, the human element, and phishing attacks.
Dan Raywood, the deputy editor of the Infosecurity Magazine and author of the report, said: “It’s always interesting to see how the trends form as we have more and more conversations, and it was clear this year that COVID-19 was going to be the dominant trend. Much like in 2018, when the introduction of GDPR was the dominant trend, I suspect that when we do this in 2021 COVID-19 will not be the main trend.”
This year's survey respondents were drawn from three verticals: entrepreneurs and investors, practitioners and vendors, and education and academia. This gives greater visibility of how different factors affect different facets of the infosec industry. "We decided to do the research with clear verticals after a response to our 2019 report about the verticals we had surveyed. Last year we focused on cybersecurity practitioners and vendors, so this year we kept that vertical as well as including those teaching and learning about cybersecurity, as well as those investing in the future," commented Raywood.
COVID-19
Cited by 30% of the survey respondents, the COVID-19 pandemic brought vast changes to the way people work and to how remote workforces need to be secured.
Although digital transformation initiatives had already made businesses capable of supporting workforce mobility, it was the pandemic that accelerated work-from-home arrangements. The proliferation of remote working raised security questions that needed urgent answers: how do you secure a remote workforce, and how do you authenticate users and the privately owned devices they connect from?
If these questions are left unanswered, the business attack surface expands and employees fall prey to cybercriminals. As David Bisson reported, over the last few months cyber-attacks against the healthcare industry have risen by 150%, with criminals exploiting the pandemic and people's need for timely and accurate information through a variety of attack vectors.
However, there are some potential positives to come out of this unprecedented crisis. Companies that have lived through it should turn their improvised arrangements into durable practices that let workforces operate remotely, and should put greater focus on implementing stronger security controls to reduce cyber-risk.
Cloud
Organizations have accelerated the adoption of multi-cloud environments as part of their digital transformation efforts. Cloud adoption gives businesses cost benefits and the ability to support distributed workforces, which proved vital for coping with an emergency like COVID-19. Hence, it is no wonder that the cloud is the second most important trend affecting the cybersecurity industry.
Cloud adoption, despite the obvious benefits of changing the way businesses work and collaborate, presents companies with new security challenges and risks. With the traditional perimeter disappearing and identity becoming the new perimeter, it is important to develop and implement identity-centric solutions that balance user experience and security.
Another point for consideration is that some businesses still struggle to understand how cloud-dependent and widely distributed their cloud apps and environments are, because they do not have full visibility into their cloud architectures. As a result, they tend to over-trust cloud-native security services. The assumption that security is enabled by default is a mistake that can land companies in severe trouble: under the shared-responsibility model the provider secures the underlying platform, but the configuration of storage permissions, identity policies, logging and encryption remains the customer's job.
To mitigate these challenges, companies need to focus on, and invest in, cloud-agnostic solutions that secure the data itself wherever it lives and stop these challenges from turning into threats.
Artificial Intelligence and Machine Learning
Artificial Intelligence (AI) and Machine Learning (ML) are an important part of research and drive innovation in the industry. Hence, it is not a surprise that they have made the top five for three consecutive years.
Propelled by increased computing power, the "smart" use of big data sets has become the norm for companies that want to automate routine, time-consuming tasks through advanced automation, orchestration and analysis. Both technologies have huge potential in threat intelligence and intrusion detection. Applied to cybersecurity, AI and ML can help security teams cope with a huge number of tasks and data sets and make more informed decisions.
However, the human factor remains an important element in the evolution of AI and ML. Using AI to build autonomous and semi-autonomous systems should not be done without an understanding of the human-AI interface. Failure to do so will erode any gains in cybersecurity.
On the flip side, these technologies are not used only for good purposes. Cybercriminals take advantage of them too, both to automate and scale their campaigns and, through adversarial machine learning, to evade or poison the ML-based defences themselves. It is evident that the future will bring more complex attacks as attackers leverage automation and AI. Therefore, using the same technology to fight adversaries is more critical now than ever before.
The Human Element
The human element in cybersecurity is a much-debated topic and was the fourth most popular trend according to the survey’s respondents.
The changing cybersecurity environment and the increased attention businesses pay to mitigating cyber-risk have led to a recognition of the importance of the cybersecurity profession. However, the ongoing discussion about a skills shortage is more about working out which skills satisfy business-specific needs than about difficulty in recruiting cybersecurity professionals. Finally, the fact that people make poor decisions that lead to data breaches is an indication that employees lack cybersecurity literacy.
According to the report, there are many areas of concern surrounding the human element of cybersecurity. The lack of engaging and current educational content can lead to misperceptions about the actual security threats, such as the persistent use of bad passwords. Further, although companies are developing security awareness programs, these do not translate into a corporate-wide security culture. In the absence of that culture, the executive board and the security practitioners seem "lost in translation", which amplifies the communication gap and results in poor decision making.
The report concludes that it is wrong to blame users as the "weakest link" in cybersecurity when we constantly fail to provide them with meaningful training that works for everyone. It is about time to invest seriously in continuous cyber-education.
Phishing
Phishing is the only malicious trend that made the top five in this year's report. Phishing attacks play a key role in the cybersecurity landscape because they are cheap to carry out and exploit human decision making. If you look at the current situation regarding the COVID-19 pandemic, you will understand why phishing made the charts.
With businesses heavily dependent on email, social engineers have an easy route to compromise the business infrastructure: obtain user credentials, then move laterally within the corporate network. According to the recent Verizon DBIR 2020 report, phishing remains the weapon of choice for attackers when they decide to launch an attack.
With more and more attacks being financially motivated, attackers are employing more sophisticated phishing methods that impersonate a known contact and target large numbers of employees, especially in financial institutions. The goal is to compromise enough users for the attacker to gain control of financial transaction approval workflows, allowing them to initiate and approve transactions that appear to be properly authorized.
Mitigating phishing attacks relies heavily on end-user decision making. Technical controls such as email authentication and filtering decide which messages are accepted, but they only verify that a message really came from the domain it claims; a well-crafted phishing message sent from a lookalike domain the attacker controls, or from a compromised legitimate account, passes those checks. We therefore need to empower employees to make the correct decision, and that can be done only through proper education.
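To make the previous paragraph concrete, here is an added example (written for this page, not taken from the report or from Infosecurity Magazine) of the kind of mechanism a mail gateway applies: it reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header and then layers simple impersonation heuristics on top. The known-contact list, the domains and the three messages are constructed for illustration; the point it shows is that a spoofed message is rejected by DMARC, while a lookalike-domain message passes every authentication check and is only caught, if at all, by the weaker heuristics, which is why the user's judgement still matters.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (hypothetical): domains of known contacts and the
# display names they normally use. A real deployment would source this from
# the address book or a vendor register.
KNOWN_CONTACTS = {
    "example-bank.com": {"Example Bank Treasury", "Example Bank"},
    "partner.example": {"Alice Vendor"},
}

# Verdict keywords as written into Authentication-Results by a receiving MTA.
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)

# Crude homoglyph normalisation for lookalike domains: 1 -> l, 0 -> o, rn -> m.
LOOKALIKE_TABLE = str.maketrans({"1": "l", "0": "o"})


def normalize_domain(domain):
    return domain.lower().translate(LOOKALIKE_TABLE).replace("rn", "m")


def parse_auth_results(header_value):
    """Extract spf/dkim/dmarc verdicts; mechanisms that are absent report 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    if header_value:
        for mech, verdict in AUTH_RESULT_RE.findall(header_value):
            results[mech.lower()] = verdict.lower()
    return results


def classify_message(raw_message):
    """Return (verdict, reasons) for a raw RFC 5322 message.

    verdict is 'reject', 'quarantine' or 'deliver'. Layer 1 trusts the MTA's
    authentication results; layer 2 adds heuristics for the case authentication
    cannot catch, where the attacker legitimately owns a lookalike domain.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []

    # Layer 1: mail authentication. dmarc=fail means the From: domain was
    # spoofed (or the sender's DNS is broken); either way do not deliver.
    if auth["dmarc"] == "fail":
        return "reject", ["dmarc=fail: From domain spoofed"]
    if from_domain in KNOWN_CONTACTS and auth["dmarc"] != "pass":
        return "quarantine", ["known contact domain without dmarc=pass"]

    # Layer 2: impersonation heuristics. These run even when authentication
    # passed, because passing only proves the sender controls that domain.
    for domain, names in KNOWN_CONTACTS.items():
        if display_name in names and from_domain != domain:
            reasons.append(
                f"display name '{display_name}' belongs to {domain}, address is {from_domain}"
            )
    if from_domain not in KNOWN_CONTACTS and normalize_domain(from_domain) in KNOWN_CONTACTS:
        reasons.append(f"lookalike domain {from_domain}")
    reply_to_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_to_domain and reply_to_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_to_domain} differs from From domain")

    return ("quarantine" if reasons else "deliver"), reasons


# Three constructed messages (hypothetical addresses and hosts).
MSG_LEGIT = """\
From: Example Bank Treasury <payments@example-bank.com>
To: cfo@victim.example
Subject: Q2 statement
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com

Statement attached.
"""

MSG_SPOOFED = """\
From: Example Bank Treasury <payments@example-bank.com>
To: cfo@victim.example
Subject: Urgent wire approval
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=example-bank.com; dkim=none; dmarc=fail header.from=example-bank.com

Please approve the attached transfer today.
"""

# Attacker-owned lookalike domain with correct SPF/DKIM/DMARC: authentication passes.
MSG_LOOKALIKE = """\
From: Example Bank Treasury <payments@examp1e-bank.com>
Reply-To: payments.examplebank@webmail.example
To: cfo@victim.example
Subject: Urgent wire approval
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=examp1e-bank.com; dkim=pass header.d=examp1e-bank.com; dmarc=pass header.from=examp1e-bank.com

Please approve the attached transfer today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", MSG_LEGIT), ("spoofed", MSG_SPOOFED), ("lookalike", MSG_LOOKALIKE)):
        print(label, classify_message(raw))
```

Run as a script it prints a verdict per message: the legitimate message is delivered, the spoof is rejected on dmarc=fail, and the lookalike is merely quarantined on three heuristic hits (display-name mismatch, homoglyph domain, foreign Reply-To). Drop any one of those heuristics and the lookalike would be delivered with every authentication check green, which is exactly the gap the paragraph above describes.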
What About Compliance?
It came as a surprise that compliance did not make the top five, even though significant new regulatory frameworks, such as the California Consumer Privacy Act, come into enforcement this year. One possible explanation is that the comparatively small number of fines for data security and privacy breaches since GDPR came into force has contributed to this shift in mindset.
With regard to compliance not appearing in the top five, Raywood said: "It is surprising that compliance fell away from the top five. We did get a number of responses citing data privacy, which for me felt distinctly different from overall compliance, so that split in the vote caused neither to appear in the top five. This doesn't mean that compliance is any less important though; in fact, I suspect the remote workforce will have caused many IT departments to review their data protection and risk management strategies."
It will be interesting to see what the total impact of COVID-19 on the cybersecurity world will be. If we treat the pandemic as an anomaly, it is worth noting that the other four top trends are recurring ones. Are we chasing the same ghosts year after year, or is this a moment to sit back and reflect on what we are doing? How can we face future challenges, such as quantum computing, if we haven't solved these issues?