2020 was a tumultuous and eventful year, and the major security events will continue to impact us well into 2021 as their second and third order effects cascade through the market. In no particular order, these events were:
The COVID-19 Pandemic
The pandemic drove adoption of remote and distributed work, accelerating a trend that was already underway, especially in the small and mid-sized technology firms that Kobalt.io supports. In many cases remote work is shifting into distributed work – the distinction being that remote work is remote from a central core or head office, whereas distributed is office-less and aims to create productivity and equality for employees regardless of location. I strongly recommend Matt Mullenweg’s podcast interview here: https://distributed.blog/podcast/.
With remote and distributed employees, we ran into new security challenges. Phishing attacks and business email fraud scams rose significantly. Organizations opening up to cloud services such as O365 saw account compromises through credential stuffing attacks rise where strong password controls and multi-factor authentication were not in place. And the protections of a head office – firewalls and web filtering, local IT staff to ask for assistance – have shifted to cloud offerings and Slack support channels.
With this shift we need to more closely consider the security of home networks, which are overloaded with kids, partners and others all sharing a single network, so that a security risk on one device can spill over to the others.
The Solarwinds Breach
As organizations have grown increasingly reliant on third parties for SaaS services, data hosting and other key applications involving their sensitive data, supply chain security has become increasingly important. The Solarwinds breach reminds us that not only cloud providers but also suppliers closely integrated into our networks and workflows represent a significant risk.
The impact of this particular breach – hundreds of Fortune 500 accounts, dozens of government departments, other key vendors like FireEye and Microsoft – will cause an intense focus on third-party risk, with an expected uptick in the volume of security questionnaires, the demand for compliance programs like SOC2 and possibly even increases in audit activities.
We’ve already seen this activity move further and further down market, and expect the net to widen from a few key vendors to many smaller SaaS companies and even others in large organizations’ supply chains.
Fake News and Misinformation
Conspiracy theories, a global pandemic and a tightly contested election caused a rampant spread of misinformation in 2020, which, unfortunately, appears to be continuing in 2021. Fed by social media algorithms designed to promote engagement and by unscrupulous individuals seeking to profit off of attention and advertising, sensation rather than sense is at the centre of discourse.
This bleeds over into security because our users have been trained to click on headlines, videos and social posts that are designed to appeal to urgency, fear, doubt and outrage. Social engineers and those who write phishing campaigns have long adopted the news of the moment to feed their campaigns, and their use of sophisticated engagement techniques is rising.
Educating your users to break the habit, to pause and think before responding, will be more and more critical in 2021. The fact that these attacks and frauds can hit users over email, web, mobile, social and phone vectors increases the demand for intensive training to protect your users and your corporate assets.
The rise of deep fakes, generative adversarial networks (GANs) and machine learning for attackers, automation for defenders
Video and audio deep fakes are becoming increasingly convincing, with numerous examples of faked video and audio content shared widely on social networks in 2020. GAN technologies allow studios and criminals alike to create entirely fake personas that are difficult to distinguish from real humans, making historic techniques like reverse image searches less reliable for validating the identity of everything from random LinkedIn connections to catfishers.
Attackers are only now starting to combine these techniques with other social engineering mechanisms, which will challenge traditional authentication mechanisms like voice calls and audio recognition. Combined with misinformation, they can be used to spread panic, impact stock prices and move markets.
Defenders also need to apply automation techniques to help themselves scale – whether that is analytics and machine learning to help detect attacks on their defences, or leveraging endpoint security that automatically responds and quarantines devices when they are found to be compromised. At Kobalt.io, we are always looking at ways to simplify and use repeatable building blocks to allow security to scale to the needs of large numbers of small businesses with limited resources.
These four trends are having an increasing impact on those in charge of security programs at companies of all sizes. Let us know what trends you’re seeing that we haven’t covered – engage us on Twitter and LinkedIn.
Kobalt.io assesses, develops and runs cyber security programs for small and mid-sized businesses. We provide security operations and advisory services to your business – to empower your ability to embrace cloud infrastructure, protect data stored in critical SaaS applications and your corporate environments, and ensure confidence in your security visibility.