By Steve Durbin, CEO of the Information Security Forum, and Forbes Business Council Member
Building security awareness is vital to combat cybercriminals employing sophisticated social engineering techniques to victimize employees struggling with security policies.
Steve Durbin, CEO of the ISF
There was an inevitable uptick in cybercrime in 2020, as organizations scrambled to support a freshly remote workforce in the face of a developing pandemic. The exponential growth of data continued apace, but the way we created, shared and stored much of that data changed. The struggle to secure the newly emerging landscape required swift innovation and forward-thinking organizations seized the opportunity to reevaluate infrastructure and policy.
With the dust settling, it’s time to turn our eyes toward the year ahead. There’s a palpable need for business-savvy security strategies capable of linking security with business goals to achieve the right level of resilience. Success requires a much higher degree of engagement and involvement with the business across all corporate assets. To prepare effectively, we must have a clear picture of the major threats we face in 2021.
The pandemic provided cover for a wave of cynical ransomware attacks on healthcare organizations and government departments in 2020. Ransomware continues to evolve and develop, with criminals offering it as a service or as a bundled kit that anyone can buy on the darknet and deploy without any real technical skills. We can expect to see many more ransomware attacks in the months ahead.
A combination of increasingly sophisticated phishing techniques and growing exhaustion and mental stress among the population has enabled malware to worm its way onto more and more systems. Targeted attacks piggybacking on pandemic-related tests, alerts, medical news and government payouts, as well as partisan political debate, are enticing people to click when they shouldn’t, triggering malware downloads.
Organizations have always been at great risk from insiders. Whether malicious, negligent or accidental, insiders hold the keys to the kingdom and can do catastrophic damage to a company. Cyber fatigue, endless screen time and a pervasive climate of stress are contributing to a major upswing in accidental insider incidents. There’s no intent to do wrong, but perhaps because people have to work in an unfamiliar environment, cope with distractions, and combat stress and exhaustion, they are more prone to make costly mistakes that can lead to serious data leaks.
The trouble is that accidental insiders are hard to detect. How do you spot an individual like that ahead of time before the damage is done? We may need to take a more human-centric approach with security, measure the effectiveness of policies and work collaboratively with HR departments to nullify this threat. Any action here must be handled sensitively to ensure there’s no erosion of hard-earned trust between company and employee.
3. The Digital Generation
As the next generation comes of age and advances in a workplace that’s more distributed than ever before, we need to retool and reimagine our processes and policies. The digital generation has been encouraged to share information from an early age, communicate through social media and adopt technology readily.
Building security awareness is vital to combat cybercriminals employing sophisticated social engineering techniques to victimize employees struggling with security policies. To prevent these young workers from being exploited, we need training and awareness programs that address the way they do business and the channels they use to communicate.
4. Edge Computing
Edge computing is a really attractive architectural choice for organizations, but it’s also a key target for attackers. By supporting widespread remote working, adopting more cloud services and embracing new technologies like 5G to realize their full potential, we’re also expanding the opportunity for attackers and giving them a wider attack surface to probe and penetrate.
You need good insight into every device that is connected to your extended network, but that presents some major challenges. Rather than focusing on finding and eliminating blind spots, we need to get better at building security into the core infrastructure from the start. Preserving the integrity of data requires a carefully designed security architecture.
5. Digital Transformation
Many organizations are beginning to discuss and assess the events of 2020, and some will realize that the way they have had to work during the pandemic will become the way they choose to work going forward. That will necessitate fairly complex digital transformation, deploying a whole range of different systems, and perhaps rebuilding certain infrastructures that they’ve deployed. This transformation won’t just be internal; it will have to encompass supply chain partners and integrate data across multiple systems.
Building on a series of legacy systems in a climate where investment is in short supply could prove very risky. It will be vital that security professionals get in on the ground floor to ensure that information security is baked into every stage of digital transformation planning and resulting infrastructure rollout.
Cybercriminals will continue to attack and gain access to corporate systems whenever and wherever they can in 2021, so security must be front of mind. Redesigned security awareness and refreshed policies, combined with a supportive approach that embraces edge computing and digital transformation, can tame the major threats that lie ahead and help businesses to build real resilience.