WHEN THE World Health Organisation declared COVID-19 a global pandemic, organisations had to adapt and change the way in which they operate – and fast. As those changes took place, cyber criminals followed suit because the modern criminal is constantly evolving in line with shifts in online behaviour and trends. With all of this in mind, Simon Eyre focuses his attention on the trends we can expect to witness across the cyber world in 2021.
The so-called ‘working-from-home economy’ will increase demand for sophisticated cyber security technology. Working from home has become a critical weapon in our fight against COVID-19. However, remote workers also provide an opportunity for skilled cyber criminals.
In 2021, we can expect those cyber criminals to fine-tune their attack strategies and adapt to the ‘working-from-home economy’, pursuing remote workers even more than they did in 2020. Unmanaged home machines will become targets and, once compromised, these easily breached machines will serve as the pivot point to home-bound corporate devices, enabling advanced persistent attacks.
As a direct result, we can expect to see a continued decline in the use of VPN technology as a trusted extension of the corporate network. Further, cyber security technologies will continue to move away from the edge and network applications into endpoint protection.
These changes are likely to cause a spike in demand for technology that was once reserved for trained cyber security staff, and cyber security solution providers will themselves respond to the change. Businesses will begin to converge and offer software solutions for the changing workplace, launching more sophisticated technology into the market.
Services such as web-filtering, intrusion detection and more sophisticated endpoint protection will grow in the consumer market. Amid the ongoing cyber security skills gap, there will also be an increased demand for corporate cyber security staff and experts.
Security and privacy by design
Security and privacy by design will be put at risk as criminals continue to target the healthcare and financial sectors. The rapid deployment of technology in the health sector to manage track-and-trace programmes, vaccine logistics, mobile applications and other activities will lead to examples of software not adhering to the ‘security and privacy by design’ philosophy.
This deviation will likely be the cause of large-scale privacy breaches, in turn placing patients and their data at risk. Coupled with ransomware, we may well see the first Government being held to ransom by criminals demanding payment for decryption or making data leak threats.
In addition to this, and given that the pandemic triggered a spike in the volumes of online banking, we can expect to see a rise in phishing, spoofing and impersonation attacks perpetrated against consumers and businesses alike.
Schrems II will continue to affect multinational technology firms. In July last year, the Court of Justice of the European Union invalidated the EU–US Privacy Shield and confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside of the EU/EEA, in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (commonly referred to as ‘Schrems II’).
The Schrems II decision means that the EU–US Privacy Shield framework is an inadequate mechanism to guarantee compliance with EU data protection requirements. This will undoubtedly have a knock-on effect when it comes to privacy rulings and requirements among countries.
In 2021, we’ll continue to see multinational technology firms being affected by these privacy rulings and an increased need for organisations to strengthen privacy protections and invest in more sophisticated cyber security measures.
Ransomware is King
Cyber criminals are motivated by money. As long as ransomware episodes remain economically beneficial to them, those episodes will continue to rise. Today’s criminals are creative, capable and opportunistic, so they will carry on expanding their repertoire of ransomware techniques.
In 2021, ransomware attacks will include not just a demand for organisations to pay a ransom, but also threats around data being exfiltrated and leaked. These ‘double-threat’ attacks will reduce the mitigation ratings that most risk assessments assign to disaster recovery and business continuity as protection against ransomware.
Given that organisations will be tempted to pay the cyber criminals, Governments must crack down on those who hand over any money to criminal entities that appear on sanctioned lists.
Simon Eyre is Managing Director/Head of Europe at Drawbridge