To say that 2020 was an unexpected and unprecedented year would be an understatement. The COVID-19 pandemic has created stark new challenges for the cyber security industry around issues like remote work, an overloaded and vulnerable health care system, and a totally annihilated security perimeter.
The challenges of the pandemic year are on course to continue and even grow in 2021. What do you need to know to navigate in the new year? How can you keep your organization and data safe while facilitating work that needs to get done? What technology should you be focusing on in 2021? Read on to find answers to these and many other questions that should be on every security professional’s mind.
As the new year kicks into high gear, we’ve invited five cyber security experts and thought leaders to share their predictions, trends and must-haves for the new year.
For many years, our clients and customers have asked me about personal health data. “Isn’t it true that health data is one of the prime targets of evil hackers? Isn’t it true that they’re after my medical history?”, they have asked. For years my answer has been: “No, it’s not.”
Around 99% of the cases we investigate at F-Secure Labs are criminals who are trying to make money. My thinking has been that if you’re trying to make money, your prime target is financial information like credit card data, not X-ray images.
But now I’m changing my mind.
The reason is the rise in attacks against hospitals, medical research units, and even patients that we’ve seen during the pandemic – in particular, the October attack against the Psychotherapy Center Vastaamo in Finland, in which sensitive information related to tens of thousands of patients was compromised.
The Vastaamo case is a prime example of an attacker who is motivated by money and attempting to monetize personal data by directly blackmailing patients instead of institutions. It takes a ruthless attacker to target health data in general, but we have only seen a handful of attackers around the world who are evil enough to target patients directly.
Going after individuals as opposed to institutions and companies is not a trend yet, but we are seeing indicators that it could become a trend in the near future. I’m worried about this. The Chief Research Officer at F-Secure is worried about this trend, so you probably should be too.
The bulk of attacks targeting the healthcare sector are still perpetrated against institutions, and most are ransom Trojans. This usually involves a disruption like shutting down operations and demanding: “Pay us money if you want to continue saving lives.” We have seen a number of ransom Trojan attacks during the pandemic, most importantly Ryuk. Ryuk attacks have hit dozens of hospitals and healthcare organizations during the pandemic, particularly across the US, where COVID-19 has pushed hospitals and health care organizations and staff to the brink of collapse.
If you’re purely looking for profit, targeting hospitals in the middle of a pandemic is a great idea because they have to continue operations no matter what. Clearly, there are people out there who are willing to capitalize on this opportunity.
When the pandemic hit in March of 2020, I posted a public message to ransomware gangs telling them “Stay away from hospitals during the pandemic.” I wasn’t expecting much of a response, but I did get a response. Five organized crime gangs went on the record saying “Ok, fair enough. We won’t go after hospitals during the pandemic.” This was a nice surprise, but you can’t really trust a response given by professional criminals. And indeed, we have seen attacks against hospitals, medical institutions and patients.
Health data has always been an easy target for threat agents because it’s typically not well protected. Most medical systems are publicly funded, which means the world’s health data is often stored in old legacy systems running outdated operating systems. Attackers have always had easy access to these systems. Now that they are beginning to use it, the need to protect some of our most private and sensitive data is more urgent than ever.
So what will it take to keep the world’s health data safe in the future? Money, for starters. But it’s complicated.
In 2017, WannaCry ransomware hit the UK’s National Health Service (NHS) particularly hard. The root cause was obvious – decades of budget cuts. Most of the systems in use by the NHS were running Windows XP in 2017, which is inexcusable. As a result of WannaCry, the NHS was forced to cancel some 19,500 appointments and 600 surgeries. Hospitals, staff and, most importantly, patients suffered.
The WannaCry attack caused such massive problems that the NHS was granted a sizable budget increase to fix the biggest problems that had allowed the attack to happen. The fact that it took a huge failure for politicians to deliver the budget the NHS needed highlights one of the biggest conundrums in cyber security: Freeing up needed budgets in response to a disaster instead of as a means of preventing disasters from happening in the first place. When we do our job right as cyber security experts, our successes are invisible. When we fail, our failures are highly visible.
“It’s a hard game to play when you need to fail in order to get recognized.”
Another problem is that health data isn’t like corporate data, which is stored for a relatively short period and can then either be destroyed or made public. Health data needs to remain accessible, secure and private forever. And with limited budgets and legacy systems, this is a massive challenge that we are only now beginning to grasp.
The bottom line is that our health data is now a target for blackmail and other types of attacks. Solving this massive challenge will require a shift in attitude on many levels. And it is definitely not a problem that anyone can tackle alone. It will require both a deeper understanding of this emerging and growing threat and the willingness to address it on all possible levels.
The knowledge, insight and actions of cybersecurity professionals are a big part of the solution, but the only way to solve the problems we face is together.
“If you think about corporate emails, they become historical records in around 20 years. Health data needs to be accessible and safe forever.”
The environments, networks and technology that we use are becoming too complex for humans to manage. There are too many events, systems and things to consider, all of which lead to one of the biggest threats in cyber security: human error. As the threat landscape changes at breakneck speed, companies are having a hard time keeping up. By the time a security team takes one step forward, the threat landscape is already two steps ahead.
Creating effective cyber strategies and choosing the right technology is a big part of any CISO’s job, but so is something else: trust. While zero trust is an effective way to protect an organization against cyber threats, building trust is key to creating a company culture where cyber security is a second nature – from every end-user all the way to the C-suite.
My personal mantra is to constantly build trust – among our employees and management, as well as with our partners and peers. That trust is built on collaboration, transparency and clear communications.
As cyber security professionals, we need to be clear and understandable in how we communicate our message, especially when talking to people outside our domain. For me, that means making sure that my story to our top-level management is clear and understandable. Management should ask their organization’s CISO: “Tell me where we are now in cyber security, where do we need to be, and what are the biggest risks preventing us from getting there?” And if they don’t understand the message, the CISO or security leader has failed, it’s simple. It’s their job to make sure that the CEO and board understand the message. Clear communication builds trust and trust is a big part of effective cyber security.
As a CISO, you need to know your top management, have their trust, understand how they think and what their priorities are. And you need to be able to read the signals when they get distracted. If they start looking at their phones while you’re talking to them, it’s time to change your strategy. It’s better to talk about euros and risks than technologies and acronyms.
The cyber security competence gap is one of the biggest challenges in our industry. It’s not surprising then that it’s also one of the most pressing challenges for any CISO in 2021. The ability to retain an adequate amount of skilled cyber security experts is important on an operation level, of course. But it goes deeper than that. Having the right people on your team also builds trust and increases employee commitment to security.
Creating a company culture that lives and breathes cyber security is key to getting things done. And as the saying goes: “Culture eats strategy for breakfast.” You can build a million beautiful cyber security strategies, but if your organizational culture doesn’t live them, you won’t get very far.
As data leaks, breaches, and the security holes opened by remote work continue to wreak havoc for organizations and employees, zero trust is one of the most effective tools in any CISO’s arsenal.
The post-COVID era will increase the transition to models like zero trust and passwordless use, where every user and endpoint requires authentication. Securing the endpoints is crucial, of course, but identity protection is becoming increasingly relevant. Your organization’s data is somewhere, it’s accessed by all kinds of devices and people, and your job is to keep it all secure.
New ways of working will require new security measures. But I believe passwords will continue to be the biggest problem for companies, and they will respond by investing more heavily in identity and access management solutions that grant users access to the network from anywhere while still maintaining tight, centralized security.
There are no more internal and external networks. Because of that, it’s obvious that data leaks through various cloud services will increase and attacks through third-parties will increase, as threat actors use third parties as a way into organizations. Zero trust basically establishes the framework for minimizing the risk from third parties by examining security gaps that occur during these interactions. It unifies and consolidates security policies in-house, minimizing the vulnerabilities created by insufficient security practices of outside vendors.
"As a CISO, you need to know your top management, have their trust, understand how they think and what their priorities are."
"Don’t try to build perfect security. Build adequate security with systems that are resilient against attacks and help your team detect and respond to them rapidly."
A lot has changed since Covid-19 emerged in March of 2020. It’s easy to see the massive damage this tiny virus has done across the globe, bringing businesses, healthcare infrastructures, governments and people all over the world to their knees. For those of us working in cyber security, one of the pandemic’s most damaging effects is that it has completely annihilated the traditional security perimeter.
How well organizations manage to respond will depend on two things: technology and people.
The sudden and radical shift to remote work means that everyone is working from somewhere. And organizations need to be able to trust this “somewhere” no matter where it may be. It has become obvious during the pandemic that technology needs to bridge the security gaps caused by the shift to remote work, an increasingly sophisticated threat landscape, and the shortage in competent security professionals.
The challenge for organizations is how to keep employees protected and data secure in a way that allows them to remain productive. That means security needs to run in the background and become a natural and intuitive part of employee workflows.
Now more than ever, it’s crucial to focus on the entire security chain, starting with the endpoint. And to do that, you need security vendors and partners that can build and deliver solutions that cover the entire value chain.
"Technology gives people the time, visibility and insight needed to focus on their work."
With CIOs and security teams forced to navigate an increasingly sophisticated threat landscape compounded by endpoints “going rogue” as a result of remote work, technology that delivers visibility is more important than ever.
One of the biggest shifts we’ve seen during the pandemic year is the need for both XDR (cross-layered detection and response) and RDR (rapid detection and response). Increasingly sophisticated threats mean massive amounts of alert signals that need to be picked up and analyzed. Technology that uses machine learning and AI to weed out the most critical tasks is key to preventing security teams from becoming overwhelmed. Technology like this enables you to go home at night and say to yourself: “There were 10,000 things happening today, but I was able to focus on the five real priorities.” That is a huge advantage.
If a CIO is going to invest in one thing in 2021, it should be XDR because it delivers visibility. And that visibility comes from your endpoints: employees. If you can’t see the stars, you don’t know where to steer the boat. If you can make the sky clear again, you will be able to navigate.
"Good security is an enabler that runs in the background and lets organizations focus on their core business. If you don’t have it, everything can crumble and fall apart."
The shift to remote work and the complexity of infrastructures slow companies down when it comes to their cyber security capabilities. And the risk of cyber security fatigue has never been higher. We have seen a significant increase in the number of security vendors, and managing a multi-vendor environment is one of the leading causes of fatigue. So are those thousands of daily security alerts we discussed above.
CISOs are beginning to understand the importance of focusing on a few top-tier vendors who can provide complete security chain visibility. It’s better to focus on a few comprehensive tools that you know very well than to be constantly looking for “the next big thing”.
Employee cyber fatigue is also a big problem, which is why it is crucial to build systems and solutions that integrate naturally into employee workflows, guiding them to do the right thing. If they don’t, the result is shadow IT, where employees use systems, devices, software and applications that your security team is not aware of or has not approved.
I predict that we will see a shift towards Class B cloud solutions in 2021 and beyond. You need to be able to cover varied needs of various users with security tools that keep organizations safe while enabling employees to focus on their work.
Highly skilled security experts are hard to find and expensive to hire. Even if an organization is lucky enough to have them, it’s important to focus on a few good suites and suppliers. For example, it makes much more sense for security experts to use their time to add real value to the architecture and let the technology focus on: “Is this a phishing email or not?”.
We are already seeing a shift towards companies buying security as a service, which I believe will continue in 2021 and beyond. For smaller organizations, the benefits of enhancing your own capabilities with services are clear. Buying security as a service from a trustworthy vendor with a strong infrastructure saves time, cuts costs, and significantly enhances security posture. In the best case, that vendor also offers support from top-tier specialists who can help you make rational decisions around forensics, tracking and response if and when your organization finds itself under attack.
The ability to offer customers the entire value chain as opposed to just selling technology is crucial, and I believe it will become even more crucial in the future. The era of only selling technology is over because people are no longer interested in only technology. What you are selling are trust and insurance. That is what truly differentiates a modern security vendor from all the rest.
"When your organization is under attack, it’s not the time to read the manual. You need a partner who can say: ‘This is what has happened and this is what we need to do now to fix it’."
I recommend focusing on tools that actually provide viable and actionable KPIs from a security perspective. Vendors who are open to the ecosystem and can build solutions that detect an incident and guide your response are a great example of the potential of technology to make a real difference.
The second thing CISOs should focus on in 2021 is awareness. The most common reason things go wrong is when the firewall between people’s ears fails and they click on the wrong thing. It’s crucial to teach users to become more aware of the threat landscape, how to use the tools available to them, and how to help their security department identify real threats and problems. And that’s where you really need proper endpoint protection that guides people naturally.
When COVID-19 hit in March of 2020, organizations and employees across the globe were quick to adjust to the stay-at-home pandemic world. So were cyber attackers.
During the pandemic year, we’ve seen an increase in phishing for online credentials targeting both organizations and individuals, a barrage of “urgent” COVID-themed emails, and a big jump in attacker traffic to remote desktop ports. With traditional security perimeters all but gone, security teams and end-users are scrambling to keep up.
CISOs face an incredibly difficult balancing act in 2021. Even if your organization isn’t the direct target of an attack, you will almost certainly be indirectly impacted if you use third-party software, Facebook or Google. The bottom line is to assess how much data you can afford to let go without causing too much risk to your organization or disrupting employees as they work.
Attackers have always taken advantage of current events to make their malicious emails urgent and relevant enough for users to open and click. That has definitely been the case during the pandemic and will likely continue in the new year.
The most common method attackers use to spread malware continues to be spam email, with its popularity as an infection vector jumping from 43% of attempted infections in 2019 to 51% in 2020. The spam trends we’ve seen throughout the pandemic will likely continue, including the use of “urgent” pandemic-related information as a lure, using documents as an infection vector, password protecting malicious attachments, and the use of cloud services to host malicious content.
In addition to a rise in spam, we’ve also seen a rise in phishing, particularly targeting financial institutions and information. But another big trend we have seen over the past three months is threat actors attempting to access an organization’s credentials without immediate financial gain, for example through phishing emails targeting Zoom, Office 365, Microsoft Teams, DocuSign and other collaborative software. This gives threat actors a very first step into an organization, allowing them to come in and fish around.
Email is an increasingly prevalent infection vector, and the trend is likely to continue: 51% of attempted infections in 2020, compared to 43% in 2019.
Ransomware is no longer at the forefront of the attack landscape. Because email is almost always the first way in for an attacker, ransomware is usually deployed as the second or third stage of an attack. We are seeing ransomware deployed to consumers and organizations through email, with attackers – mostly cartels – able to gain entry when someone clicks on the wrong link or opens up the malicious attachment. We have also seen email hijackings being done by malware using legitimate accounts pretending to be the actual account holder replying to an email requesting access.
The bottom line is that ransomware gangs have had no qualms about using a pandemic that’s killed millions of people worldwide to their advantage. We have even seen attacks targeting hospitals and healthcare facilities directly, as gangs saw that they were overwhelmed by patients and likely to quickly cave to anyone willing and able to disrupt their activities.
Remote desktop protocol ports are the most common point of entry for an attack, but lately, we have begun to see an increasing amount of attacks targeting software vulnerabilities. We expect this trend to continue, especially with the shift to remote work and the increased deployment of new online software with few if any security updates, leaving the software and users vulnerable to attacks. Zoom, for example, hasn’t had to release regular security updates until the pandemic hit.
It usually takes between 45 and 90 days for a ransomware or other attack to manifest within an organization, resulting in massive costs and damage. But we have also recently seen some malware cartels taking less than 24 hours to deploy. What that tells us is that the initial foothold is so strong that they’re able to get in and gain the highest possible level of access immediately.
One of the biggest security challenges of the new remote-work era is that the lines between the personal and professional use of devices, email and login credentials have become completely blurred, creating even more entry points for threat actors.
In addition to more attacks aimed at organizations, we’re also seeing an increase in attacks targeting consumers directly via mobile malware. With the shift to remote work, we anticipate a rise in threat actors entering organizations through mobile apps, third-party software, and various vendors. For example, we predict an uptick in attacks through online shopping apps, where company emails are used as login credentials.
It’s crucial for organizations to make employees aware of the serious security risks created by the convergence of technology and educate them on how to separate corporate and private use across all of their devices.
Does your CEO really need to have access to your R&D systems? Probably not. There has to be a verification process for every person at every access point.
With today’s “new normal” elevating the threat level, strengthening your security posture has become even more critical than before the pandemic. Now is the time for security teams to reassess the risks and reevaluate their defensive strategies. We recommend a zero-trust policy, which means trust no one and no systems.
Many organizations are great at protecting their firewall perimeters with all the right sensors and logins, but they drop the ball when it comes to account access. A good place to start is to review and audit access within your organization, limiting it to the absolute minimum. It’s also important to make sure that verification is in place for every person and every access point – all the way up to the CEO and the rest of the C-suite. The general rule is that it’s better to block everything than to allow everything in.
At the end of the day, it’s important to understand that it’s not a question of if you will be targeted in 2021, but when – either directly or via a third-party. The challenge CISOs face is how to maximize security while minimizing the impact defensive measures have on employee workflows. It’s a delicate line that CISOs will have to continue to walk in the new year.
Protecting your organization against the threats of today isn’t an easy task. But it can be done.
One crucial thing to understand and take care of is your attack surface, which consists of the computers and devices connected to your network. These devices might have vulnerabilities for attackers to exploit, for example, outdated software.
Just a few years ago, it could take an organization weeks to patch vulnerable systems. That was ok then, but it’s no longer ok now. The time between a vulnerability being detected and exploited is getting shorter all the time, with attackers using automated tools to expose and exploit vulnerabilities in as little as minutes. Some attackers even get push notifications to their mobile phones telling them there’s a new vulnerable system ready to be exploited. And sometimes exploitations happen automatically, without any human intervention at all.
I predict that the time from vulnerability to attack will get even shorter in the near future. What do you need to know to make sure it doesn’t happen to you?
Watch the video to find out!
Chief Research Officer
Mikko Hypponen is a worldwide authority on computer security and the Chief Research Officer of F-Secure. He has written on his research for the New York Times, Wired and Scientific American and lectured at the universities of Oxford, Stanford and Cambridge. He sits on the advisory boards of EUROPOL and the Monetary Authority of Singapore.
Chief Information Security Officer, Elisa
Teemu is a business-minded cyber security leader with wide hands-on knowledge of various aspects of today’s networked systems. He believes an organization’s level of security should always be based on proper risk management and enable business by opening up opportunities. Teemu was recently named CISO of the Year by Tietoturva, Finland’s largest network of cyber security professionals.
Lead Security Architect, Atea
Anders is a senior IT professional with a passion for solving challenging business and technical problems. As Lead Security Architect at Atea, he designs IT security solutions for a range of clients and projects. He believes people and technology have the power to solve most of the cyber challenges we face.
Senior Manager, Tactical Defense Unit, F-Secure
Calvin is a security vulnerability expert and tactical defense unit manager leading a team of technical analysts and researchers. Calvin and his team run the defense services that create the rules and detections that power F-Secure security products against new and emerging threats. He also researches the threat landscape and creates reports used by security experts across the globe.
Global Technical Director, F-Secure Consulting
Tomi is known as the “InfoSec Swiss Army Knife” because when it comes to defending computers, he’s done a little bit of everything. In his more than two decades in the industry, he has taken part in breakthrough research on Windows networking and electronic voting. As F-Secure’s Head of Technical Security Consulting, he specializes in protecting enterprises – often by breaking into them before anyone else can. The founder of the t2 infosec conference, Tomi has twice been named one of the Top 100 IT Influencers in Finland.