Cybersecurity Predictions for 2021 – The Expert’s Round-Up

We spoke to the cybersecurity experts in the UK to get their predictions for 2021.

In 2020, the pandemic resulted in many breaches with cyberattacks on many healthcare facilities in particular. As people continue to work from home, there is a continuing threat, with cyberattacks accelerating. We spoke to 16 different experts to hear their views and understand what they believe will happen in 2021 and what people can do to prevent cyberattacks.

 

Our Panel of Experts:

  • Mark Nutburn – Group IT Director at AMTIVO Group
  • Jason Maude – Head of Technology Advocacy at Starling Bank
  • Michael Van Gestel – Global Head of Fraud at Onfido
  • John Fitzpatrick – CTO of JUMPSEC
  • Russell Haworth – CEO of Nominet
  • Richard Walters – CTO of Censornet
  • Dmitry Kurbatov – CTO of Positive Technologies
  • Max Heinemeyer – Director of Threat Hunting of Darktrace
  • Philip Bridge – President of Ontrack
  • Tony Pepper – CEO of Egress
  • Bob Thomas – Principal Investor at Oxx
  • Jamal Ahmed – Founder of Kazient Privacy Experts
  • Kevin Timms – Chairman and CEO of eacs
  • Hatem Naguib – COO of Barracuda Networks
  • Sam Crowther – Founder of Kasada
  • Idan Ninyo – Co-Founder and CEO of Bionic

 

For any questions, comments or features, please contact us directly.

 

techround

 

Mark Nutburn – Group IT Director at AMTIVO Group

 


“2020 saw many big brands hit with ransomware attacks, including the likes of Honda, Canon, and even Manchester United FC. We expect the rate of such attacks will only increase. This increase will be fuelled by a combination of an emerging ransomware-as-a-service – a model which allows mainstream criminals to rent malware – and by the increasing profitability of ransomware attacks.

Sadly, ransomware attacks are undeniably lucrative for attackers. Where global damages from ransomware attacks in 2015 totalled £262m, some predictions calculate that this figure could reach a staggering £15 billion as companies cave to attackers’ demands for cash in return for unlocking and/or not releasing their data.

The continued reliance on home working means increased vulnerability to such attacks, as well as questions of liability; if a worker’s home setup enables a ransomware attack, is it the worker’s fault for not securing their connection, or the employer’s for not giving the worker the tools they need?

While we don’t expect questions of liability to result in individual workers facing lawsuits, organisations need to think not only about the risks inherent in home working, but also of the effect on their reputation. It will be a double blow for news to surface that the organisation hasn’t just been the victim of a ransomware attack, but also that it fails to furnish its employees with the tools necessary to protect its data.

2021, then, needs to be the year that organisations get serious about cyber security. This doesn’t mean that every worker’s home needs to be a digital Fort Knox, but organisations need to provide their employees with the resources to maintain their own security. This includes data protection policies and guides to checking their home security, as well as clear policies to follow should they suspect their security has been compromised.

We have produced a whitepaper that explores the biggest risks facing businesses and, not surprisingly, the key risk factor is not hackers, but in fact staff. We recommend that business leaders do not overlook these internal factors when looking to protect their businesses.”

 

Jason Maude – Head of Technology Advocacy at Starling Bank

 


“In 2021 many of the cyber-security changes we see will be driven by trends that have been developing for a while that have been accelerated by COVID. Fully online logins will become a standard for banks and other financial services. Multi-factor authentication will become standard for most customer logins and substantial interactions.

The next big consumer security problem to solve is establishing mutual authentication between businesses and their customers no matter who initiates the contact. A business phoning up a customer and then asking the customer to authenticate themselves by giving their name, date of birth, postcode etc is a big vector for fraud and identity theft as it is easily replicable by criminals. Businesses need to come up with a method of identifying themselves to the customer if they initiate the contact in order to close down this vector.”

 

Michael Van Gestel – Global Head of Fraud at Onfido

 

 

Deepfake Sophistication Continues to Rise

“Amateur hobbyists continue to use deepfakes as a form of entertainment, for instance on social media, but sophisticated efforts are less prevalent in real-world applications due to the complexity, high-cost, and time-consuming efforts. However, open source in code by the few elite professionals may open it up to others.

As increasingly sophisticated fraud attacks rise, it’s something businesses should be aware of going forward. It is pushing businesses and regulators from passive methods (a still photo for biometric analysis) to more active methods (a video or dynamic video with multi-frames). For example, we’ve seen this in the age verification requirements that form a large part of the new German gaming regulations coming into force in July 2021.

Active methods are more sophisticated solutions in identity verification as a way to combat more sophisticated attacks. Businesses need to be aware that improvements in anti-fraud technologies will be accompanied by increasingly sophisticated and intelligent criminal attacks, so they should start putting in defenses now to stay on the offensive against outside hackers.”

 


John Fitzpatrick – CTO of JUMPSEC

 


Ransomware & Insider Threats

Ransomware will continue to be a significant threat throughout 2021. We will see increased targeting of larger organisations, as well as more creativity when it comes to initial access, potentially with insiders or Azure Active Directory being used to bypass the perimeter and get the ransomware in. The current ransomware model of publishing part of the sensitive data stolen to pressure the affected organisation to pay the ransom means we should expect the quantity of reported data breaches to continue in an upwards trajectory too.

 

Alternate Phishing Approaches

We will see a surge in non-email based phishing (e.g. SMS and other mobile messaging services). Email phishing will definitely remain; however, the lifetime for a phishing website is now relatively short. This is not the case for non-email based phishing, where limited detection capability hinders a response.

 

Greater Scrutiny Over Security Spend

The biggest, but probably least visible, change that we will see this year is much greater scrutiny over security spend. A lot has been spent on “silver bullet” tooling that has not really delivered in line with its price tag. Consequently, we will see organisations starting to approach things a little differently, a confidence to focus on getting their security posture right rather than being swept along with what everyone else is doing in order to be seen to be doing security.

Predictions aside, what we would really love to see more of this year is organisations talking publicly about security incidents and challenges in detail. Removing the pretence that they do not happen, pooling knowledge, lessons learned, and effective countermeasures will do more to boost security than all of the products about to hit the cyber security market this year.

 

Russell Haworth – CEO of Nominet

 


“This year saw governments across the world take on greater powers and responsibility for the cyber security of their citizens, which is a trend that I predict will become more prominent next year as the lines between cyber security and national defence become increasingly blurred. The recent establishment of a national cyber force and increased funding towards the UK’s cyber defence is the beginning of a new era. Besides the arenas of land, sea and air, cyber has been officially recognised as a new battleground. Warfare in cyberspace is of a fundamentally different nature and will require new tools and collaborations to combat aggressive nation-backed activity.

“Decisive action is being taken by governments around the world to tackle cyber crime and much of this is already in collaboration with the security industry. This is a positive step, which may decrease the volume of nation-backed activity perpetrated by known APT groups. It would be too much to hope that attacks will cease but we might expect less disruptive techniques and more ‘stealth’ cyber attacks, utilising espionage techniques and bringing in a number of different tactics to execute an attack. It is in this area we must next look to evolve cyber defence and for that we will need a multi-faceted, coordinated approach across government, industry and society.”

 

Richard Walters – CTO of Censornet

 


“Cyber criminals will continue to try and take advantage of the isolated remote worker, as the world gets used to ‘not another day at the office’. The attack techniques we have seen increase over the past year – phishing, email scams, social engineering – will persevere while regular communication channels remain disrupted. Without the ability for an employee to easily double check that an email is actually from the finance department or their boss, there is a risk they will just click the link or enter their details because it is the path of least resistance.

“However, organisations will respond by strengthening their defences. Remote Access solutions adopted in haste at the start of the pandemic will be risk assessed and improved to become Secure Remote Access solutions. Zero Trust – the idea that you should assume by default that those accessing your network cannot be trusted – has been long discussed in the security community but will now become the norm. The traditional model of ‘connect then authenticate’ will shift to ‘authenticate then connect’.

“Context – where an employee is, what device they are using, on what day and at what time – will also play an increasingly important role in authentication alongside traditional identity checks. In fact, with the move to the cloud, a combination of identity and context will effectively become the new perimeter, as the traditional enterprise firewall becomes less and less relevant. Because of the more fluid nature of the perimeter, user and entity behaviour analytics will also increase in importance as identifying patterns outside of normal will be vital for enterprises trying to spot potentially harmful activity.”

 


Dmitry Kurbatov – CTO of Positive Technologies

 


“Security vulnerabilities in older generations of mobile networks will continue to affect current users. In 2021, the vast majority of people will use LTE networks, which means that all the security holes of these networks will remain relevant. 5G networks interwork with other mobile networks. Therefore, hackers can perform cross-protocol attacks by exploiting vulnerabilities in multiple protocols as part of a single attack. For example, an attack on a 5G network can begin with exploitation of vulnerabilities in 3G to obtain subscriber identifiers. That is why protecting previous generations of networks is essential for 5G security.

“Security issues present in GTP, the communications protocol used to transmit user data and control traffic on 2G, 3G, and 4G networks, will not go away completely even after the transition to 5G Standalone: GTP is planned for use on Standalone networks, too (including roaming), even if only to transmit user data over the GTP-U protocol. Attacks on GTP-U allow encapsulating management protocol packets in the user session or obtaining data about the subscriber’s connection (TEID). This is why, when 5G SA networks arrive, additional research will be required to see if the new management protocols remain vulnerable.”

 

Max Heinemeyer – Director of Threat Hunting of Darktrace

 


Cyber attacks take off in space  

“The threat of cyber-attacks to satellites and other space-based assets has been bubbling up over the past decade with more countries and private actors investing in their ability to defend, and target, this technology.   

“In September of last year, the White House released a new space policy directive detailing principles to help defend American space systems from cyber-threats, but it won’t stop hackers from trying to exploit vulnerabilities in increasingly digitised critical infrastructure in space. These cyber vulnerabilities pose serious risks not just for space-based assets themselves but also for ground-based critical infrastructure. If not contained, these threats could interfere with global economic development and, by extension, international security.  

“A growing number of space organisations have adopted AI to autonomously defend their space infrastructure, and we will see this trend grow in 2021 as cyber-attacks in space take off.”  

Hackers target trust  

“Secondly, 2020 was the year in which information and disinformation were pitted against each other, fuelled by deepfakes that both entertained and also distorted political discourse. Nation-state attackers were blamed for attacks targeting COVID-19 vaccine research. 

“This year will see more so-called ‘trust attacks’ where sophisticated hackers use illegitimate access to computer networks not to steal data, but to subtly alter information and undermine its integrity. These attacks seek to erode trust in the data, and thereby in the institutions and organisations that are guardians of that data. We can expect attackers to launch trust attacks against businesses as well as national governments, as attackers seek to smear businesses’ reputations or disrupt economic activity.”

 

Philip Bridge – President of Ontrack

 


“Cyber insurance will become increasingly commonplace for businesses in 2021. I would expect to see the entire value chain, led by insurance panels and breach coaches, to add additional aspects into their incident response next year, most notably data recovery. The experts in the field are beginning to learn that if the right initial action is taken after a ransomware incident, data recovery is possible. Those companies who have the expertise and tools to understand every level of the enterprise data stack to be able to reconstruct data after a ransomware cyber-attack will, therefore, be the real winners of 2021.”

 


Tony Pepper – CEO of Egress

 


2021: A rise in insider incidents and the year we secure the human layer 

“As technology changed the ways we work, organisations first looked to secure their network layer and then their application layer. 2021 will be the year we secure the human layer.

“Remote working has amplified insider risk in 2020. Most organisations rapidly went from centralised office locations that were people’s primary place of work, to their employees being scattered across counties and even countries, and operating from dining tables, spare bedrooms and, for the lucky few, home offices. Overnight, this magnified the risk that each individual poses to sensitive personal and privileged information. At the end of the day, most people are simply trying to do their jobs well and effectively – but we all make mistakes, like sending an email to the wrong person or forgetting to redact non-pertinent data from a file. When the pandemic passes, we won’t return to the old ways of working from single office locations – and securing individuals will remain a top priority for organisations in 2021 and beyond as they support flexible hybrid working between offices and homes for the foreseeable future.”

Machine learning to mitigate insider risk

“If 2020 has taught us anything, it’s the importance of securing the individuals within our organisation’s human layer. Our centralised workplaces closed overnight, amplifying the role of individuals within our security strategies and the risks they each bring. Advanced machine learning technologies that examine the context within which individuals make decisions and alert them to risky behaviour have been utilised by early adopters to tackle insider threats – but in 2021, we’re going to see this technology move to the mainstream. With growing data privacy awareness has come greater scrutiny from clients and consumers, who demand their sensitive information be kept safe. Legacy technologies that are built on static rules simply can’t stand up to this pressure, and we’re instead going to see even greater adoption of intelligent security technologies that use contextual machine learning to keep data safe.”

The future of work and cybersecurity

“The “new normal” of remote working in 2020 rapidly became just “normal” as the pandemic continued throughout the year. We might not have loved it all the time, but we’ve certainly had to accept a work life that relies on Zoom meetings, Teams chats and sending more emails! With a vaccine on the near horizon, it’s likely we’ll soon be resurrecting the phrase “new normal” as we talk about implementing flexible working across homes and offices worldwide.

“This change is likely to cause disruption and we’ll no doubt see a surge in phishing attacks related to the COVID vaccine imminently and continuing in 2021. Another prime topic will be communications about returning to the office, for example desk-booking or needing to re-authorise access keys. As well as inbound security incidents, we’re also going to continue to see the rise in outbound email data breaches that’s been a hallmark of remote working. Recent research shows that over half of organisations have seen a 50% increase in outbound email traffic since March 2020 – and with that, a rise in human-activated security incidents, such as adding the wrong email address (often a result of Outlook autocomplete), attaching the wrong documents, or forgetting to use the Bcc field. Flexible working will see our reliance on email continue in 2021 and, with it, the chance for data to be put at risk.”

The conscious coupling of digital transformation and security 

“The COVID-19 pandemic changed the way every organisation operates, most obviously through increased reliance on email and other digital mechanisms for communication to support remote working and distanced service delivery. Previously, many organisations have had conversations about digital transformation in silo to security; they’ve frequently been seen as completely separate. The accelerated digital transformation in 2020, however, will inevitably cause data breaches in 2021, as systems that were hastily implemented to survive a short-term pandemic now have to sustain our ongoing ‘new normal’ of flexible working and service provision.

“In 2021, we’ll see a more overt and conscious coupling between digital transformation and security, as organisations shore up new systems or replace them altogether to meet the data privacy assurances demanded by clients and global regulations. This is a union that is set to last, with more and more sensitive data being digitised now and in the future.”

A bridging of email security gaps in Microsoft 365 

“Microsoft has been one of the winners in 2020. There’s no doubt about it. The pandemic significantly accelerated adoption of Microsoft 365, with organisations making heavy use of applications like Teams to facilitate remote working. This rapid migration has inevitably opened doors within the hosted environment, with more organisations moving to Outlook for Microsoft 365 as a result. As part of this move, we’ll see an increasing number of organizations augmenting Microsoft 365 email security with intelligent third-party solutions, specifically using machine learning to mitigate human-activated, and often outbound, email security threats – such as data loss through email and responses to sophisticated spear phishing attacks.”

 

Bob Thomas – Principal Investor at Oxx 

 


“2020 was a fascinating year in enterprise cybersecurity, with the sudden paradigm shift towards remote work across many businesses significantly enlarging the attack surface the typical enterprise needed to secure. As a result, we’ve seen cyber threats to enterprise grow by over 20%, particularly in the context of “big game hunting”, alongside worrying trends in ransomware, for example. I expect 2021 to see a continuation of that trend, as enterprises move away from the fire fighting associated with the move and towards vendor selection to address the longer-term need of their organisation – and that need is clear: in addition to 2020 enlarging the attack surface, we also saw a growing sophistication in the malware supply chain. I expect bug bounty programs will need to grow in sophistication to realistically keep pace.

Following the disruption of 2020, there’s also a huge opportunity in 2021 for cybersecurity education. The quality of digital education has been brought centre-stage. As a consumer, I’ve been so impressed with the more gamified cybersecurity training systems (e.g. Hackthebox, TryHackMe), which have opened up the fun of a CTF and delivered to much wider audiences, including people who might be new to the space with tiered labs. This puts cybersec education in the hands of users at a much earlier stage, well before they might be looking at credentials, etc. In addition to being great fun, these platforms are exposing a new career path to people at a globally important moment.”

 

Jamal Ahmed – Founder of Kazient Privacy Experts

 


“1. There will be a significant increase in the number of Cyber Security Data Breach Incidents caused by Inside Staff and Personnel

The continuation of remote working due to the Covid-19 pandemic, fear of job loss, and the ease with which data can be moved and people’s morale in general will cause a lot more data breaches. Organisations should keep in mind that trust is not a control and do everything possible to cultivate awareness and foster a privacy-by-default mindset. Insider incidents, whether accidental or malicious, will be a major factor in 2021.

2. We will see an increase in State-sponsored Cyber security attacks in 2021

We will see a rise in cyber espionage and there will be more state-sponsored attacks similar to the SolarWinds incident that is currently being reported.”

 


Kevin Timms – Chairman and CEO of eacs

 


“With the new national lockdown meaning staff will likely be forced to work remotely for the foreseeable future, cybersecurity will obviously continue to be a huge concern for business leaders this year. However, the key danger for businesses this year will be relating to staff, who have been working remotely since the start of the pandemic, letting down their guard when it comes to following security protocols. This could result in breaches and rates of data loss surpassing what we saw last year.

From my perspective, however, security should have already been firmly on the agenda irrespective of the nationwide shift to remote working. In particular, since the introduction of GDPR, compliance and governance have been at the top of any business’s risk register, as the consequences of not complying or falling foul of the legislation could have a devastating impact. Business leaders will, therefore, continue to look at how they can close the threat next year by introducing additional and more robust security awareness training – something that many businesses have perhaps not taken as seriously as they should have done previously.

From a technological standpoint, we expect the development and growth of Breach & Attack Simulation technology to take off, as it is a perfect example of where technology can help businesses close off risks and stay ahead of the challenges that cyber criminals are constantly posing. In addition, with more remote workers the importance of ensuring that routine patching and updates are applied cannot be underestimated. Regular patching will ensure that your estate has the latest security updates applied, while the situation we all find ourselves in at the moment means it is even more important now than it potentially has ever been.

Finally, over the coming months, as many businesses are potentially going to be facing cash flow issues, the decision to invest in new hardware and/or operating systems will leave many business leaders having sleepless nights. With a plethora of software and hardware items due to become End of Life during 2021 and therefore not receive any future security updates or have any associated manufacturer’s support available, there will be a requirement for some executives to take some tough decisions in order to balance the books. With Cyber Attacks continuing to rise, and the cybercriminals becoming more confident and overt in what they are doing, not making that decision or taking it at the right time could leave many businesses in the invidious position of having been targeted and having to deal with the associated fall-out as well as the cost to their reputation that would ultimately come as a result.”

 

Hatem Naguib – COO of Barracuda Networks

 


“AI is a key tool in the arsenal against cyber attackers. The ability to leverage algorithms against massive data sources to determine aberrant patterns is one of the most important ways we determine the new type of phishing and spear phishing attacks that are based on social engineering. This is especially useful in attacks on two key email vectors, email and applications. For email, originally, AI and ML (machine learning) can be used to stop attacks that mask as inquiries and updates asking you to click or share credential information. More recently we have used AI/ML to learn patterns of email communications to determine when an email account has been hijacked and is used to send attacks to other victims. Applications with internet-facing interfaces are constantly responding to bots to get up-to-date information on the application.

Many attackers use bots as attackers to search for unauthorized access to applications. There are millions of these bots running at all times on the internet and AI is used to determine which are malicious and which are benign.

In the coming year we will see more use of AI as many people have shifted to remote office and online services to key areas where attackers are looking for vulnerabilities.”

 


Sam Crowther – Founder of Kasada

 


DDoS for ransom will evolve from the network-layer to the application layer: “If the past few years have shown us anything, it’s that cybercriminals love DDoS for ransom. It would make sense that these attacks will evolve next year from the network-layer to the application-layer at a quicker pace.

With the overwhelming increase in importance of online services, spurred on by the pandemic and massive pivot to remote work and e-commerce, it would only make sense that attackers will adapt their ransom strategies and start hitting the most valuable parts of a business – their online availability.

To be successful, however, they’ll have to move from traditional DDoS strategies based on flooding the connection (which is no longer as easily accomplished given the rise of virtual data centers to detect and stop this) and attempt to flood the actual servers running the systems themselves. This is harder to detect and defend against, as attackers, for example, utilize computationally expensive and human actions such as login attempts or search queries that will slow service delivery to a crawl.”

Automated testing frameworks will be used for attacks: “Testing frameworks, such as Playwright and Puppeteer, have advanced a great deal over the past few years, enabling businesses to ensure their sites are working properly in an automated fashion.

That said, when a testing framework is in the wrong hands, it can be used to mimic a real browser interaction and make it easier for attackers to successfully take over customer accounts, scrape data and perform application DDoS attacks. These frameworks require new methods to detect and stop cybercriminals from successfully conducting malicious automation at scale.”

 

Idan Ninyo – Co-Founder and CEO of Bionic

 


“The SolarWinds supply chain attack exposed the lack of visibility enterprises have into their applications and software. The attack pushes enterprises to validate and evaluate the architecture of the software they have in production, both third-party and custom software products. You can not protect what you can not see, and modern software architecture combined with modern agile development processes are making it increasingly difficult to do just that – see and understand the application architecture, their dependencies and data flows.

Without this visibility, enterprises are at risk. They do not know if they are exposing confidential data, they do not know if the proper security controls are in place and they do not know whether developers are following the security guidelines.”
