The Future of Cybersecurity: 2021 Trends According to the Experts

• TechRound has collected 2021 trends for the future of cybersecurity from industry experts. 

• Protect your business from the growing risk of cyber-attacks.

• Experts give their idea of what the next major cyber threat will be.

 

Cyber-attacks have been on the rise, with millions of users personal details and sensitive data being exposed. This is in addition to the growing number of ransomware attacks. As the number continues to rise, it is important to understand why businesses should protect themselves from cyberattacks.

The cost of breach can be huge and this has been increasing since the start of the COVID-19 pandemic. This is because more people are working from home, online, where they are less protected from cyberattacks and as a result, cyber criminals are adapting their attack methods. Many businesses have changed to cloud-based SaaS as part of their business strategy in handling the move to working from home. On the other hand, this has resulted in the SaaS market and industry growing massively.

It is extremely important to understand the future of cybersecurity, in particular watching out for the trends to expect this coming year. This will show you how to make the best use of your resources and, more importantly, showing you how to stay safe at all times. We spoke to 22 experts to hear what their views on the future of cybersecurity is.

 

Our Panel of Experts:

• Sergio Loureiro – Cloud Security Director – Outpost24
• Martin Jartelius – CSO – Outpost24
• Kevin Mitnick – Chief Hacking Officer – KnowBe4
• Perry Carpenter – Chief evangelist and strategy officer – KnowBe4
• Tom Hegel – Sr. Security Researcher | Threat Intelligence | Adversary Hunting – AT&T Cybersecurity
• Bindu Sundaresan – Director, AT&T Cybersecurity – AT&T Cybersecurity
• Theresa Lanowitz – Head Evangelism and Communications – AT&T Cybersecurity
• Jason Schmitt – General Manager – Synopsys Software Integrity Group
• Thomas Richards – Principal Consultant – Synopsys
• Meera Rao – Sr. Director of Product Management (DevOps Solutions) – Synopsys
• Jonathan Knudsen – Senior Security Strategist – Synopsys
• Dennis Kengo Oka – Principal Automotive Security Strategist – Synopsys
• Asma Zubair – Senior Manager of IAST Product Management – Synopsys
• Roger Grimes – Data Driven Defense Evangelist – KnowBe4
• Jose Caldera – Chief Product Officer – Acuant
• Rich Armour – Nozomi Networks Advisor and Retired General Motors CISO
• Darrell Long – VP of product management – One Identity
• Andy Renshaw – VP, payment solutions and strategy – Feedzai
• Tim Helming – Security evangelist – DomainTools
• Jamie Akhtar – CEO and Co-Founder – CyberSmart
• Stuart Sharp – VP of Technical Services – OneLogin
• Niamh Muldoon – Global Data Protection Officer – OneLogin

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Sergio Loureiro – Cloud Security Director – Outpost24

 

 

“Cloud Misconfigurations continue – Covid-19 has accelerated a movement in cloud computing, which was already going fast before the pandemic. Now that enterprises have experienced the advantages in terms of flexibility, agility, pay per use – cloud adoption will increase pace. Of course, some hurdles remain such as security, compliance, sometimes cost controls and hard migrations of legacy applications, however, with uncertainty rising enterprises need to adapt in an agile way. There is no better solution than adoption of new technologies such as cloud native in 2021 to support this shift.

However with the push towards cloud computing and the availability of huge compute power, we predict that attacks that compromise cloud instances and containers like crypto mining will accelerate in 2021. In 2020, we’ve seen the beginning of clever attacks on Docker containers, Kubernetes and elastic search clusters in order to crypto-mine and with the current price of crypto currencies this brings instant ROI for hackers.

Also, the speed required to set up clouds quickly during the pandemic leaves buckets and databases more exposed as many are deployed too fast and with little security insight and threat of misconfiguration. We have matured to a state where it is too easy to quickly make a poor deployment, and auditing and security is still sub-par for cloud in many organisations.”

 

Martin Jartelius – CSO – Outpost24

 

 

“Endpoint Security Issues with Remote Working – Remote working means that a lot of edge and network protection is not present protecting individual employees. It also means that simple collegial support combating fraud is no longer as easy as turning to your co-workers and asking for a second opinion.

Depending on the VPN setups, for those not tunnelling all traffic the perimeter in many cases is now also including home equipment’s and involves members of the family. Of course, this is a very different risk exposure and as the demands on bandwidth for full tunnel setups increases, organizations may be pushed towards less secure options due to the demands and pace of business change. One of the current top priorities is Zero Trust implementation and Gartner SASE and organizations need to secure the endpoints and restrict the access (zero trust) to be resilient to a compromised endpoint, thus reducing business risk.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Kevin Mitnick – Chief Hacking Officer – KnowBe4

 

 

Remote working security — “We’ve already seen how coronavirus has forced organizations to move their workforce remotely,” said Javvad Malik, security awareness advocate, KnowBe4 (UK).

“Next year, we’ll see a larger investment in remote workers’ security. This will probably be a bigger task than most anticipate, with a bottom-up review of which security controls are working, and which are not. We’ll likely see better communication channels settled on, better training and security tools that are less obtrusive to productivity.” “Cleverly designed supply chain attacks will target employees working at home,” said Kevin Mitnick, chief hacking officer, KnowBe4. “For example, the ‘cable company’ sending the target a ‘new, faster router’ that has been covertly backdoored.”

 

Perry Carpenter – Chief evangelist and strategy officer – KnowBe4

 

 

“QR code phishing will become a normalized and very serious attack vector – said Perry Carpenter, chief evangelist and strategy officer, KnowBe4 (U.S.). “This is something that has been more of a theoretical threat ever since the creation of QR codes. But during 2020, we saw the rise of QR codes showing up more and more often. As the ubiquity of QR codes continues to increase and our smartphone cameras automatically detect and browse to the websites embedded in the QR code, we can see that this will become an attractive and lucrative threat vector.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Tom Hegel – Sr. Security Researcher | Threat Intelligence | Adversary Hunting – AT&T Cybersecurity

 

 

“When it comes to addressing the overall threat landscape, what security preparations do companies need to make in 2021? Even if your business plans to return to the office in 2021, companies should make long-term cybersecurity plans for supporting a remote workforce. As we saw in 2020, the shift to a remote workforce introduced new cyber risks and vulnerabilities. As part of security considerations for 2021, threat detection and response capabilities need to provide for defending against ransomware.

What do you expect will be the major concerns/challenges for security research teams in 2021? The number one concern for 2021 is the increase of ransomware and extortion-centric intrusions.

How would you summarize the advancements or setbacks of the security industry from this past year? As we look at setbacks, the increased availability of open-source offensive security tools has lowered the bar for many adversaries to enter the game. As far as advancements, the push towards remote workforce enables many security teams to hire people outside of their area, which benefits the security talent pool for years to come.

What will be the biggest security challenges and threats for the remote and distributed workforce in 2021? A remote workforce means workers will be on untrusted networks, potentially more easily engaging in ill-advised activities online and introducing new risks for the business. Organizations will continue to be challenged with implementing technology to help protect and detect malicious activity for remote workers.

How will digital transformation pressures accelerate in the aftermath of COVID’s onset in 2020? With this in mind, how should security leaders and researchers prepare for 2021? The remote workforce is here for good. Many people around the country are now more likely to find new jobs which are fully remote. To continue to attract talent, working remotely has to be an option. The biggest challenge in 2021 will be how companies provide the right remote-friendly technology and security to help protect the new workforce. For many security teams, supporting a full remote workforce could be a major shift in enterprise security for years.”

 

Bindu Sundaresan – Director, AT&T Cybersecurity – AT&T Cybersecurity

 

 

Weaponization of tools

“The security landscape is growing increasingly treacherous as hackers of every type continue to evolve their attack strategies to evade detection while maximizing profit from their time and effort. It doesn’t matter if it’s an organized criminal group looking to make money from ransomware schemes, covert state-sponsored groups attempting to steal data and disrupt operations, or just malevolent individuals trying to impress others in the hacker community—every bad actor is smarter than they were the previous year, and better equipped to wreak havoc.

It’s not just that bad actors have become smarter – cybercrime has become commercialized. This means that many of the components of an attack are sold on the dark web and criminals can now launch cyberattacks without needing knowledge around coding. Attacks can also be launched more quickly and relaunched very easily with just a slight change, allowing criminals to be more persistent than ever when trying to breach a network.

IT staff will need to be increasingly proactive in their approach to cybersecurity to keep up with constantly evolving threats. Even the most sophisticated defense strategies will become ineffective if they’re not regularly tested and kept current. While able to mimic human behavior with artificial intelligence, hackers are outpacing many organizations when it comes to the technology and hacking techniques used to attack them.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Theresa Lanowitz – Head Evangelism and Communications – AT&T Cybersecurity

 

 

Are organizations underestimating/overestimating the impact 5G will have on their networks in 2021?

“5G is the foundation for the next revolution of technology. We will see a new ecosystem of hardware and software to support this underlying technology, and more 5G compatible devices in the marketplace as new applications and use cases emerge.

The big prediction for cybersecurity is that everything old is new again. With the 5G ecosystem being built out, we should be prepared to see two big cybersecurity issues:

• Shared responsibility model for 5G and the security of attached network devices, applications, and data.
• Software applications as a target for adversaries through un-remediated vulnerabilities.

Standalone 5G will be more secure than any previous network generations. Yet, expanded attack surfaces mean opportunity for new threats as well as proliferation of unpatched existing threats. With 5G, a shared security model, similar to that of the public cloud, is likely to emerge. This should enable enterprises to shift certain functions to carriers and ultimately heighten enterprise security.

From the application perspective, there should be a focus on advanced software engineering practices. This means an increased emphasis on software quality should be a critical part of the pre-deployment development process. Without a critical focus on software quality, we can expect to see older software vulnerabilities such as cross-site scripting and SQL injection re-emerge as favorite targets for adversaries.”

 

Jason Schmitt – General Manager – Synopsys Software Integrity Group

 

 

“As profound of an impact as DevOps has had on application security programs and practices in the past few years, the acceleration of cloud adoption during this pandemic year is shifting the software security landscape even more dramatically. While DevOps represents a clear evolution in the way that software is built, delivered and operated, the architecture, composition and very definition of applications are changing rapidly and leading to a rethink of software security approaches. These dual pressures of delivery velocity and cloud transformation will have a big impact on the software security market in the next 1-2 years.

Software security evolved over the last 5-10 years from a scan-and-report audit mindset to more of an assurance practice designed to improve security without inhibiting speed and innovation. Software composition analysis became an essential part of security assurance programs as the use of open source rose, significantly increasing the risk from license misuse and security vulnerabilities of open source and third-party components. With the adoption of cloud infrastructure, microservices and API’s for everything, we’re seeing a similar and even bigger shift in the very definition of an application. They’re more often than not composed of a collection of third-party services, APIs, microservices and cloud-native components and services orchestrated via cloud providers or managed orchestration platforms like Kubernetes.

To get ahead of this cloud transformation, software security will evolve again into a risk-based vulnerability management service that seeks to automate and orchestrate security services as part of the software build and delivery pipeline. Security teams will arm developers with “point of capture” tools and coaching to eliminate vulnerabilities during development and provide policy guardrails for enabling speed. Throughout the pipeline, orchestrated security services will automatically reinforce the policy guardrails and enable risk-based vulnerability management for overburdened, under-resourced security teams that are challenged to get in front of cloud adoption. As a result, we’ll see increased demand for API security, cloud application security, application security orchestration services and consolidated risk-based vulnerability management approaches to software risk reduction.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Thomas Richards – Principal Consultant – Synopsys

 

 

“For the past several years, social engineering has been the primary attack vector used to breach organizations. While we have seen organizations implement increasingly rigorous social engineering testing programs to increase awareness and lower the chances of a successful attack, humans will continue to be a popular target for cyber-criminals. Ransomware attacks will most likely continue to cause havoc for companies as the attackers get more sophisticated in their approach.”

 

Meera Rao – Sr. Director of Product Management (DevOps Solutions) – Synopsys

 

 

Over the past year, we’ve seen organizations rapidly building applications using Low-code/No-code platforms—an emerging trend. Application security testing (AST) tools, particularly static application security testing (SAST) tools, work best when there is code to scan. The way in which SAST tools work may require alterations in the not-so-distant future to accommodate these platforms.

I also envision a change in how we build security into software. More and more AST tools will move towards providing the same experience as Low-code/No-code platforms. By providing a few inputs to the tool, they will be able to generate all the integrations required to run the tool either on-prem or in the cloud seamlessly, just like Low-code/No-code platforms.

My prediction for 2021 is Low-code/No-code platforms for application security and truly building that ‘Sec’ into DevOps with Low-code or No-Code.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Jonathan Knudsen – Senior Security Strategist – Synopsys

 

 

“2020 has been a year filled with unpredictability, making predictions for the year ahead seem foolhardy. However, in the world of software application security, several trends are clear.

Some things will certainly not change in 2021. Massive amounts of valuable data will continue to be placed online in public places with no protections. People will continue to choose easily guessed passwords that they use across multiple accounts and continue to click on sketchy links in emails. Organizations will continue to not keep up to date with software patches and versions. Organizations will continue to ignore more than a half-century of accumulated wisdom about defense in depth, least privilege, and all the other lessons about software development that organizations have learned the hard way.

In 2020 we saw attacks on unlikely-seeming targets, from Jack Daniels to tugboats. Looking ahead, attackers will continue to profit from the asymmetric advantage of software exploits, delivering punishing attacks on organizations of all types.

On a more hopeful note, 2021 should be the year where we officially bury the centralized, isolated model of software application security. This was the somewhat naïve approach many organizations first adopted, where a single group would have responsibility for the security of all applications the organization was building. Time has shown that this approach results in a slow, frustrating process. Security and development organizations end up at loggerheads, and the end result is applications that are hardly more secure and are slower to market.

In the new model, what we might call Application Security 2.0, security is inseparable from software development. It is baked into every phase, from design through implementation all the way to maintenance. Security teams can provide expertise and support, but security is automated and integrated with the software development process, a seamless addition that results in safer, more secure, better products.

As 2021 progresses, I predict more and more application teams will take full responsibility for their own security, with appropriate support from the security team. As responsibility and budgets shift, application teams will increasingly adopt a DevSecOps process, in which automation is fully leveraged to maximize velocity, and a culture of continuous improvement allows each team to tune and optimize their processes.”

 

Dennis Kengo Oka – Principal Automotive Security Strategist – Synopsys

 

 

“In 2020, a draft standard of the ISO/SAE 21434 Cybersecurity Engineering was released and WP.29 UN regulations on Cybersecurity and Software Updates were adopted. These standards and regulations put higher emphasis on cybersecurity for the automotive industry and will drastically affect auto manufacturers and suppliers especially in the next few years. Cybersecurity needs to be considered not only on a technical level but on an organizational level. This includes creating a cybersecurity culture and awareness, and enabling cybersecurity management and training.

Moreover, in the year ahead, automotive organizations need to employ a cybersecurity engineering process including a secure software development process. As more software is used in automotive systems it becomes even more important for automotive organizations to deploy automated solutions to help find and fix software vulnerabilities and weaknesses earlier in the software development.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Asma Zubair – Senior Manager of IAST Product Management – Synopsys

 

 

“The global pandemic has dramatically increased online interactions and digital transactions. It has also dramatically expanded the overall attack surfaces of organizations to cyberattack.

While the advanced warning for most organizations to prepare was little to none, in order to weather the storm, businesses must transform their processes, services, and technologies to meet customer expectations. They must be nimble without compromising the security and privacy of their organizational and customer data as well.

As a result, I expect that more and more organizations will embrace concepts such as DevSecOps in coming months. DevSecOps describes an organizational culture whereby software development, testing and deployment practices compress the release cycle and deliver software continuously.

Interactive application security testing (IAST) is an agent-based technology that detects vulnerabilities in web applications that I anticipate will grow in adoption in the year ahead as well. Because IAST monitors data flow, logic and values in memory to report application security vulnerabilities during functional testing, it yields very accurate results and doesn’t require application or source code scanning. Therefore, it doesn’t slow down the pipeline. Due to its accuracy and speed, IAST suits the DevSecOps process. This method of testing also offers full context around vulnerabilities, making it easy for developers to reproduce and remediate them.”

 

Roger Grimes – Data Driven Defense Evangelist – KnowBe4

 

 

Nuclear Ransomware

“Starting the end of 2019 and certainly strengthened during 2020 was ransomware exfiltrating a victim’s private data and asking for a ransom in exchange for that information not to be shared publicly. It happened to organizations of all sizes and they paid a lot more, more often. Average ransoms went from the tens of thousands of dollars to a quarter of a million dollars. And those larger amounts are being paid far more often. In the past, somewhere around 40% of ransomware victims paid the ransom.

Now, because of the threat of their stolen data being released publicly or to hackers, the percentage of victims paying has doubled. Individuals, themselves, are being personally targeted by data exfiltration as well. Ransomware criminals have shown no ethical problem with stealing people’s personal information, including medical histories, plastic surgery pictures, and mental health therapist notes, and asking for ransom not to release that potentially embarrassing information to the public. It wasn’t a bluff. When individuals didn’t pay, the hackers released their information for all to see. What is changing this year is the frequency of data exfiltration being used by ransomware as a primary threat.

In 2019, it was almost not even a measurable percentage of the ransomware. But by the end of 2020, data exfiltration was used in almost 50% of all ransomware attacks. In 2021, we can expect it to become 80% to 90% of ransomware attacks, with it becoming the odd occurrence if you only get your files locked up. A lot of people think they won’t pay the ransom if they get hit by ransomware, but that’s because they think they have a good, tested, secure offline backup. Ransomware’s new strategy does not care about the validity of your backup. Educate senior management about the changing tactics and prepare accordingly.”

 

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Jose Caldera – Chief Product Officer – Acuant

 

 

“2021 will continue to accelerate services shifting to online with less direct interaction. Safety measures will further rely on robust identity proofing and monitoring technologies that include document verification, biometric authentication and continuous risk monitoring of identities to address the increasing fraud in remote and mobile transactions.”

 

Rich Armour – Nozomi Networks Advisor and Retired General Motors CISO

 

 

• “Ransomware will undoubtedly continue to ravage enterprises and organizations that have failed to implement adequate security controls and developed a strong cybersecurity culture. These attacks are easy and inexpensive to execute and can yield significant rewards for the perpetrators. As ransomware countermeasures and defenses become more prevalent and more effective, organizations that fail to adopt these technologies will be doomed to become stragglers and victims of ransomware predators.
• IOT systems have already become ubiquitous in consumer and enterprise environments. Latent vulnerabilities, default credentials and other configuration deficiencies make these systems attractive targets. Expect the population of these systems across all networked environments to dramatically increase bringing extreme cybersecurity risks along. These systems provide beachheads for attackers targeting the larger enterprise in which they reside or as members of large-scale botnets that can be used against other targets across the Internet.
• Expect attackers to focus on the enterprise ecosystem, including the supply chain, to find the weakest and most vulnerable targets where a successful attack can damage the core enterprise. Attacks on the broader ecosystem can disrupt even the well-defended enterprise by disrupting the supply chain or leveraging supplier access to penetrate the core network.
• The continued convergence of mainstream information technology and Industrial Control Systems (ICS) will drive an associated increase in the widely understood vulnerabilities and associated attacks in these critical environments. Major attacks on power generation, power grids, oil & gas infrastructure, manufacturing will likely rise in frequency and magnitude with associated physical damage to critical infrastructure.
• For well-defended enterprises, expect insider threats to become an area of increased risk. Organizations that focus exclusively on external threats will leave themselves open to rogue employees or consultants with authorized or purloined access to sensitive systems and capabilities that can be used to inflict extensive damage on critical information systems and ICS environments.
• Attackers will certainly begin to leverage artificial intelligence technologies to assess attack surfaces and formulate & execute attack strategies. Effectively detecting and defending against such attacks will almost certainly require use of sophisticate AI-driven countermeasures that can respond in real time to these events.
• Expect the continued rise in threat levels from nation state threat actors such as Russia, China and North Korea. These risks will likely be realized through a combination of insider threat activities and external attack strategies as well as supply chain compromises. Objectives will likely include theft of intellectual property, destruction of critical infrastructure.
• The combination of rising threat levels in the enterprise, supply chain and industrial control space translate to increased risk of compromised or defective products. Expect cyber attackers to successfully inject defects into complex products in the software, hardware and industrial space through the development or manufacturing process or the underly supply chain.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Darrell Long – VP of product management – One Identity

 

 

“Over the next year, the apparent complexities of identity governance and administration (IGA) will evaporate. Traditionally, to achieve a complete IGA program, organizations must adopt a relatively heavy framework within its identity and access management strategy. However, according to Gartner, IGA deployment efforts are about 80% of business process automation, yet organizations continue to use tool-centric implementation approaches. In 2021, the complexities around IGA platforms will diminish. By leveraging their existing investments, such as Active Directory and ServiceNow with IGA-delivered services, enterprises will be able to achieve a more complete level of coverage. This allows organizations a more cost-conscious and effective way to manage security and compliance risks.”

 

Andy Renshaw – VP, payment solutions and strategy – Feedzai

 

 

Digital banking newcomers become targets

“Lawmakers in the U.S. approved a $900 billion stimulus deal in December 2020 to help households struggling with unemployment. Across the pond, U.K. officials are pondering whether or not to take up a stimulus measure to prevent hundreds of thousands of families from falling into poverty. At this time, additional stimulus packages seem unlikely. This means fraudsters will target the next lowest-hanging fruit: digital banking newcomers.

When the pandemic first unfolded, millions of consumers were unable to visit a physical bank branch and had to adjust to a “new normal” routine by adopting digital banking channels for the first time. A recent report by Feedzai and PYMNTS found these shifts are going to remain in place even after the pandemic ends. Roughly 75% of respondents said they plan to maintain the banking habits they adopted during the pandemic. Unfortunately, many consumers who shifted to digital banking channels because of the pandemic to adjust to this “new normal” are still learning the ropes. This makes them easy targets for fraudsters and cybercrime activities that prey on their lack of experience. Expect fraudsters to target these customers with fake investment opportunities and authorized push payment scams, to name just a few.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Tim Helming – Security evangelist – DomainTools

 

 

“The security industry should certainly rethink how it attracts and retains talent. The biggest mistake that was made in the past was that of not making a conscious effort towards inclusivity: in an industry that requires to predict and anticipate threats, diversity allows us to overcome blind spots and is an asset that should have been recognised sooner.

The skills we require the most are lateral thinking, problem-solving, the ability to think out of the box and adaptability, as we are working with threats that haven’t materialised yet, in an ever-changing threat landscape. Furthermore, soft skills such as the ability to communicate with internal teams effectively are increasingly essential for cybersecurity professionals and should be part of how we evaluate candidates’ competence. Security positions are only going to become harder to fill as the threat landscape develops and we become more and more reliant on the digital world. In order to stand a chance of meeting these demands, a radical rethink in cybersecurity hiring is needed.”

 

Jamie Akhtar – CEO and Co-Founder – CyberSmart

 

 

“SMEs are likely to find 2021 a struggle for a variety of reasons. Firstly, those businesses who do not have millions in liquidity to fall back on are those who are more likely to fall victim to the current economic woes.

They are also likely to see a continuation of the worrying trend which places them directly in the crosshairs of cybercriminals: According to one of the UK’s largest insurers, 65,000 cybersecurity attacks target SMEs every single day; more specifically, a small business in the UK is hacked about every 19 seconds.

It’s important that SMEs understand that security is no longer something they can ignore and hope they don’t fall foul of: The failure to undertake regular security audits, provide up to date and dynamic user training, and ensure compliance with all relevant regulatory standards, the resulting security incidents could move beyond the realms of inconvenience and become an existential threat to the survival of your business: Take your security seriously and give yourself one less thing to worry about in 2021.”

 

 

For any questions, comments or features, please contact us directly.

 

 

 

Stuart Sharp – VP of Technical Services – OneLogin

 

 

“What we’ve seen this year reinforces the inadequacy of passwords in maintaining the security of online services. All too often individuals reuse passwords across accounts and it takes just one breach for one or more accounts to be hijacked. In their defence, our growing dependency on the internet has meant a surge in the number of accounts we need to subscribe to. While the employment of a password goes some way in helping to deal with the complexity, a long term solution requires applications to offer multi factor authentication. In particular, I believe the next year will see an increasing number of applications following the trend towards a passwordless future, where authentication can be achieved through device-based biometric solutions. The more simplistic methods, such as authentication by way of text messages, are better than nothing, but they are too susceptible to the malicious schemes of bad actors who can manipulate telco-based communications for their own benefit. Biometrics, however, is based on ‘who you are’, and when used with the FIDO2 WebAuthn standard, something you have is much tougher to subvert. In light of Covid-19 and the increased reliance on all things internet, it will be interesting to see is if this trend towards a passwordless world rapidly accelerates.”

 

Niamh Muldoon – Global Data Protection Officer – OneLogin

 

 

Prediction 1: “A further development which is likely to affect security moving into 2021 is the upcoming PSD2 Directive. This new EU Law will soon change how Payment Service Providers authenticate customers making payments online, meaning that strong authentication (multi-factor authentication) will need to be in place for all online payments within the EUs/UK or EEA’s regulatory control. Unlike GDPR, which made a huge splash in advance of the deadline in the security community, the awareness of this new directive (outside of the financial services and banking industries) is still extremely low, and as this deadline for SCA (strong customer authentication) has already been extended once, it is unlikely to be extended again: The current deadline of December 31st 2020 is likely to stand, which means we are likely to see a huge spike in the importance of MFA from a regulatory perspective.”

Prediction 2: “While this may be something of a hopeful prediction, I would love to see governments take more initiative, working to encourage more online protection for the most vulnerable in society, especially young people. Prior to operating on the internet, every individual should be made to take a course in Cybersecurity awareness and how they can protect their digital identity. If they pass the course, they should be awarded with something like a driver’s license for their digital identity to operate online. There are means through mobile phone providers, gaming providers and email providers to support this initiative. I truly believe this is a fundamental requirement to support the global fight against cybercrime. Additionally, encouraging this kind of engagement with security at an early age is likely to draw a wider variety of people into the cybersecurity sector, helping to secure a more diverse security workforce, and to alleviate some of the damage that our current skills shortage is causing.

Prediction 3: “Brexit is coming, and my observation is many organizations are still struggling to understand the impact that this seismic legislative change will have on their businesses, and are failing to understand the data privacy implications for both UK and EU citizens. In summary if you are transferring personal data to the UK via services then your business may need to make some changes to allow you to continue to share personal data with businesses or other organizations in the UK. A review of your data protection agreements and data transfers is needed. The recommendation is to speak to your data protection officer/regulator for guidance. 2021 will see customer privacy expectations increase for data privacy as a result of Brexit: EU citizens will continue to expect their data to be accessed, processed by EU citizens and stored within the EU region. I think we will see independent IAM platform providers headquartered in the EU being deployed as part of cloud technology architectures to support and provide this Trust Assurance.”

 

 

For any questions, comments or features, please contact us directly.