As we get firmly into 2021 the year is already shaping up in terms of cyber risks and some themes are clearly emerging.
With 2020 being such a momentous year in terms of the pandemic and the business response to things like lockdown it is likely that we will see increased cybercriminal activity in the year to come.
So what can we expect and what can we do about cyber risk in 2021?
Non-MFA likely to come under pressure
Multi-factor Authentication(MFA) is one of the most commonly seen methods of securing system access and there can’t be many people in the world that don’t have some service or other that requires this but amazingly there are still critical services out there that don’t enforce MFA.
Cyber threat firm Watchguard have gone big on this and make a confident prediction; “We know it’s bold, but we predict that in 2021, every service that doesn’t have MFA enabled will suffer a breach or an account compromise”
Whilst it seems somewhat fantastical to think that every service will be compromised it is distinctly possible especially if you add in the threat of automation.
Automated attacks to increase
For many of us, the last few months have seemed like a form of business ‘suspended animation’ but it would be a mistake to think that cybercriminals have been idle during lockdown.
AI and bots are likely to become more prevalent in the near future and we can predict with pretty near certainty that we’ll see attacks featuring forms of AI in the next year.
One of the most commonly-used malware in 2020, Emotet, has evolved to the point where it has moved away from simply launching automated attacks on the banking sector and is now targeting other industries too.
Whilst the effect of bots and automated attacks may seem like mere science fiction there is an increasing trend of businesses who see this type of action. 81% of companies report that they often deal with malicious bots and 80% say there has been an increase in the financial loss within their organization due to the increasing sophistication of automated malicious code.
We can expect to see many more of these automated attacks in the months to come.
The more things change…
There’s an old saying that “the more things change, the more they stay the same” and to a large extent, this is true with the risks we are seeing in the new year.
As people start to come out of lockdowns around the world they are beginning to connect to unsecured public WiFi hotspots and this brings with it its own risks.
After months of sitting at home on their secured connections, people are moving out into the world and forgetting that public WiFi isn’t always as secure as you may hope and the opportunities for snooping and data interception are much greater.
The truth is that people will continue to do stupid stuff and for any business that is wanting to protect itself, education will be the key.
Be careful what you connect
The internet of things (IoT) has brought with it many wonderful convenient aspects but it is also a minefield of security risks.
Whilst it might be great to connect your washing machine to the internet and then to the manufacturer for service information, the connection itself produces risks.
Typical IoT risks include hardcoded or guessable passwords, a lack of secure updates, insecure data management & transfer and insecure default settings.
Whilst it may seem fantastical to think that hackers could access your home network using your washing machine, just think about how many devices you currently have connected and ask yourself if you have thought about the security of each of these.
The rush to the cloud has left holes
There’s no doubting that cloud-based services certainly saved many businesses during the pandemic.
Companies large and small began to migrate to the cloud in ever bigger numbers and it is a rare business indeed nowadays that doesn’t have some form of cloud services in its tech stack.
But the haste with which people had to switch over brought the inevitable corner-cutting and it would be unbelievable to think that there weren’t vulnerabilities just sitting there waiting to be exploited.
The most likely gaps will come in the form of company shortcutting to get services implemented and online but don’t discount your chosen SaaS company leaving gaps as they try to cope with the rapid influx of new subscribers.
Preparation is the best protection
The advice to companies wanting to protect themselves is simple; don’t wait until you are under attack to do something, prepare now.
It’s sensible to develop a risk-averse mindset that is based on the premise that you are already under attack. Think about a group of hackers sitting in a basement somewhere just waiting to get around to you.
Consider carefully what you connect to your systems. Yes, it’s great to have your TV, music system and even your car connected to your network but have you really thought about how secure they are?
If you have staff connecting into your company network on their travels then think about investing in a VPN that will encrypt connections whatever public WiFi service they are connected to. Make sure you choose a VPN that has a ‘no-log’ policy, a wide variety of distributed servers and offers encrypted WiFi.
Having a private VPN service like privateinternetaccess.com means that they will be able to connect into your systems, whether they are cloud-based or on-premise and transmit data in a secure, encrypted format. This stops hackers from intercepting passwords or redirecting browsers to insecure keyloggers.
Having a defined update procedure that applies system updates whenever they are released is vital if you are to maintain your protection so make sure that you or your IT person applies patches immediately, however inconvenient you may feel that to be.
Finally, think about reinforcing the security message to anyone that may connect to your network whether that be staff at work or even your family at home.
Make sure they understand the risks and the most common ways that hackers, spear phishers and bots attempt to obtain access to networks and confirm that they change their passwords regularly for difficult to crack versions.
The cybersecurity environment in 2021 will feature a combination of good old favourites like spear-phishing and some newer emerging threats like automated attack systems but with a little preparation and keeping aware, you can protect yourself and your business.