16 December 2020: Instead of predicting more malware, ransomware attacks and data theft, the cyber security industry needs to stop trying to prevent access to IT systems and take a new data-centric approach, says Nigel Thorpe, technical director at SecureAge, who looks at some predictions that should come true in 2021, but probably won’t.
“Organizations should accept the reality that it is just not possible to keep all cybercriminals out, all of the time,” says Thorpe. “The attack surface is getting bigger as the remote and hybrid office provides a softer point of entry into the corporate network, while the insider threat is also extended as third-party service providers gain greater access to data and systems. But this acceptance of reality won’t happen quickly, because the traditional methodology is for organizations to add more layers of defense to stop bad actors getting in; or to accept the inevitable and have incident response plans and procedures in place to recover.”
Other things that should happen in 2021, but are unlikely to, include:
The Zero Trust model will be extended to data
You can build as many micro-perimeters with authentication and access controls as you like, but if a cybercriminal – insider or external – gains user access, then data is there for the taking. And relying on full disk encryption on a running system is about as useful as a Secret Santa. What should happen is that security is built right into all data using file-level encryption. This approach ensures that even if stolen, data remains protected and unusable by the cybercriminal. This is the simplest solution that gets to the heart of the problem without disrupting the way people or applications work. However, this extension of Zero Trust into the data won’t happen because of the belief that more doors and more monitoring will keep data safe. But this is just more tinkering around the edges of the problem.
IoT devices in the home will be recognized as a back door to the corporate network
The growth of connected devices from smart light bulbs to digital assistants can give cybercriminals access to home networks. From there, the jump to an employee’s laptop and into the corporate network is relatively easy. But IoT security is still woeful and is not going to change anytime soon.
Even trusted technologies for securing remote workers, such as multi-factor authentication (MFA) and Virtual Private Networks (VPNs), do not defend against a cybercriminal who has hacked their way onto the home PC.
All data will be considered equal
Cybercriminals aggregate data stolen or purchased on the dark web to build personal profiles for use in identity theft. This means that all data is a security risk and should be protected. But the traditional approach is to only protect and encrypt the ‘important’, sensitive data, which means picking and choosing – so-called data classification. Others use full disk encryption, but this check-box approach to data security does not protect information on a live, running system. In a recent Ponemon report, sixty-nine percent of respondents say discovering where sensitive data resides in the organization is the number one challenge in planning and executing a data encryption strategy. Thirty-two percent say that classifying which data to encrypt is as difficult, and one of the major hurdles. If this is the top concern, why not just encrypt everything?
We will stop relying on everyone being an IT security expert
More of the population now recognize a suspicious link or email attachment, but it is still too easy to click on something that releases ransomware or other malware, and no amount of IT security education will eliminate this risk. Blocking all unauthorized processes is the only way to stop all malware from working, but most organizations still rely on the ‘human firewall’. The better approach is to behave like the doorman at the nightclub – if you’re not on the list, you’re not coming in.
“We can’t keep predicting more attacks and breaches every year and still approach the problem in the same way as we have always done,” says Thorpe. “It’s time we stopped simply doing all we can to prevent access to the things we want to protect and focus on the data itself.”