
2020: IT Security Lessons to Learn

The year 2020 reshaped business processes and accelerated changes in the way we work, communicate and live. The shift to remote work put a lot of strain on business processes, IT departments and security teams, and cybercriminals used panic and chaos to exploit the situation.

Here, we analyze the experiences of the past year and explore the most important challenges we should be prepared for in 2021, as well as share some comments from IT security pros.

Digitalization of the hybrid workforce will continue; insider threats are not going away.

In 2020, the corporate perimeter went from fluid to non-existent. With the need to quickly meet the demands of a newly remote workforce, companies had to transform the way they operate, even while they had reduced teams, less investment in security and more cyberattacks. Cloud security became a new challenge for the many businesses that were not prepared to shift to a secure online environment. The speed of the transition, coupled with prioritizing productivity over security, made cloud security misconfigurations inevitable. “Those organizations that were already modernizing to support a flexible workforce were in good shape for the shift to remote working — but from our recent survey, 50% of organizations still aren’t ready to support and secure the flexible workforce,” says Todd Gifford, CTO at Optimising IT.

71% of companies believe that remote workers put their organizations at risk of data breach.

Ponemon, Cybersecurity in the Remote Work Era (2020)

60% of organizations found new security gaps as a result of the transition to remote work.

Netwrix, 2020 Cyber Threats Report

In 2021, businesses will continue to learn how to navigate hybrid work scenarios and adopt more technologies to enable workforce connections across physical locations. Companies will be normalizing policies to replace the stop-gap measures that were deployed when they had to quickly pivot to work-from-home. Otherwise, the security gaps caused by the inevitable mistakes made during this rapid transition will be exploited, and we will see new cloud security breaches linked to reduced security standards.

To combat these threats, companies will have to accelerate their plans for automation and security. Torsten George, cybersecurity evangelist at Centrify, expects that even the most sophisticated solutions might not be effective until they re-learn how to spot insider threats. “A lot of attention is paid to insider threat awareness but not always to the remedies. Fortunately, more tools are relying on AI technology to address this challenge, such as data loss prevention (DLP) and user and entity behavior analytics (UEBA). However, these tools have to establish a behavioral baseline first, because those baselines basically need to be redone to make those tools effective again.”

“2021 will be a time to take stock and retrospectively apply due diligence to all cloud applications and services brought online to support remote working in 2020. This means ensuring that security controls meet at least pre-COVID standards — with visibility, detection and response capabilities across cloud services, applications and infrastructure — across both current and ‘old normal’ cloud applications and services,” says Sam Humphries, security strategist, Exabeam.

The “ransomware-turned-data-breach” trend will cause more problems than ever.

In 2021, ransomware should top the list of concerns for every company. While it used to target specific industries, now it is everywhere, targeting big and small companies alike. BitDefender’s Mid-Year Threat Landscape Report (2020) revealed a 715% increase in ransomware attack frequency in 2020.

With ransomware variants continuing to evolve into more sophisticated threats, organizations will need a data protection strategy to outsmart them. “2021 will be our most challenging year yet in combating ransomware in the enterprise. The attacks don’t just attempt to execute a lockout or encrypt data anymore, but are increasingly aimed at extracting or stealing data from organizations. While some cybercriminals may sell the data on the dark web, others may threaten to leak the data for a higher payout on the ransom. We predict that this will become hackers’ ransomware end game — though the risk of detection rises along with the potential payday,” commented Flint Brenton, CEO of Centrify.

The average ransom amount is close to 1 million USD.

Kroll, A Deep Dive Into the Latest Maze Ransomware TTPs

Every fourth organization suffered a ransomware or other malware attack in the early months of 2020.

Netwrix, 2020 Cyber Threats Report

Some experts expect regulatory groups to impose stricter and larger fines as a way to encourage companies to proactively fight ransomware. Therefore, businesses will invest more in cybersecurity to tackle ransomware attacks and avoid legal penalties. Trevor Bidle, Chief Information Security Officer at US Signal, says: “This is especially critical following the announcement by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that paying ransom will not only encourage hackers to continue these attacks — but could now go against OFAC regulations.”

Avi Raichel, CIO at Zerto, says it’s smarter to prepare to recover than to pay ransom: “2021 will be the year of what I like to call ‘recoverware.’ The ability to recover is just as critical as all the protection walls companies are building. Companies need to invest in recovery solutions that are very fast and affordable, as this will save money in the long run as opposed to paying a ransom. Paying ransom makes you a target, but being able to recover and avoid downtime following an attack makes you wasted effort for those who want to profit from harming companies. After all, ransom doesn’t work if the target doesn’t have to pay it.”

Privacy regulations will increase; adopting a privacy-confident approach will help scale the business.

Organizations still face the challenge of handling data, securing it and developing privacy by design. With the growing value of privacy, stringent data privacy laws have been paralyzing some businesses for the last few years. However, some businesses are already getting more privacy-confident by adopting visible accountability for privacy. With a ‘privacy by design’ approach, it might be easier to succeed in 2021.

Phil Strazzulla, CEO & Founder of Select Software Reviews, expects that the amount of data getting passed around will shrink down to a minimum. “It’s one thing to pass around packets of PII when it’s all on your secure corporate network, but as that network becomes less physical and more virtual, that data becomes a liability.”

Patrick Walsh, CEO at IronCore Labs, predicts that cloud providers will start offering more advanced data privacy features. “Privacy regulations in California and Europe have made it risky and expensive to hold the personal information of customers without proper protection. As a result, we expect the trend toward stronger data controls for SaaS customers to accelerate with more ‘bring your own key’ and ‘customer-held encryption key’ offerings and wider adoption of end-to-end encryption.”

In 2021, we will also see an increase in legislation around privacy. In the US, California, Nevada, and Maine led the way, but now 23 states have adopted similar regulations. Jay Ryerse, VP Cybersecurity Initiatives at ConnectWise, said that as soon as we see legislation regulating MSPs on its way, “we may see a lot of forward-thinking MSPs investing in education and attracting talent to close their cybersecurity skills gap and leverage that legislation as a competitive differentiator in the market.”

Elena has more than 8 years of experience in the IT industry. She started as a Public Relations Specialist at Netwrix, working on PR materials such as commentaries, articles and customer success stories. Then she transitioned to Content Marketing, where she is now responsible for delivering informative blogs and whitepapers. Elena also serves on the editorial teams for both the Netwrix Cyber Chief and SysAdmin magazines.