New challenges arose in 2020 as a result of (among other things) increased numbers of remote workers using new and untested methods to access confidential information and major upswings in eCommerce use as physical stores were closed during lockdowns. With new access procedures and increases in traffic come new attack vectors and a need for new tactics to mitigate them.
Securing your product, whether it’s a web app, intellectual property stored in a distributed cloud environment, or the user data of your customers in 2021, will look a little different as a result of these changes. At the same time, many aspects of cybersecurity will remain the same, simply requiring a more concerted effort to enforce existing rules and procedures. For 2021, here are my five picks that I expect to be of critical importance.
1. The Internet of Behavior Will Continue Growing in Importance
A term coined by industry analysis leader Gartner[1], the Internet of Behavior (IoB), is “about using data to change behaviors.”
When companies take the data gathered from their IoT devices, facial recognition, wearables, smartphones and the like, use it to steer the behavior of their customers, and then feed the resulting data back in to refine the targeting, that feedback loop is the IoB.
The trick in 2021 will be striking a balance between exploiting this data and keeping it secure. As Kim Berry, Principal Threat Intelligence Researcher at Auth0 puts it, “It’s going to come down to convenience vs. privacy. Will the use of this aggregate data, with the issues data aggregation brings with it, outweigh the best practice of keeping user data private and secure?”
We already know that a subset of this data is used, in more limited ways, to track our location, browsing habits, and social media use, among other things. Gartner’s own forecasts give a sense of the volumes involved: “By 2024, 30% of digital businesses will mandate DNA storage trials, addressing the exponential growth of data poised to overwhelm existing storage technology.”[2]
So it is not a technical stretch for the data already being collected to be aggregated with what IoT devices, smart TVs, voice assistants, and connected cars provide, and from there to a customized shopping experience the next time we go online looking for home goods.
Personally, I’ll be watching for how companies walk that line Kim talks about, the one between convenience and privacy. How a company handles the data they collect tells you a lot about that company’s values and whether or not you can trust them with your own information.
2. 2021 Will Be the Year of the Virtual Security Team
Cybersecurity concerns can quickly outpace the ability of a smaller company to respond in a timely manner. For most SMB organizations, it’s simply not feasible to employ a CISO and a team of security specialists when the total workforce is less than 50 (for example). So what is the average SMB to do? Enter the vCISO, or virtual Chief Information Security Officer, and their virtual minions of security experts.
By bringing in such a consultant, your company can reap the benefits of having an expert on hand to review continuity plans, analyze data related to a potential breach, establish your security perimeter at the data level, and more. Using the skills of a part-time team of security pros gives you the benefits of years of collective experience going to work solving your security needs without spending on full-time salaries.
Mixed workplaces, with some employees in the office and others remote, and componentized app development ecosystems can benefit from this hybrid approach as well. When your controls sit at the data layer rather than at the network edge, the choice of building blocks used to develop your app matters far less. And with a virtual security team working on that, your developers can focus on building your core product rather than trying to double as cybersecurity experts. With such a dispersed perimeter, the distributed nature of virtual teams just makes sense.
3. Ransomware Will Become Yet More Effective
There are several fronts to keep an eye on with this one. First, the attack methods being employed are going to keep getting harder to detect and unravel. The teams behind ransomware attacks are constantly changing their tactics; some are now running call centers to follow up with victims who try to restore from backup without paying the ransom. These teams will continue adapting and adopting new techniques while governments around the world play catch-up. Governments are starting to take the threat seriously, and bodies such as US Cyber Command and the UK’s newly formed National Cyber Force (NCF) are bringing the fight to these groups under their stated “Defend Forward” goals. So in 2021, we expect to see them aggressively hunt down these malicious actors.
At the same time, the attack itself has shifted. Until recently, most ransomware attacks encrypted entire networks, leaving the business unable to operate until the ransom was paid and service restored. The shift is toward a “hostageware” model: the network is breached and data quietly exfiltrated, followed by a threat to publish the stolen data if the company does not pay up. The twist is relatively new, but the defensive fundamentals are the same, good security hygiene such as prompt patching and updates, account maintenance, and offsite (ideally offline) backups, with one caveat: backups restore availability but do nothing once data has already left the building, so least-privilege access to sensitive data and monitoring for unusual outbound transfers matter as much as recovery.
4. Phishing/BEC Attacks Will Continue to Wreak Havoc
With all that shifting and morphing of the security perimeter, what are we going to see in terms of the ongoing scourge of phishing attacks? In all their forms, be it company-wide emails, targeted business email compromise (BEC) attacks, or the resurgent vishing (voice phishing) attack, this vector is here to stay. So what are you going to do about it as your teams begin trickling back into the office later in the year?
Getting the basics right is the crucial factor that many in the security world let slide in favor of adopting the newest and shiniest piece of AI-based technology. No matter how awesome your machine learning-powered filters are, there is no stopping a well-orchestrated, eloquently-worded, and link-free email from making its way into some overworked employee’s inbox.
The basic that can, in fact, stop these attacks before they start? Security education, training, and awareness (SETA). There is simply no better way to counter a human attacker using social engineering tactics than a workforce trained to recognize the emotional pressure such attacks rely on and ready to spot the red flags. Targeted education campaigns give your people an intuitive sense that tingles at the sight of a phishing email, and teach them who to alert when one arrives. There is no better defense against these attacks than stopping them before they start.
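As an added example, not code from the original article or from Auth0, the checks below are the kind of basic, non-ML screening that still catches a link-free BEC message of the sort described above: a known executive’s display name on an outside mailbox, a Reply-To pointing somewhere else, a homoglyph lookalike domain, and urgent payment language with no URL for a link filter to catch. The organisation data, domain list, homoglyph table and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed organisation data for this example (hypothetical names and domains).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENCY_TERMS = ("urgent", "wire transfer", "gift card", "asap", "confidential", "invoice")
# Homoglyph substitutions commonly used in lookalike domains (illustrative subset).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Collapse common lookalike substitutions so exarnple.com compares equal to example.com."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_flags(raw_message: str) -> list:
    """Return the BEC indicators found in an RFC 5322 message; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""

    # 1. A known executive's display name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display-name impersonation")

    # 2. Replies silently redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to mismatch")

    # 3. External domain that normalizes to one of ours (homoglyph lookalike).
    if from_domain not in INTERNAL_DOMAINS and normalize_domain(from_domain) in {
        normalize_domain(d) for d in INTERNAL_DOMAINS
    }:
        flags.append("lookalike domain")

    # 4. Urgent payment language with no link at all: nothing for a URL filter to catch.
    if not re.search(r"https?://", text) and any(t in text for t in URGENCY_TERMS):
        flags.append("link-free urgency")

    return flags


# Constructed sample messages, not real traffic.
SAMPLE_BEC = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need an urgent wire transfer processed today.
Keep this confidential until I have briefed the board.
"""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Thanks for the summary; the dashboard is at https://intranet.example.com/q3 if you need it.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, bec_flags(sample))
```

None of these four checks needs a model or a threat feed; they are the controls that let trained people and tooling reinforce each other, and they are cheap enough to run on every inbound message.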
5. A Distributed Security Perimeter Will Be Needed to Protect a Dispersed Infrastructure
Containerization, componentization, and cloud-first architecture are the future of app development. And when you combine this reality with the hybrid work environments being implemented across sectors, you start to see why we’re so focused on bringing the perimeter in to meet the data.
Porous security perimeters have lent an unwitting assist to the types of attacks discussed above when companies found their entire workforce suddenly thrust into remote work by the COVID-19 pandemic. Personal devices, unsecured networks, and the ever-morphing nature of attack vectors have led to a new adage, “identity is the perimeter.” According to Kim Berry:
“The perimeter has moved in to surround the data itself. That means identity is a critical component, right? That’s what is used to access the data; a user account with a verified identity associated with it makes identity the true perimeter now — that is what’s protecting your data.”
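As an added example, not code from the original article or from Auth0, the snippet below shows what “the perimeter around the data” looks like in practice: every read of a record is gated on a verified identity (an HMAC-signed, expiring token carrying explicit scopes) and on that identity’s entitlement to the specific record, with no reliance on where the request comes from. The signing key, record store, user names and scope string are all hypothetical, and the compact token format is hand-rolled for readability; a production system would use an OIDC provider and a standard JWT library, but the order of checks is the point.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key and record store for this example only.
SIGNING_KEY = b"example-only-hmac-key-use-a-real-kms-in-production"
RECORDS = {
    "rec-1": {"owner": "alice", "payload": "alice's design notes"},
    "rec-2": {"owner": "bob", "payload": "bob's payroll export"},
}
READ_SCOPE = "records:read"  # hypothetical scope name


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes, ttl_seconds: int, now=None) -> str:
    """Mint a compact HMAC-SHA256 signed token: base64url(claims).base64url(signature)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Return (claims, 'ok') for a valid token, or (None, reason) otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None, "malformed token"
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison; verify the signature before trusting any claim.
    try:
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None, "bad signature"
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


def read_record(token: str, record_id: str, now=None):
    """Data-layer access check: verified identity, then scope, then per-record entitlement."""
    claims, reason = verify_token(token, now)
    if claims is None:
        return "denied", reason
    if READ_SCOPE not in claims.get("scope", []):
        return "denied", "missing scope"
    record = RECORDS.get(record_id)
    # Same answer for "does not exist" and "not yours": do not leak which records exist.
    if record is None or record["owner"] != claims["sub"]:
        return "denied", "not authorized for record"
    return "ok", record["payload"]


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("alice", {READ_SCOPE}, ttl_seconds=300, now=t0)
    print(read_record(tok, "rec-1", now=t0 + 10))   # alice's own record
    print(read_record(tok, "rec-2", now=t0 + 10))   # bob's record, denied
    print(read_record(tok, "rec-1", now=t0 + 600))  # expired token, denied
```

Note what is absent: no source IP or network check anywhere. A request from the office LAN with a forged or expired token is denied exactly like one from a coffee shop, and a valid identity still only reaches the records it owns.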
Working With the Right Partners Will Set You Up for Success in Your New Hybrid Environment
We’re entering a hybrid period in the first part of 2021. On-prem, cloud, legacy, cutting-edge — often all within the same corporate environment. Add in a workforce that may or may not be remaining remote full-time, or they may be in the office part-time, or some other mix we haven’t thought of yet. Many organizations will find that the changes they made to get through the pandemic are just not sustainable and that returning to a fully colocated workforce is the right move. Others will discover that the productivity increases they saw are just too awesome to potentially lose out on and will remain remote. And yet others will find that a hybrid model will emerge that suits their needs.
However your workplace emerges as the year progresses, one overarching reality will remain constant — the need for a strong security posture that lets you maintain your core productivity without compromising your customer experience or exposing your data to malicious actors. We invite you to get in touch with our identity and access management (IAM) experts to see how partnering with Auth0 can help deliver the security you need to make the most of the systems you’ve already implemented or assist in laying the groundwork for those yet to come.
[1] Gartner Top Strategic Technology Trends for 2021, Kasey Panetta, October 19, 2020.
[2] Gartner Top 10 Strategic Predictions for 2021 and Beyond, Kasey Panetta, October 21, 2020.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.