As a tumultuous 2020 draws to a close, it’s with growing trepidation that I gaze once more into my crystal ball to predict what 2021 might bring for cyber security.
As the world reels under COVID-19’s sudden and profound disruption — and nations wonder who and what to depend on for solutions as uncertainty prevails — maintaining trust in institutions, in businesses and in technology will be crucial to a global recovery.
We’ve anxiously debated the evils of fake news and control over social media, worried about the privacy implications of tracing apps, watched conspiracy theories over 5G proliferate, and agonized over the national security of our technology supply chains.
Permeating each of these debates is the notion of trust — a theme that in 2021 will continue to dominate public sentiment everywhere as people look for leadership, comfort and reassurance of better days. Public trust will no doubt be tested along the way, particularly as the threat of costly organized-crime attacks during the pandemic continue playing on our fears and arousing doubts.
Ransomware — the cost is becoming intolerable
Organized cyber crime groups are finding ransomware all too lucrative to ignore as the pandemic undermines global economic stability. I believe there are three ongoing threats that businesses everywhere will need to anticipate and prepare for in 2021:
- The rise in ransom demands, which have soared from six-figure sums into millions of dollars.
- The dramatic rise in the cost of remediation amid the proliferation of remote working arrangements, with criminals increasingly targeting the infrastructures that support today’s distributed workforce.
- Double extortion, in which criminal groups have begun blackmailing firms with the threat of auctioning or publicizing stolen data.
Firms typically find themselves torn between the reputational risk of ‘financing’ organized crime by complying with demands and fulfilling their fiduciary duty to protect shareholder interests. More often than not, unfortunately, businesses are ‘paying up’ in order to maintain operations and avoid potentially catastrophic results.
What does this mean for insurers? We’ll likely see a trend in which insurers carry a growing burden of claims, review premiums and worry over potential exposure to future large-scale ransomware attacks. In response, we’ll see governments taking action through regulatory sanctions against organized-crime groups, and insurers brokering a middle ground between firms whose survival is on the line and the legal consequences of sanctions violations.
A positive outcome will be a highly productive heightening of collaboration between governments, law enforcement and technology firms, as they ‘circle the wagons’ to devise active defense programs and more big takedowns aimed at crippling the criminal underworld’s formidable infrastructure.
Global cyberspace suspicions and tensions are on the rise
Tensions arising over the diversity of ideological views concerning governance of cyberspace have been evident among nations for years. In 2020, we saw more government interventions aimed at localizing cloud services amid national security and privacy fears, plus controls over social media channels or steps to limit dependence on foreign, and allegedly untrustworthy, technology. COVID-19 has only exacerbated these tensions, with nervous nations increasingly accusing each other of cyber espionage and interference in their internal affairs. In 2021, I expect nations to exert increasing control over ‘their’ cyberspace ecosystems, despite little international consensus and the potential for many cyber-crime flashpoints.
To meet increasingly complex and extra-territorial privacy regulations and national-security requirements, global firms will be driven to localize how they process and handle data. In return, they will be increasingly vocal about the divergence of national approaches.
We all have our head in the clouds
COVID-19 has demanded pragmatism on behalf of CISOs and CIOs in the battle to secure today’s rapidly evolving IT environments. Suddenly, the CISO has to worry about effectively managing thousands of home-working sites, myriad personal devices and an aggressive shift to the cloud. I expect 2021 to be the year in which the CISO role changes forever, from securing corporate IT boundaries to a broader view of enterprise security.
The timescale for many cloud-migration projects has collapsed from years to mere months in the race to meet fast-changing business needs. Hyperscale cloud providers are increasingly dominant and intently focused on security, making 2021 the year in which firms are forced to truly understand what security in the cloud really means. In areas such as retail, the shift in business models has been particularly abrupt, raising concerns about criminals targeting new vulnerabilities amid the wave of new or quickly scaled online retail platforms.
To succeed, I believe security teams will need to:
- Reskill employees to reflect the split of responsibilities between enterprises and cloud-service providers
- Adapt to agile development methods and new digital channels
- Enact these innovations while cloud security skills attract a premium as the global job market competes for much-needed talent in 2021.
Budgets are tight but don’t ignore security and resilience
Security measures can be deemed a costly overhead despite substantial cyber threats inundating businesses everywhere today. Firms struggling through the pandemic are desperately looking to reduce costs and, unfortunately for many, that will even include cyber security.
We expect 2021 to be a year for rationalization in many sectors, with firms questioning whether they genuinely need the security software and devices acquired over many years — and whether their investment in the cloud during COVID-19 can unlock a very different approach to security. Automation will also be on people’s minds, with self-service becoming the order of the day as businesses look to streamline processes, slash operating costs and embed security into operations.
COVID-19 has also taught us some hard lessons about resilience. Executives were forced to get involved in securing a new digital business model and have convinced themselves, given the experiences of 2020, that their firms are now resilient. Not so fast. Regulators will remind them that they are now dependent on technology in ways that they never conceived — and that not all shocks come with the slow inevitability of a spreading pandemic.
And lastly, let’s not forget about people
Amid the convergence of technology-related security concerns, the impact of today’s troubling environment on people cannot go unrecognized. Work patterns have quickly changed for many employees, while others have been placed on furlough or found themselves suddenly unemployed. Firms will understandably be cautious about rehiring and may choose to permanently reshape their workforce models.
At the same time, people have found new ways of working and perhaps have had the time and space to consider their future employment options. Employers are worried about employee loyalty in these volatile times, while employees are worried about the loyalty of their employers. As a result of today’s uniquely turbulent workforce conditions, concerns over insider threats and fraud are growing.
That said, I believe that 2021 will be the year of the people. The best companies will reassuringly engage their teams and support them in securing their homes, families and workplaces in the radical new workforce environment – while others may drift into increasingly draconian corporate surveillance of a potentially disgruntled cadre.
For me, it would be easy to enter 2021 under a cloud of gloom and despair. But I remain an optimist, as I believe that 2020 has shown our ability to adapt and has unleashed an inspiring community spirit which I hope we retain for the future. It has been a time of unprecedented change, one that has also sowed the seeds of a bold new reality that awaits. In this unfamiliar and fast-moving new world, trust will be more important than ever.
This blog was originally published on kpmg.com by David Ferbrache, Leadership, Global Head of Cyber Futures, KPMG in the UK