2021 Predictions: Cybersecurity & Third-Party Risk

Prediction/Trend 1 – Attack trends – the industrialization of ransomware

Ransomware attacks are escalating quickly, both in sophistication and the amount of money being demanded. This would be a much bigger story if other global events were not dominating, but even so governments and regulators worldwide are getting worried at the financial, business interruption and collateral damage piling up. This includes the first death attributed to a cyber attack: German police are treating a ransomware attack on a hospital which resulted in a patient being diverted to another facility and dying before she got there as a potential homicide. Wide scale disruption of local government and education across western countries, along with multi-billion-dollar losses to the economy through payment of ransoms and business interruption, is focusing minds.

Governments are discussing law enforcement and policy solutions. The US Treasury’s recent advice that paying ransoms to some cybercriminal groups could lead to organizations violating economic sanctions has raised the stakes for many companies. It underlines the need for expert advice when handling ransomware attacks.

In Europe, there is a lively debate about the criminalization of ransomware. Given that international agreement and action from some of the countries hosting ransomware operations is unlikely, making ransomware attacks less lucrative for cybercriminals is the objective. There is also pressure from the insurance industry to encourage government action. Insurers feel uncomfortable about paying huge sums to cybercriminals, which, while not illegal, is an ethical grey area. Insurers are adjusting coverage and increasing premiums to reflect ransomware attacks.

There will be more insider threats in 2021, which is always common during a recession. However, these will be increasingly complex and creative – you only have to look at Tesla, where an attempt was allegedly made to deliver ransomware by bribing an employee.

The Honda ‘Snake’ ransomware attack was particularly interesting. The sophistication of the attack method, using ransomware targeting industrial control and remote management, will likely become ever more popular. In this case, ransomware spread from corporate IT to operational technology and led to global business interruption and manufacturing disruption.

It also demonstrates that criminal activity in cyber is increasing in those sectors where attackers know that the business interruption will be particularly crippling, meaning the victims are more likely to pay. The pharma and healthcare sectors have experienced exponential increases in attacks.

The methodology of ransomware attackers has now developed to include ‘doxware’: they now regularly exfiltrate as well as encrypt data so that even if a victim has backed-up, they can be blackmailed with publication of their sensitive information.

 

Prediction/Trend 2 – Accelerated cloud adoption shines the spotlight on the security of remote working

In 2021, security around remote working will continue to be on the agenda of many organizations, especially with the increasing number of unprotected endpoints, leading to an enlarged attack surface, which will stay with us for a while. This will undoubtedly lead to increased business email compromise attempts and attacks against VPNs and other remote working infrastructure.

This trend goes hand-in-hand with what I think will be the biggest non-cyber trend for next year: cloud adoption accelerating even further, following 2020’s COVID-19-driven migration. Many organizations will be looking to the cloud earlier than they had planned. Remote working is here to stay even after the pandemic as part of a more mixed approach to the workplace. IT teams are settling into this ‘new normal’ way of working as lockdowns come and go. This necessitates increased training for staff to operate remotely.

 

Prediction/Trend 3 – Growth of cybersecurity ‘as a service’

Cybersecurity solutions ‘as a service’ will grow and dominate as the cyber skills gap widens – we simply don’t have enough skills within the industry and the pandemic has underlined that. With worldwide social distancing restrictions prohibiting skilled individuals working on-site, organizations will get used to purchasing ‘as a Service’ solutions remotely.

Cloud service providers are increasingly moving into the cybersecurity market, helping to accelerate consolidation of these two areas. This is something that BlueVoyant is actively engaged in, through its technology partnerships.

The number of cybersecurity companies continues to rise. We’re witnessing a general demand within the industry, especially from CISOs, to be able to quantify and assess different products and solutions objectively. Those buying products and services often feel swamped by sales pitches and are suspicious of ‘black box’ solutions which over-claim.

 

Prediction/Trend 4 – The geopolitical threat

The Iranian attack on an Israeli water treatment facility during the pandemic is an interesting example of the tactical use of cyber weapons between nations. We should expect this to grow as more nations acquire offensive cyber capabilities, as set out in the Harvard Belfer Centre’s recent ‘Cyber Power Index’.

 

Prediction/Trend 5 – Cybersecurity in vertical sectors

There’s an obvious, increasing focus on security in healthcare and pharmaceutical, with many organizations witnessing a huge uptick in attacks as precious IP is targeted. This reflects criminal cyber attack groups continuing to target industries where there are huge financial rewards, as well as nation states attempting to steal IP; in healthcare this has been driven by the COVID-19 pandemic, and the many worldwide vaccine initiatives and trials.

Manufacturing, energy and utilities continue to be a concern and have typically been less mature than other sectors in their cyber readiness. The scale of the problem for manufacturing is elevated through the large-scale introduction of IoT to the sector. As this grows, risks common to traditional environments may expand, due to the increased pace, scale, density, and variety of devices.

Assessing risk with the IT and OT space of an enterprise will become more complex, especially when combined with escalating concern about supply chain, third party risk. Governments, including the UK, have highlighted supply chains as an area for urgent attention in tackling cyber risk in the coming years.

 

Prediction/Trend 6 – Outsourcing will increase in 2021 with businesses needing to take a step back to analyse cyber risk

Because some organizations do not have the resources to build up internal cyber risk teams, outsourcing risk management is an important way to address the challenges they face. Within an organization and its vendor ecosystem, risk doesn’t wait. They need a solution that can support their digital risk agenda, immediately providing a holistic view of all companies in their vendor ecosystem.

Outsourcing cyber risk is more accepted now than it was before, although CISOs haven’t always preferred this approach. However, in 2020 this has been taken out of their hands. Digital transformation initiatives have accelerated at an unprecedented rate, and at the same time, IT and cyber teams have converged, to deal with the level of risk that such transformations introduce.

To effectively deal with risk, companies must adopt the same level of due diligence that they would when making an investment, merger or acquisition, to secure their vendor ecosystem. In an era of consolidation, they must take a step back and assess how they can effectively manage risk within a business.

 

Prediction/Trend 7 – Third-party cyber risk management is at the top of the agenda for boards

Third-party cyber risk management has never been at the top of the priorities list; there were always other initiatives deemed of higher importance. In 2021, it will go firmly to the top of the pile. The third-party cyber risk agenda has been getting increased Board-level visibility in the last few years, due to increasing regulations and the number of organizations suffering data breaches through the vendor ecosystem. But now, because of the inherent risks that COVID-19 has presented to the board in 2020, third-party cyber risk has their attention; it is fast becoming one of the key risks for companies moving forward. And as the business ecosystem has digitized and expanded and organizations are working with hundreds, if not thousands, of vendors this has only amplified that risk. Today, organizations have never been more aware of the financial and operational risks of suffering a data breach or a ransomware attack through a third-party provider.

As a result, boards are now paying attention to third-party cyber risk, and they want to know what their teams are doing to mitigate any potential vulnerabilities. Similar to the speed at which the pandemic has transformed how organizations operate – and how quickly vaccines are being developed – the board wants these answers immediately.

Cyber risk has also evolved into digital risk, whereby cybersecurity is just one piece of the puzzle. It is also now clear that the board is directly responsible for the strength of the overall cyber risk posture; no longer is it solely the CIO or CISO. A top-down management ethos requires boards to take a proactive stance on cybersecurity. This is reflective of the central pillar that cyber has become within organizations and CISOs and CIOs have gone from being a domain of expertise to being advisory to the board. This rapid shift will only continue, as will the complexity of third-party cyber risk management.