This time last year, no one predicted the events that have unfolded in 2020. We didn’t anticipate the world plunging into lockdown, economies collapsing, businesses closing their offices, and employees working from home.
It’s been a year of huge change and – I’ll say it – uncertainty.
It might, then, seem odd that we’re thinking about predictions once again.
But predictions are important. They help us focus on the areas that will bring the biggest opportunities and challenges for our businesses and, from that, build strategies. Of course, there’s also the fact that the events of 2020 have undeniably impacted the ways we work and how organizations are run – particularly from a security perspective.
So, what do we think will be top-of-mind for IT and security teams as we approach the new year? Here are Tessian’s top four predictions.
1. The corporate network (as you probably guessed) will disappear
Remote work – or hybrid work – will stay.
Businesses simply can’t go back to the “old” ways of working. Why? Because employees expect to work both from home and in the office. In fact, 89% of employees said they no longer want to work exclusively from the office every day of the week.
This shift will completely transform the concept of a network, at least as we’ve come to know it in the traditional workplace. Today, company security is very much in the hands of the employees.
That’s why CISOs need to consider how their 2021 security strategies will protect and secure their people – not just endpoints and networks. This is especially important because people make mistakes, break the rules, and can be tricked or deceived by cybercriminals.
To put it simply: Not protecting people means that company data and systems are at risk. But it’s important that security doesn’t impede employee productivity or interrupt their daily workflow.
According to Tessian research, 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job and 51% say security tools and software impede their productivity.
So, what can you do to protect your people, without getting in their way? Remove the sharp objects, protect them wherever (and however) they work, and make sure your security solutions stop threats and not business.
This is what we call Human Layer Security.
2. Account takeover attacks will spike
Account takeover (ATO) – a type of attack where a hacker gains access to the email account of a trusted person or organization and impersonates them to conduct fraudulent activities – will surge in 2021 as cybercriminals look for more ways to bypass secure email gateways (SEGs) and deceive people with phishing and spear phishing attacks.
Not sure what the difference between phishing and spear phishing is? Read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.
The problem is, despite training employees on how to spot phishing attacks, targets of ATO attacks will have no idea that the person in their trusted network has been compromised. Why? Because the emails appear genuine; the domain name and display name appear as usual. There are no “red flags” which means even the most tech-savvy employee wouldn’t question its legitimacy.
ATO attacks will erode people’s trust in email in 2021, rendering IT teams powerless in stopping people from falling for the scams. This is why we predict that more businesses will adopt a zero-trust model of email security and look for solutions that address threats from their extended network.
IT teams should be looking for advanced inbound email security solutions that use behavioral analysis, natural language processing, and machine learning to:
- Understand communication patterns
- Spot anomalous email sending patterns
- Accurately detect incidents of account takeover, before they turn into breaches.
3. The supply chain will become an even weaker link in security
No company has control over the security behaviors of its vendors, partners, or suppliers, nor do they have visibility into breaches that happened outside of their organization and across their network.
Cybercriminals use this to their advantage.
By infiltrating smaller companies connected to a company network — either with malware, phishing attacks, or account takeover — they can impersonate the third-party, target a larger company’s employees, and access valuable systems and data. And, the aftermath of the COVID-19 pandemic will only heighten the risks associated with third-parties.
First, people will continue to work remotely which, according to various reports this year which not only makes them more vulnerable to phishing attacks, but also makes it more difficult for them to verify requests. For example, a wire transfer.
Second, financial uncertainty in 2021 may mean IT budgets are cut. CISOs have no way of knowing whether this is the case with their company’s own suppliers or partners and whether or not they are prioritizing security.
Once again, addressing the threats from your company’s extended network will need to be a priority in 2021, as will securing the entire email ecosystem.
4. We’ll get real when it comes to AI
The AI hype cycle has left some companies burned by the false promise of AI and ML.
In 2021, however, we predict that the hype will die down. We’ll see less marketing claims and industry conversations around the technology. This is great news for true AI and ML innovators.
It will allow the real AI and ML use cases to shine through and companies will start to see how the technology can benefit their business.
But, we should also consider how AI will be used for malicious purposes. We think that we’ll continue to see cybercriminals leveraging AI to make their deceptions and impersonations – either on email or in the form of deepfakes – more convincing and believable.
Likewise, advancements in NLP will lead to more sophisticated attacks that closely mirror the language and tone of the person being impersonated. This will make it more difficult for people to determine what’s real and what’s fake.
This is where automated security solutions will prove invaluable to security teams.
Elvis M Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, took a deep dive into deepfakes at Tessian Human Layer Security Summit in September. And, according to Nina, “This is not an emerging threat. This threat is here. Now.”
Learn more about this type of threat and how AI is being used both in the creation of and defense against deepfakes by watching the full session on-demand.
“It’s worth noting that at the heart of the challenges businesses and security teams have faced over the past year - and will continue to face as we head into 2021 - is people. Businesses must prioritize people’s wellbeing and their security to succeed.
Looking ahead to 2021
The uncertainty from 2020 won’t disappear come January. There’s still a lot for businesses to figure out, and IT leaders will be under pressure to deliver a seamless and secure working environment for employees, despite budget cuts and under-resourced teams.
But it’s worth noting that at the heart of the challenges businesses and security teams have faced over the past year – and will continue to face as we head into 2021 – is people.
Businesses must prioritize people’s wellbeing and their security to succeed.
Greater visibility into the human layer of an organization gives IT teams insight into their riskiest and most at-risk employees, allowing them to focus and address the areas in which their company is most vulnerable.
Automated security alerts ensure that every employee is made aware of threats in their inbox – no matter where they choose to work – and real-time alerts can help people make smarter security decisions. That’s why we predict that 2021 will be the year that businesses realize the power of Human Layer Security.