There is little doubt that 2020 has been one of the most challenging years many security professionals have encountered. The turmoil created by the COVID-19 pandemic has tested security and compliance to their absolute limits. Cybercriminals have capitalized on these times of rapid change and confusion, using COVID-19 to bombard potential victims with phishing attacks, clickbait and persistent exploitation attempts.
Security and compliance teams face an uncertain 2021, and there will no doubt be increased regulation as a result of COVID-19. But there is also data compliance uncertainty between the US, Europe and the UK as a result of the UK exiting the European Union in January 2021. Organizations will need to adopt protective security arrangements to meet the changing threat landscape, including the challenge of managing a remote workforce at scale.
Securing a remote workforce
A sudden increase in remote working started in March 2020 for parts of the world, and businesses will continue to encourage this trend in a post-COVID era. Tech giants such as Microsoft, Google and Twitter have already announced such plans despite the challenges this introduces.
VMware Carbon Black reported a 148% increase in ransomware attacks in the first few weeks of lockdown, and the Verizon Data Breach Investigation Report has identified that the number of errors “made by the remote workforce” is increasing. Now that company data is inside people’s homes, perhaps on personal laptops, any misconfiguration of newly acquired cloud services and questionable data security controls could be disastrous.
Proactive security teams will have already implemented mobile device management, mobile threat defense and endpoint device management software to minimize the risk of data leaving authorized platforms. But the switch to mass remote working may have caught many businesses short.
Despite increased productivity and deeper employee engagement, inadequate controls over data will see auditors and regulators taking tougher action against businesses and employees as we move into 2021. Weak security controls will increase company exposure to external threats, so thorough risk analysis and mitigation must continue into 2021. Remote worker habits must be monitored, and business preparedness must adapt as we hopefully enter a post-COVID dynamic.
Cloud agility and the shift to e-commerce
COVID-19 has also reinforced the necessity of business transformation and cloud migration. A cloud-first narrative was already prevalent in the majority of board rooms, but the pandemic has accelerated this desire. Businesses that already had some cloud services, such as video conferencing, telephony and cloud-based productivity suites, have coped much better with the pandemic.
There has been a significant increase in the uptake of other cloud services. Traditional retailers have shifted focus to e-commerce, and the hospitality sector has quickly embraced table service ordering apps. This explosion in cloud uptake has increased the attack surface for cybercriminals.
There is simply a lot more infrastructure to target and more remote desktop connections exposed to brute-force attacks. It is imperative to keep training and sharing relevant knowledge into 2021. Awareness of the latest cybersecurity trends will likely reduce the chances of misconfiguration during this often hasty transition.
Compliance and enforcement
2020 has been a difficult year for compliance. We have already seen the EU-US Privacy Shield revoked. Any business that handles sensitive or personal data, such as a HIPAA-covered healthcare organization, must take extra care during this pandemic.
Each piece of legislation is still enforceable despite the occasional relaxation of enforcement by governing bodies like the Office for Civil Rights (OCR). Regulators enforcing other data privacy acts, such as GDPR, CCPA and PIPEDA, will continue to take action against businesses that suffer a data breach. EasyJet, a low-cost British travel company, is one such example. It was fined £180 million for a data breach of 9 million passenger and credit card records. EasyJet is also facing an £18 billion lawsuit from the passengers impacted.
Data breaches are expected to increase into 2021, and the use of ransomware is expected to spike. Large-scale phishing campaigns are targeting individuals, playing on the reader’s emotions. Campaigns purport to have information about furlough schemes, government cash incentives for business support, or false information about vaccines.
Final thoughts
We have just scratched the surface of what to expect from security and compliance in 2021. Businesses and employees need a comprehensive security strategy, whether they use a dedicated server or a cloud implementation, or use a managed cloud service to reduce the risk of misconfiguration. Remember that legislation is still enforceable, even if some of the guidelines have been relaxed.