The cybersecurity industry continues to become more and more challenging and complex, with businesses becoming increasingly aware of their vulnerabilities and hackers becoming more creative in their plans of attack. As both the defense and offense seek to advance their skills with the latest technologies, we decided to pick the brains of some of cyber’s leading experts to get their thoughts, insights and opinions on what to expect as we embrace 2021.
Here’s the lowdown:
Healthcare cyber attacks surge as a result of COVID-19
The healthcare industry has long been a prime target for cybersecurity attacks, with healthcare records in significantly high demand and traded widely on the dark web — even more so than credit card information. COVID-19 propelled this trend even further, with hackers anxiously looking to steal statistics about the virus, intellectual property about the vaccine and ways to gain control over supply chains.
In fact, between February and May of 2020 there were 132 reported breaches, according to the U.S. Department of Health and Human Services (HHS). This is an increase of approximately 50% in reported breaches over the same period the previous year.
When it comes to cybersecurity, compliance is simply not enough
Due to the increasing number of cyber attacks across all industries, and healthcare in particular, countries worldwide have come out with a series of regulations and recommendations in an effort to protect connected systems. As a result, cyber compliance is playing a key role in company decision making.
While industries are aware of cyber risks, their investments in cybersecurity are often driven by compliance rather than by cyber risk management as part of a broader, crucial, business context. Industries are starting to understand the larger importance of improving their security postures, but they are not yet there.
Two of the biggest challenges in the industry are creating awareness that compliance is not enough and the lack of highly skilled and qualified people who understand the cyber impact on business. Many members of organizational Boards do not have backgrounds in technology or cyber and often believe that if their companies meet the necessary standards and regulations they will be secure, but that is simply not the case.
The more things change, the more they stay the same
The popular mindset is that cybersecurity is changing very rapidly, but the reality is that the types of exposures, vulnerabilities, and techniques that we saw ten years ago are still relevant today. For example, while it is often very difficult to initially breach an organization, after the initial breach, lateral attacks within the organization are usually relatively simple. The recent attack on the SolarWinds supply chain highlights this very point.
Like all people, hackers have their workflows, processes and ways of doing things, and as long as they work, the popular belief of "why fix something that is not broken" holds true. In a sense, there is a disconnect between the steps the industry is taking to protect itself and the breaches that are actually occurring. Cybersecurity can actually be very simple with a "back to basics" approach. The technology, tools and methodology are there; organizations simply need to follow them and implement them correctly.
Expect the unexpected
2020 taught us all to “expect the unexpected.” COVID-19 was the most prominent factor in every aspect of human life and caused a tremendous growth in attack surfaces, with so many employees working from home. 2020 also caused an increase in cyberwarfare, which has become more robotic on the one hand, and more powerful on the other.
More and more bots running automated scripts are flooding the net, attacking every gap that has been left open as a result of poor configuration. As in the FireEye attack, nation-state actors with powerful capabilities managed to penetrate widely and expand to countless networks in dozens of organizations in the West.
I think 2020 taught us to “go back to basics and get your hands dirty” by updating and patching vulnerable systems and to never trust a fully-marked security checklist. Rather, the focus should be on allocating resources efficiently to ensure you protect your company’s most critical business assets.
The work from home (WFH) model is here to stay
COVID-19 completely changed the way organizations work, with employees working from home and occasionally using their own devices, thereby increasing possible attack surfaces.
As we look ahead, we see that the WFH model is here to stay, at least to some degree. Organizations will need to implement further changes to support this model, and will need to reassess their security posture after every change.
During COVID, companies didn't have time to make major changes, but now they will need to implement more comprehensive changes and make sure that they are implementing them correctly. Here, CYE can play an even bigger role because we don't only reveal the attack routes, but we also build a mitigation plan and advise organizations on how to remediate.
From technical injections to business-related vulnerabilities
When it comes to trends in application security, we will see fewer and fewer technical injections, such as SQL injection and Cross Site Scripting (XSS), which can be mitigated and blocked using modern programming practices, frameworks and Web Application Firewalls (WAFs). On the other hand, we are going to see more business-related vulnerabilities, such as business logic flaws, authentication and, especially, authorization issues. Today, automated technical scanners cannot deal with business-related vulnerabilities. They do not check for these kinds of vulnerabilities at all, which is why hackers will seek to exploit them.
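To make the distinction concrete, here is an added example (not code from the post or from CYE) of a record-lookup handler whose parameterized query already neutralizes SQL injection but which still has a missing authorization check, beside the corrected handler; the in-memory table, user ids and probe functions are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users (100 and 200), each owning one record."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER, note TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)",
                   [(1, 100, "alice: lab results"), (2, 200, "bob: lab results")])
    return db

def get_record_flawed(db, session_user_id, record_id):
    """Bound parameters mean the framework already blocks SQL injection.
    The business rule is what is missing: nothing ties the record to the
    caller, so any logged-in user can read any record. The reply is an
    ordinary 200, which is why signature-based scanners see nothing wrong."""
    row = db.execute("SELECT note FROM records WHERE id = ?", (record_id,)).fetchone()
    return {"status": 200, "note": row[0]} if row else {"status": 404}

def get_record_fixed(db, session_user_id, record_id):
    """Same query plus the authorization rule: the row must belong to the
    caller. A 404 (rather than 403) for someone else's record also avoids
    confirming that the record exists."""
    row = db.execute("SELECT note FROM records WHERE id = ? AND owner_id = ?",
                     (record_id, session_user_id)).fetchone()
    return {"status": 200, "note": row[0]} if row else {"status": 404}

def injection_probe(db, handler):
    """What an automated scanner does test: a malformed id. With bound
    parameters it is compared as a literal and simply matches nothing."""
    return handler(db, 100, "1 OR 1=1")["status"]

def authz_probe(db, handler):
    """What a scanner does not test: can user 100 read user 200's record (id 2)?
    Only a check that knows the ownership rule can answer this."""
    return handler(db, 100, 2)["status"]

def run_checks():
    """Returns the status each probe gets from the flawed and fixed handlers."""
    db = make_db()
    return {
        "flawed_injection": injection_probe(db, get_record_flawed),  # 404: injection blocked
        "flawed_authz": authz_probe(db, get_record_flawed),          # 200: authz flaw
        "fixed_authz": authz_probe(db, get_record_fixed),            # 404: flaw closed
        "fixed_owner": get_record_fixed(db, 200, 2)["status"],       # 200: owner still works
    }

if __name__ == "__main__":
    print(run_checks())
```

Both handlers pass the injection probe, so a scanner that only knows injection patterns reports both as clean; only the ownership probe, which encodes the business rule, separates them.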
2020 was a year that most of us are all too willing to leave behind. However, as we embrace the new challenges – and opportunities – of 2021, we must carry the lessons learned from 2020 into the new year and understand that when it comes to cybersecurity, we must constantly question, inquire and challenge our underlying assumptions. With so many cyber attacks shaking the industry, CISOs need to question whether their cybersecurity programs are not only compliant with the necessary regulations, but actually prioritize and secure their most critical business assets.