Cybersecurity has always been a never-ending race, but the pace of change is accelerating. Companies continue to invest in technology to run their businesses. Today, they are integrating more and more systems into their IT networks to support remote work, improve customer experience and drive value, creating new potential vulnerabilities.
At the same time, adversaries – no longer limited to individual actors – include highly sophisticated organizations that leverage tools and capabilities integrated with artificial intelligence and machine learning. The scope of the threat is growing, and no organization is immune. Small and medium-sized businesses, municipalities, and state and federal governments face these risks just as much as large enterprises. Today’s most sophisticated cyber controls, however effective, will soon be obsolete.
In this environment, leaders must answer two key questions: “Are we prepared for accelerated digitization over the next three to five years?” and, more specifically, “Are we looking far enough ahead to understand how today’s technology investments will impact cybersecurity in the future?”
Many organizations are recognizing the need to radically change their cybersecurity capabilities and ensure the resiliency of their technology. The solution is to strengthen their defenses by looking to the future – anticipating the emerging cyber threats of the future and understanding the multitude of new defensive capabilities that companies can use today and others they can plan to use tomorrow.
1. Three cybersecurity trends with large-scale implications
Businesses can only address and mitigate the disruptions of the future by being more proactive and forward-looking today. Over the next three to five years, three major cybersecurity trends that cut across multiple technologies will have the greatest impact on businesses.
1.1. On-demand access to ubiquitous data and information platforms is growing
Mobile platforms, remote work, and other changes are increasingly dependent on rapid access to ubiquitous and large data sets, increasing the likelihood of a breach. The web hosting services market is expected to generate $183.18 billion by 2026. Companies are collecting much more data about their customers, from financial transactions to electricity usage to social media views, in order to understand and influence buying behavior and more effectively forecast demand. By 2020, each person on Earth will create an average of 1.7 megabytes of data per second. With the increased importance of the cloud, companies are increasingly tasked with storing, managing and protecting this data and addressing the challenges associated with exploding data volumes. To implement such business models, companies need new technology platforms, including data lakes that can aggregate information, such as vendor and partner channel assets, across environments. Companies aren’t just collecting more data, they’re centralizing it, storing it in the cloud and granting access to it to a range of people and organizations, including third parties such as suppliers.
Many recent high-profile attacks have exploited this expanded access to data. The Sunburst hack in 2020 involved malicious code distributed to customers during regular software updates. Similarly, in early 2020, attackers used compromised employee credentials from a large hotel chain’s third-party application to access more than five million customer records.
1.2. Hackers are using AI, machine learning and other technologies to launch increasingly sophisticated attacks
The stereotypical hacker working alone is no longer the primary threat. Today, cyberhacking is a multi-billion dollar enterprise with institutional hierarchies and research and development budgets. Attackers use advanced tools, such as artificial intelligence, machine learning and automation. In the next few years, they will be able to accelerate – from weeks to days or hours – the end-to-end attack lifecycle, from reconnaissance to exploitation. For example, Emotet, an advanced form of malware targeting banks, can change the nature of its attacks. In 2020, leveraging advanced AI and machine learning techniques to increase its effectiveness, it used an automated process to send contextualized phishing emails that hijacked existing email threads – some related to COVID-19 communications.
Other technologies and capabilities are making already known forms of attacks, such as ransomware and phishing, more prevalent. Ransomware-as-a-service and crypto-currencies have significantly reduced the cost of launching ransomware attacks, which have doubled in number each year since 2019. Other types of disruptions often trigger a spike in these attacks. During the initial wave of COVID-19, from February 2020 to March 2020, the number of ransomware attacks worldwide spiked 148 percent, for example. Phishing attacks increased by 510 percent from January to February 2020.
1.3. The ever-changing regulatory landscape and persistent gaps in resources, knowledge, and talent will outpace cybersecurity
Many organizations lack sufficient cybersecurity talent, knowledge, and expertise, and this gap is growing. In general, cyber risk management has not kept pace with the proliferation of digital and analytic transformation, and many organizations do not know how to identify and manage digital risks. To complicate the problem, regulators are tightening their guidance on companies’ cybersecurity capabilities – often with the same level of oversight and attention applied to credit and liquidity risks in financial services and operational and physical security risks in critical infrastructure.
At the same time, companies are facing more stringent compliance requirements due to growing privacy concerns and high-profile breaches. There are now more than 100 cross-border data flow regulations. Cybersecurity teams must manage additional data and reporting requirements stemming from the White House’s executive order on improving the nation’s cybersecurity and the advent of mobile operating systems that ask users how they want data from each app to be used.
2. Develop defensive capabilities to prepare for emerging threats
For each of these changes, defensive capabilities can be developed by organizations to mitigate the risk and impact of future cyber threats. Clearly, these capabilities are not a perfect match for individual developments, and many of them apply to multiple developments. Leadership teams need to consider all of these capabilities and focus on those that are most relevant to their unique business situation and context.
2.1. Responses to trend one: Zero trust capabilities and large data sets for security purposes
Mitigating the cybersecurity risks associated with on-demand access to ubiquitous data requires four cybersecurity capabilities: zero trust capabilities, behavioral analysis, elastic log monitoring, and homomorphic encryption.
- Zero Trust Architecture (ZTA). In industrialized countries, approximately 25% of workers work remotely three to five days a week. Hybrid and remote work, increased access to the cloud, and the integration of the Internet of Things (IoT) create potential vulnerabilities. A ZTA shifts the focus of cyber defense from static perimeters around physical networks to users, assets and resources, mitigating the risk associated with decentralized data. Access is enforced more granularly through policies: even if users have access to the data environment, they may not have access to sensitive data. Organizations must tailor the adoption of zero trust capabilities to the threat and risk landscape they face and their business objectives. They should also consider implementing red-team testing to validate the effectiveness and coverage of their zero trust capabilities.
- Behavioral analysis. Employees are a major vulnerability for organizations. Analytics solutions can monitor attributes such as access requests or device health and establish a baseline to identify anomalous user behavior, intentional or not, or device activity. These tools can not only enable risk-based authentication and authorization, but also orchestrate incident prevention and response measures.
- Elastic log monitoring for large data sets. Massive data sets and decentralized logs resulting from advances such as big data and IoT complicate the challenge of monitoring activity. Elastic Log Monitoring is a solution based on several open-source platforms that, when combined, allow organizations to pull log data from anywhere in the organization to a single location, and then search, analyze and visualize the data in real time. Native log sampling capabilities in core tools can ease the burden of managing an organization’s logs and clarify potential tradeoffs.
- Homomorphic encryption. This technology allows users to work with encrypted data without having to decrypt it first, giving third parties and internal collaborators more secure access to large data sets. It also helps companies meet more stringent data privacy requirements. Recent advances in computing capacity and performance now make homomorphic encryption practical for a wider range of applications.
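As an added illustration of the homomorphic encryption capability described above (example code written for this page, not the article's or any vendor's implementation), the following minimal Paillier scheme lets an untrusted aggregator add encrypted values it can never read; the primes, the sample values and the function names are all constructed for the demo.

```python
# Added example (not from the article): a minimal Paillier cryptosystem.
# Paillier is additively homomorphic: whoever holds only ciphertexts can
# add the underlying plaintexts and scale them by a constant, and only the
# key holder can decrypt the result. The primes are small constructed demo
# values; real deployments use primes of at least 1024 bits each.
import secrets
from math import gcd

def keygen(p: int, q: int):
    """Return (public key, private key); generator g is fixed to n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)  # L(g^lam mod n^2) == lam when g = n + 1
    return (n, n * n), (lam, mu)

def encrypt(pub, m: int) -> int:
    n, n2 = pub
    while True:  # random blinding factor coprime to n
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    # (1 + n)^m == 1 + m*n (mod n^2), so g^m costs one multiplication
    return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(pub, priv, c: int) -> int:
    n, n2 = pub
    lam, mu = priv
    l_val = (pow(c, lam, n2) - 1) // n  # L(x) = (x - 1) / n
    return l_val * mu % n

def add_encrypted(pub, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 is an encryption of a + b."""
    return c1 * c2 % pub[1]

def scale_encrypted(pub, c: int, k: int) -> int:
    """E(a)^k mod n^2 is an encryption of k * a."""
    return pow(c, k, pub[1])

def encrypted_total(pub, ciphertexts):
    """What an untrusted aggregator runs: sums values it can never read."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total

if __name__ == "__main__":
    pub, priv = keygen(1000003, 1000033)  # constructed demo primes
    cts = [encrypt(pub, v) for v in (120, 455, 73)]  # data owner encrypts
    print(decrypt(pub, priv, encrypted_total(pub, cts)))  # 648
```

Because encryption is randomized, two encryptions of the same value differ, so the aggregator cannot even tell which customers submitted equal amounts.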
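To show how the zero trust and behavioral analysis items above fit together, here is an added example (written for this page, not taken from the article or any product) in which a per-user baseline built from constructed login history produces a risk score, and a zero-trust style policy turns that score plus the sensitivity of the requested resource into allow, step-up or deny; the history, weights and thresholds are all assumptions for the demo.

```python
# Added example (not from the article): a toy behavioral baseline feeding a
# zero-trust style access decision. The login history, weights and thresholds
# are constructed for the demo; a real deployment would build per-user
# baselines from identity-provider and endpoint logs.
from collections import Counter, defaultdict

# Constructed history: (user, login hour, country, device id)
HISTORY = [
    ("alice", 9, "US", "laptop-1"), ("alice", 10, "US", "laptop-1"),
    ("alice", 14, "US", "laptop-1"), ("alice", 11, "US", "laptop-1"),
    ("alice", 16, "US", "laptop-1"), ("alice", 8, "US", "laptop-1"),
    ("bob", 22, "DE", "phone-7"), ("bob", 23, "DE", "phone-7"),
    ("bob", 21, "DE", "laptop-3"), ("bob", 1, "DE", "phone-7"),
]

def build_baseline(events):
    """Per-user frequency tables for login hour, country and device."""
    base = defaultdict(lambda: {"hour": Counter(), "country": Counter(),
                                "device": Counter()})
    for user, hour, country, device in events:
        base[user]["hour"][hour] += 1
        base[user]["country"][country] += 1
        base[user]["device"][device] += 1
    return base

def risk_score(baseline, user, hour, country, device):
    """0..100: how unlike this user's own history the request looks."""
    b = baseline.get(user)
    if b is None:
        return 100  # no baseline at all: treat as maximally uncertain
    total = sum(b["country"].values())
    # share of past logins within +-2 hours of this one (wrapping midnight)
    near = sum(v for h, v in b["hour"].items()
               if min(abs(h - hour), 24 - abs(h - hour)) <= 2)
    score = 40 * (1 - near / total)
    score += 40 * (1 - b["country"][country] / total)
    score += 20 * (1 - b["device"][device] / total)
    return round(score)

def decide(baseline, user, hour, country, device, resource_sensitive):
    """Reaching the data environment is not enough: sensitive resources always
    require a fresh strong factor, and anomalous sessions are stepped up or
    denied whatever they ask for."""
    score = risk_score(baseline, user, hour, country, device)
    if score >= 70:
        return "deny", score
    if score >= 30 or resource_sensitive:
        return "step-up-mfa", score
    return "allow", score
```

The same decision function is the natural hook for the orchestration the text mentions: a "deny" or repeated "step-up-mfa" outcome can open an incident ticket or revoke the session token.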
2.2. Responses to trend two: Using automation to combat increasingly sophisticated cyberattacks
To counter more sophisticated attacks conducted by AI and other advanced capabilities, organizations should take a risk-based approach to automation and automated responses to attacks. Automation should focus on defensive capabilities such as security operations center (SOC) countermeasures and labor-intensive activities such as identity and access management (IAM) and reporting. AI and machine learning should be used to stay on top of evolving attack patterns. Finally, the development of automated technical and organizational responses to ransomware threats helps mitigate risk in the event of an attack.
- Automation implemented through a risk-based approach. As the level of digitization accelerates, organizations can use automation to manage low-risk and routine processes, freeing up resources for higher-value activities. It is critical that automation decisions are based on risk assessment and segmentation to ensure that additional vulnerabilities are not inadvertently created. For example, organizations can apply automated patches, configurations and software upgrades to low-risk assets, but use more direct monitoring for higher-risk assets.
- Using defensive AI and machine learning for cybersecurity. Just as attackers are adopting AI and machine learning techniques, cybersecurity teams will need to evolve and scale the same capabilities. Specifically, organizations can use these technologies and outlier models to detect and remediate non-compliant systems. Teams can also leverage machine learning to optimize workflows and technology stacks so that resources are used most effectively over time.
- Technical and organizational responses to ransomware. As the sophistication, frequency and scope of ransomware attacks increase, organizations must respond with technical and operational changes. Technical changes include the use of resilient data repositories and infrastructure, automated responses to malicious encryption and advanced multi-factor authentication to limit the potential impact of an attack, and ongoing cyber hygiene. Organizational changes include conducting tabletop exercises, developing detailed, multi-dimensional plans, and preparing for all options and contingencies, including management response decisions, to make the business response automatic.
2.3. Responses to trend three: Building security into technology capabilities to address increasing regulatory oversight and resource gaps
Increasing regulatory oversight and gaps in knowledge, talent, and expertise reinforce the need to build security into technology capabilities as they are designed, built, and implemented. In addition, capabilities such as security as code and software nomenclature help organizations deploy security capabilities and stay ahead of regulators’ demands.
- Secure software development. Rather than treating cybersecurity as an afterthought, companies should build it into software design from the start, including maintaining a software nomenclature (an inventory of the components a code base uses). One important way to create a secure software development life cycle (SSDLC) is to have security and technology risk teams engage with developers at every stage of development. Another way is to ensure that developers learn certain security capabilities that are better employed by the development teams themselves (for example, threat modeling, code and infrastructure analysis, and static and dynamic testing). Depending on the business, some security teams may move to agile product approaches, others may adopt a hybrid agile-kanban ticket-based approach, and still others – especially highly specialized groups, such as penetration testers and security architects – may “get to work” by aligning with agile sprints and ceremonies.
- Leverage “as a Service” solutions. Migrating workloads and infrastructure to third-party cloud environments (such as platform-as-a-service, infrastructure-as-a-service and hyperscale providers) can better secure organizational resources and simplify management for cyber teams. Cloud providers not only handle many of the routine security, remediation and maintenance activities, but also offer automation capabilities and scalable services. Some organizations seek to consolidate vendors for simplicity, but it can also be important to strategically diversify partners to limit exposure to performance or availability issues.
- Infrastructure and Security “as Code”. Standardizing and codifying infrastructure and control engineering processes can simplify the management of hybrid and multi-cloud environments and increase system resiliency. This approach enables processes such as orchestrated patching and rapid provisioning and deprovisioning.
- Software Nomenclature. As compliance requirements increase, organizations can mitigate the administrative burden by formally detailing all components and supply chain relationships used in software. Similar to a detailed bill of materials, this documentation would list open-source and third-party components in a code base through new software development processes, code scanning tools, industry standards and supply chain requirements. In addition to mitigating supply chain risks, detailed software documentation ensures that security teams are prepared for regulatory investigations.
Digital disruption is inevitable and will result in rapid technological change. Organizations making large-scale investments in technology, whether out of innovation or necessity, must be aware of the cyber risks associated with it. Attackers exploit the vulnerabilities that new technologies introduce, and even the best cyber controls quickly become obsolete in this accelerating digital world. Organizations looking to position themselves as effectively as possible over the next five years will need to take a relentlessly proactive approach to building long-term defensive capabilities.