It’s time to step back, reflect on the last year, and make New Year’s resolutions. We’ve taken a moment to make cybersecurity predictions for Europe, the Middle East and Africa (EMEA) in 2021, and to consider the upcoming challenges and opportunities.
- The consumer hop: With so many working from home, the weak point becomes what else could act as a bridge to the secured business device. Many homes now have between 20 and 50 things connecting to home Wi-Fi hubs, with an increase in smart home devices, including doorbells, TVs and digital assistants, as well as a plethora of family phones, tablets, wearables and computers. Our recent IoT security research report found more non-business devices are coming onto networks, with everything from connected teddy bears to medical devices and electric vehicles now needing to be secured alongside business IoT. We’ve also seen security policies being relaxed with the need to allow staff to use their devices at home, for example, enabling USB ports to allow home screens and printers, or other requirements. All of this means the end device and those things around it become bigger risks of access into a business’s critical systems and information.
- Investment fraud increases: Be it small business or consumers, so many are finding times incredibly tough financially during the COVID-19 crisis. Cybercriminals sadly prey on such circumstances, and in times of desperate need, people are more susceptible to click on scams in the hope of making good on the offer of loans, payment holidays and other financial opportunities that we would, in hindsight, recognise as too good to be true. So much of cybercrime succeeds through psychology; where there’s an emotional need, cybercriminals will exploit it.
- Criminals target new or modified touchless processes: As we’re looking to reduce our risk of infection in every aspect of life, we’re seeing increases in contactless payment limits, but also other methods, such as QR codes, being used to reduce points of touch. Our Unit 42 threat intelligence team has uncovered examples of QR codes being exploited, and we’ve seen increasing discussions and tutorials on how to abuse QR codes in underground forums. We should expect to see criminals continue to focus on immature contactless processes or changes to mature trusted ones where criminals can either intercept financial transactions or compromise systems to gain identity or other personal information.
- Employee fatigue: Working from home means many of us are now living online for between 10 and 12 hours a day, getting very little respite with no gaps between meetings and no longer having a commute. We’ll see more human errors causing cybersecurity issues purely driven by employee fatigue or complacency. This means businesses need to think about IT security education programmes at a whole new level. This includes ensuring people step away and take a break, with training to recognise signs of fatigue. When you make a cybersecurity mistake at the office, it’s easy to go down and speak to a friendly member of your IT security team. This is so much harder to do at home now without direct access to your usual go-to person, and it requires far more confidence to confess. Businesses need to take this human error factor into consideration and ensure consistent edge security no matter what the connection. You can no longer just assume that, because core business apps are routing back through the corporate VPN, all is as it should be.
- 5G and edge computing could catch some napping: With the debates on which hardware can be used where, and of course, all the other challenges we have faced in 2020, 5G, edge computing and, to some degree, IoT have not necessarily been at the forefront of business leaders’ minds. Yet in the background, huge investments are being made for 5G’s deployment, and due to the delays, when it happens, expect the ramp-up to be faster. 2021 will be the year we see cybercriminals really probe these spaces to see the art of the possible, as by 2022, more than a third of operators will have 5G networks in place in Europe, according to survey data from Enea. What's more, with the changing working environment, expect to see private 5G networks springing up to enable collaboration spots for staff in redesigned office working spaces.
- Rush to the cloud; security playing catch up: Most companies in Europe had plans to move key business processes to the cloud over the next few years, but with the onset of the pandemic, this became the next few months. Rather than taking the time to recodify processes, companies added an intermediary lift-and-shift step: the quick move. While the process may still be the same, the environment and security change. Businesses, in 2021, are already planning stage two: recodifying to gain the real advantages of agility from the cloud, while security teams are still fixing the issues from the intermediary shift. This continuing migration at pace will lead to security gaps, and we’re likely to see more cloud security incidents until the shifts are completed and stability resumes, at least for a while.
- eCrime takes advantage of GDPR compliance challenges in the cloud: It took most companies years to get their PII ready for GDPR when it came into force in 2018. With the urgent shift to cloud and collaboration tools driven by the lockdown this year, GDPR compliance was challenged. As businesses try to regain control of personally identifiable information (PII) in the cloud, expect cybercriminals to be looking to take advantage. We know from our Unit 42 research that cloud security is often not as strong as it should be, again the result of often-accelerated shifts. In a recent Red Team exercise, one simple IAM misconfiguration allowed our researchers to compromise an entire cloud environment and bypass nearly every security control.
- Privacy goes ever more local: We are seeing more of a focus than ever in Europe on privacy. Just one example of how significant this has become is a major smartphone company running TV adverts in the region highlighting its data protection capabilities. It's not an upsell; this is simply becoming a core requirement. At the same time, we have the EU looking to build EU clouds, such as the Gaia-X project, that align to the broader EU cloud strategy. All of this highlights how high privacy is on the EU agenda. This will potentially make digital transformation strategies more complex in the longer term, as either the trends focused on regionalising data continue or, more likely, there will be stronger separation between actual PII data and the metadata behind it. In an ever more globally connected world, privacy is driving many people to view data as a more local commodity.
- SOC teams struggle with a new working environment and increased workloads: As many businesses look to reduce costs, one natural solution is to accelerate the digitisation of processes. This means ever more cybersecurity telemetry coming back to the security operations centre (SOC). Add to this the shift we’ve already seen in telemetry as employees work remotely and an increase from more new collaboration tools and cloud processes. Many SOC teams had also been used to using multiple screens for big data analytics, and regular team huddles to discuss complex issues; so the shift to work from home, often with one screen, has been tough for some. The teams keeping up will be the ones taking a data-driven ML/AI-based platform approach, helping them to be proactive against attackers trying to out-innovate them.
- Cybercriminals love current affairs: Cybercriminals will always flock to exploit the latest global trend or news item. We’ve seen this throughout 2020 around the pandemic with widespread use of virus-related themes, such as COVID-19-themed business email compromise campaigns, and on average 1,767 high-risk or malicious COVID-19-themed domain names being created every day. With the Brexit transition period having ended Dec. 31, there is a flurry of news as well as a desire for information on how it impacts both our personal and business lives. In 2021, we have to expect to see scams, misinformation, and attacks leveraging what is such a significant change not just for UK residents but many across the EU too. We might see fake websites springing up around the forms that businesses will need to complete to hire employees from the EU, for example. Brexit will also mean that so many business processes will have to change (e.g., applying for more export licences). There will be a big rush to do this, and we’re likely to see mistakes along the way, which could open up unnecessary risks and further opportunities for cybercriminals.