2021 Cybersecurity Threats & Predictions

To Receive CPE Credit› Individuals

• Participate in entire webinar• Answer polls when they are provided

› Groups• Group leader is the person who registered & logged on to the webinar• Answer polls when they are provided• Complete group attendance form • Group leader sign bottom of form• Submit group attendance form to within 24 hours of webinar

› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar. Due to the large volume of certificates of completion issued, requests to reissue lost or misplaced certificates will be honored up to 60 days following the webinar

Presenter

Cerone F. “Cy” Sturdivant, CISA®Director | BKD Cybercsturdivant@bkd.com615.988.3596

Agenda Update on cybersecurity trends & statistics

Discuss current cybersecurity threats & concerns

Discuss the impacts & lessons learned from COVID-19

Discuss key industry best practices

Discuss predictions for 2021 & beyond

Questions

2020 Was Brutal for Most IT/Cyber Professionals

Cybersecurity Trends & Statistics

2020 Was Unprecedented

2020 at a Glance

FBI’s IC3 Five-Year Statistics

$13.3 Billion TOTAL LOSSES

Source: Ponemon Institute 2020 Cost of Data Breach Study

Globally, average total cost of a data breach

$3.86 million

Mean time to identify a breach

207 days

Mean time to contain73 days

Companies with an incident response team & extensive testing of their response planssaved more than $2 million compared to those who did not

Breach Detection & ExpenseYou Can’t Afford to Ignore Cybersecurity – Especially Now!

Average cost per lost or stolen record

is $146

In the U.S., average total cost of a data

breach is $8.56 million

Breakdown by Industry

Source: 2020 Cost of a Data Breach Report

Ransomware Realities

Cybersecurity Threats & Concerns

We Fear What We Do Not Understand

Cyberthreats

› The biggest threats to your assets are actually the same threats that we were worried about last year, five years ago, & in many cases, even a decade ago

› Only a handful of attacks truly use sophisticated “Mission Impossible” techniques

› When a criminal is trying to hack an organization, they won't reinvent the wheel unless absolutely needed

› Cybercriminals tend to seek the highest returns … in the shortest time … with the least risk

› Cybercriminal organizations are successful because they know who to attack, they have the technical resources to create new & increasingly more capable attack methods, & they often are highly collaborative in nature

Cybersecurity Threats Are Now Magnified› Social engineering attacks – phishing› Malware/destructive malware

• Ransomware • Remote access• Keyloggers

› Business email compromise› Corporate account takeovers› Supply chain – *SolarWinds*

Root causes of cyberattacks: Inadequate training, ineffective patch management, weak privileged access controls, & unmonitored detection systems

› Microsoft Exchange server vulnerabilities

› SolarWinds Orion/Sunburst

› Mimecast

› Malwarebytes

› SonicWall

› FireEye

New Cybersecurity Threats/Events so Far in Past Six Months

› Global domain registrations correlated with pandemic growth

1. Phishing2. Malspam3. Ransomware& many more!

Phishing Threats!

Fake Emails/Sites

› They will look very legitimate & clone beneficial organizations

› Goal is to install software or collect personal information

› In several cases, they will want donations &/or payment information

Source: Trendmicro https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains

The Ultimate Gateway – Email

C-level executives are 12 times more likely to be the target of social engineering attacks

85% to 90% of all breaches & incidents relate to human error. Most are the result of phishing campaigns!

Single Biggest Risk – UsersImportance of Awareness Training

COVID-19 Impacts & Lessons Learned

We Did Not See This Coming!

Current Top Impacts› Support of remote workers has increased IT workloads by 37% due to VPN &

videoconferencing issues, bandwidth constraints, password reset requests, & various messaging issues

› In addition, according to one recent survey, 35% of employers are grappling with remote work-driven changes in employee productivity

› Another study cites the three biggest struggles of remote work as insufficient collaboration & communication, loneliness, & inability to fully unplug after work

› Some employees also worry about the negative impact remote work could have on career advancement due to a lack of mentorship & reduced interpersonal networking opportunities

Early/Ongoing Impacts› Lag in converting to a remote workforce due to a lack of hardware, e.g.,

laptops, monitors, phones, etc.› Difficulty configuring new devices (or repurposed devices) in such a short time

frame › VPN capacity & MFA licensing issues, e.g., bottlenecks & availability › Absenteeism/distractions due to extended remote period with family

members› Increased demand on IT/IS with wide range of hours (internal & MSP)› Struggles with onboarding new personnel &/or furloughing employees› Increased focus on customers depending on your services

Top Lessons Learned› The need to understand the full maturity needs for operating remotely, e.g.,

hardware, deployment, hardening, communications, security, employees, etc. › Mobile devices & cloud technology are now a must have, e.g., O365/Azure/Teams,

AWS, Google, BYOD, etc.› The need to enable secure remote access software, e.g., Citrix, Virtual Box, VMWare,

etc.› The need for cloud-based security platforms operating outside the network› Enabling scalable VPN/MFA solutions with license retainer is a must› Training needs of extended remote workforce for appropriate use of VPN, virtual

software, softphones, etc. Note: More focus on cross-training› Creating a culture of mobility & remote expectations› Communication is paramount – from who, simplicity, timing, etc.

Top Lessons Learned

Our existing pandemic plan & business continuity plan efforts were not designed to handle this event!

Did you document or test how they fell short?

Industry Best Practices

› Develop & maintain a strong information security program› Develop & maintain a strong incident response program› Ensure business continuity/DR & vendor management policies &

procedures address cybersecurity › Consider how cybersecurity insurance should fit into your risk

management program › Ensure cybersecurity awareness training is performed regularly (educate &

motivate)› Join an information sharing & analysis center (ISAC) or other information

sharing forums – filter reports based on each employees’ role› Perform frequent cyber risk assessments, penetration tests, vulnerability

assessments, & IT control audits

Key Considerations: Focus on Governance Controls

Key Considerations: Focus on Technical Controls

› Use multifactor or two-factor for O365, VPN, remote sessions, & privileged access

› Track, report, independently test, & update security patches based on a risk priority schedule (Microsoft & non-Microsoft patches)

› Maintain accurate asset inventories for hardware & software, including data classification

› Enforce application whitelisting controls & remove unauthorized applications

› Remove local administrator rights to reduce malicious software installs› Tune existing security tools: web content, email filtering, end point, etc. › Deploy cloud-based security software & end-point protection (Sophos,

Web Root, etc.)

Key Considerations – Technical Controls

› Implement strong cloud-based data loss prevention controls› Use security information & event management (SIEM) tools with

“defense in depth” approach› Change your passwords more frequently during this time› Ensure data encryption is enforced to protect confidential data› Segment internal networks to isolate critical systems › Be aware of insider threat – layoffs, disgruntled, etc. Think zero trust!› Consider installing secure home Wi-Fi routers for key personnel› Consider posture checking on corporate devices prior to joining

VPN/network

Predictions for 2021 &

Beyond

Predictions for 2021 & Beyond› More attacks will occur on home computers & networks due to the move to work

from home (WFH) fueled by COVID-19, with bad actors taking advantage of unpatched systems & architecture weaknesses & IOT devices

› The rush to “cloud everything” will cause many security holes, challenges, misconfigurations, & outages

› More growth in the security industry. The number of new products & new mergers/ acquisitions will cause network complexity issues & integration problems & overwhelm cyber teams

› Privacy will be a mess, with user riots, new laws, confusion, & self-regulation failing› Identity access management & multifactor authentication (MFA) will take center stage

as passwords (finally) start to go away in a tipping-point year

Predictions › Tons of high-profile Internet of Things (IoT) hacks, some which will make headline

news› Ransomware will get worse & worse—with new twists, data stealing prior to

encryption, malware packaging with other threats, & very specific targeting of organizations

› A lot of 5G vulnerabilities will become headline news as the technology grows› Mobile devices, including smartphones, will be attacked in new ways, including app

stores› Cryptocurrencies will play new roles, with criminals switching often for hiding

advantages› As digital transformation projects grow, many plans will implode as security challenges

mount

Final Thoughts& Conclusion

A strong cybersecurity culture & overall program is a must going forward!

Are you taking care of your “cybersecurity health”?

Cybersecurity Nutrition

Quote to Remember!

What Cybercriminals See, if You Fail!

A research collaboration with Cisco and the National Center for the Middle Market

Resources › Infosec Institute – https://resources.infosecinstitute.com/› Info Risk Today – https://www.inforisktoday.com/› Security Week – https://www.securityweek.com/› Dark Reading – https://www.darkreading.com/› The Top Cyber Threat Intelligence Feeds –

https://thecyberthreat.com/cyber-threat-intelligence-feeds/

Questions?

Continuing Professional Education (CPE) Credits

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars

CPE Credit› CPE credit may be awarded upon verification of participant

attendance› For questions, concerns, or comments regarding CPE credit, please

email the BKD Learning & Development Department at training@bkd.com

Cerone F. “Cy” Sturdivant615.988.3596csturdivant@bkd.com

Thank You!