2021 Cybersecurity Threats & Predictions
Transcript of 2021 Cybersecurity Threats & Predictions
To Receive CPE Credit
› Individuals
• Participate in entire webinar
• Answer polls when they are provided
› Groups
• Group leader is the person who registered & logged on to the webinar
• Answer polls when they are provided
• Complete group attendance form
• Group leader sign bottom of form
• Submit group attendance form to within 24 hours of webinar
› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of webinar. Due to the large volume of certificates of completion issued, requests to reissue lost or misplaced certificates will be honored up to 60 days following the webinar
Presenter
Cerone F. “Cy” Sturdivant, CISA® | Director | BKD | [email protected]
Agenda
› Update on cybersecurity trends & statistics
› Discuss current cybersecurity threats & concerns
› Discuss the impacts & lessons learned from COVID-19
› Discuss key industry best practices
› Discuss predictions for 2021 & beyond
› Questions
2020 Was Brutal for Most IT/Cyber Professionals
Cybersecurity Trends & Statistics
2020 Was Unprecedented
2020 at a Glance
FBI’s IC3 Five-Year Statistics: $13.3 billion total losses
Source: Ponemon Institute 2020 Cost of Data Breach Study
› Globally, average total cost of a data breach: $3.86 million
› Mean time to identify a breach: 207 days
› Mean time to contain: 73 days
› Companies with an incident response team & extensive testing of their response plans saved more than $2 million compared to those who did not
Breach Detection & Expense
You Can’t Afford to Ignore Cybersecurity – Especially Now!
› Average cost per lost or stolen record is $146
› In the U.S., average total cost of a data breach is $8.56 million
Breakdown by Industry
Source: 2020 Cost of a Data Breach Report
Ransomware Realities
Cybersecurity Threats & Concerns
We Fear What We Do Not Understand
Cyberthreats
› The biggest threats to your assets are actually the same threats that we were worried about last year, five years ago, & in many cases, even a decade ago
› Only a handful of attacks truly use sophisticated “Mission Impossible” techniques
› When a criminal is trying to hack an organization, they won't reinvent the wheel unless absolutely needed
› Cybercriminals tend to seek the highest returns … in the shortest time … with the least risk
› Cybercriminal organizations are successful because they know who to attack, they have the technical resources to create new & increasingly more capable attack methods, & they often are highly collaborative in nature
Cybersecurity Threats Are Now Magnified
› Social engineering attacks – phishing
› Malware/destructive malware
• Ransomware
• Remote access
• Keyloggers
› Business email compromise
› Corporate account takeovers
› Supply chain – SolarWinds
Root causes of cyberattacks: Inadequate training, ineffective patch management, weak privileged access controls, & unmonitored detection systems
New Cybersecurity Threats/Events so Far in Past Six Months
› Microsoft Exchange server vulnerabilities
› SolarWinds Orion/Sunburst
› Mimecast
› Malwarebytes
› SonicWall
› FireEye
› Global domain registrations correlated with pandemic growth
1. Phishing
2. Malspam
3. Ransomware
& many more!
Phishing Threats!
Fake Emails/Sites
› They will look very legitimate & clone beneficial organizations
› Goal is to install software or collect personal information
› In several cases, they will want donations &/or payment information
Source: Trendmicro https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains
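The pandemic-themed lookalike domains the slide describes (a trusted organisation's name plus a lure word, or a homoglyph-swapped brand) can be triaged mechanically from a newly-registered-domain feed. The script below is an added example, not code from the webinar or from BKD: the protected brand labels, lure keywords, SLA-free thresholds and the sample feed are all constructed assumptions, and it uses a simple edit distance rather than a full typosquat engine.

```python
"""Flag lookalike / lure domains in a newly-registered-domain feed.

Added example (not from the webinar). The protected labels, lure keywords,
homoglyph table and SAMPLE_FEED are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: second-level labels of organisations a phishing kit might clone.
PROTECTED_LABELS = {"redcross", "who", "cdc", "irs", "bkd"}

# Constructed: lure words seen in pandemic-themed registrations.
LURE_KEYWORDS = ("covid", "corona", "vaccine", "stimulus", "relief", "donate")

# Common typosquat substitutions, mapped back to the letter(s) they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

# Constructed feed: one legitimate domain, one unrelated domain, four lures.
SAMPLE_FEED = [
    "who.int",
    "who-covid-relief.org",
    "redcr0ss.com",
    "irs-stimulus-check.com",
    "example.com",
    "redcrossdonate.com",
]


@dataclass
class Finding:
    domain: str
    reason: str


def registrable_label(domain: str) -> str:
    """Label left of the public suffix: 'who-covid-relief' for 'who-covid-relief.org'.
    Assumes a single-label suffix; a production tool would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Drop separators and undo homoglyph swaps so 'red-cr0ss' becomes 'redcross'."""
    out = label.replace("-", "").replace("_", "")
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str) -> Optional[Finding]:
    """Return a Finding for a suspicious domain, or None if it looks benign."""
    label = registrable_label(domain)
    norm = normalize(label)
    if norm in PROTECTED_LABELS:
        # Exact brand label is the genuine site; anything that only matches after
        # normalisation is a separator or homoglyph variant.
        if norm != label:
            return Finding(domain, f"homoglyph/typosquat of '{norm}'")
        return None
    for brand in PROTECTED_LABELS:
        if brand in norm and any(k in norm for k in LURE_KEYWORDS):
            return Finding(domain, f"brand '{brand}' combined with lure keyword")
    for brand in PROTECTED_LABELS:
        limit = 1 if len(brand) <= 4 else 2  # short brands get a tighter threshold
        if edit_distance(norm, brand) <= limit:
            return Finding(domain, f"within {limit} edit(s) of '{brand}'")
    return None


def scan(feed: List[str]) -> List[Finding]:
    """Run classify() over a feed and keep only the hits."""
    return [f for f in (classify(d) for d in feed) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_FEED):
        print(f"{finding.domain:28} {finding.reason}")
```

The brand-plus-keyword rule catches the "clone a beneficial organisation and ask for donations" pattern directly; the edit-distance rule catches plain typosquats. Both produce false positives on short brand labels, so in practice the hits feed a blocklist review rather than an automatic block.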
The Ultimate Gateway – Email
C-level executives are 12 times more likely to be the target of social engineering attacks
85% to 90% of all breaches & incidents relate to human error. Most are the result of phishing campaigns!
Single Biggest Risk – Users
Importance of Awareness Training
COVID-19 Impacts & Lessons Learned
We Did Not See This Coming!
Current Top Impacts
› Support of remote workers has increased IT workloads by 37% due to VPN & videoconferencing issues, bandwidth constraints, password reset requests, & various messaging issues
› In addition, according to one recent survey, 35% of employers are grappling with remote work-driven changes in employee productivity
› Another study cites the three biggest struggles of remote work as insufficient collaboration & communication, loneliness, & inability to fully unplug after work
› Some employees also worry about the negative impact remote work could have on career advancement due to a lack of mentorship & reduced interpersonal networking opportunities
Early/Ongoing Impacts
› Lag in converting to a remote workforce due to a lack of hardware, e.g., laptops, monitors, phones, etc.
› Difficulty configuring new devices (or repurposed devices) in such a short time frame
› VPN capacity & MFA licensing issues, e.g., bottlenecks & availability
› Absenteeism/distractions due to extended remote period with family members
› Increased demand on IT/IS with wide range of hours (internal & MSP)
› Struggles with onboarding new personnel &/or furloughing employees
› Increased focus on customers depending on your services
Top Lessons Learned
› The need to understand the full maturity needs for operating remotely, e.g., hardware, deployment, hardening, communications, security, employees, etc.
› Mobile devices & cloud technology are now a must have, e.g., O365/Azure/Teams, AWS, Google, BYOD, etc.
› The need to enable secure remote access software, e.g., Citrix, VirtualBox, VMware, etc.
› The need for cloud-based security platforms operating outside the network
› Enabling scalable VPN/MFA solutions with license retainer is a must
› Training needs of extended remote workforce for appropriate use of VPN, virtual software, softphones, etc. Note: More focus on cross-training
› Creating a culture of mobility & remote expectations
› Communication is paramount – from who, simplicity, timing, etc.
Top Lessons Learned
Our existing pandemic plan & business continuity plan efforts were not designed to handle this event!
Did you document or test how they fell short?
Industry Best Practices
› Develop & maintain a strong information security program
› Develop & maintain a strong incident response program
› Ensure business continuity/DR & vendor management policies & procedures address cybersecurity
› Consider how cybersecurity insurance should fit into your risk management program
› Ensure cybersecurity awareness training is performed regularly (educate & motivate)
› Join an information sharing & analysis center (ISAC) or other information sharing forums – filter reports based on each employee’s role
› Perform frequent cyber risk assessments, penetration tests, vulnerability assessments, & IT control audits
Key Considerations: Focus on Governance Controls
Key Considerations: Focus on Technical Controls
› Use multifactor or two-factor authentication for O365, VPN, remote sessions, & privileged access
› Track, report, independently test, & update security patches based on a risk priority schedule (Microsoft & non-Microsoft patches)
› Maintain accurate asset inventories for hardware & software, including data classification
› Enforce application whitelisting controls & remove unauthorized applications
› Remove local administrator rights to reduce malicious software installs
› Tune existing security tools: web content, email filtering, end point, etc.
› Deploy cloud-based security software & end-point protection (Sophos, Webroot, etc.)
Key Considerations – Technical Controls
› Implement strong cloud-based data loss prevention controls
› Use security information & event management (SIEM) tools with a “defense in depth” approach
› Change your passwords more frequently during this time
› Ensure data encryption is enforced to protect confidential data
› Segment internal networks to isolate critical systems
› Be aware of insider threat – layoffs, disgruntled, etc. Think zero trust!
› Consider installing secure home Wi-Fi routers for key personnel
› Consider posture checking on corporate devices prior to joining VPN/network
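The technical-controls slides ask for patches to be tracked and reported against a risk-priority schedule, for Microsoft and non-Microsoft products alike, and for an asset inventory carrying data classification. Those two controls combine naturally: the deadline for a missing patch depends on its severity and on what the host is exposed to and stores. The following is an added example, not BKD's tooling or anything shown in the webinar; the SLA table, the inventory, the patch identifiers and the "halve the window for internet-facing or confidential hosts" policy are constructed assumptions that a real deployment would replace with its own CMDB and scanner data.

```python
"""Risk-prioritised patch tracking: report missing patches past their deadline.

Added example (not from the webinar). SLA_DAYS, INVENTORY and PATCHES are
constructed; patch identifiers are placeholders, not real vendor IDs.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed policy: days allowed to deploy after release, by severity.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool
    data_class: str  # "confidential", "internal", "public" or "unknown"


@dataclass(frozen=True)
class MissingPatch:
    hostname: str
    patch_id: str
    vendor: str    # reported separately for Microsoft vs non-Microsoft
    severity: str  # key of SLA_DAYS
    released: date


# Constructed inventory and scanner output.
INVENTORY: Dict[str, Asset] = {
    "web01": Asset("web01", internet_facing=True, data_class="internal"),
    "fs01": Asset("fs01", internet_facing=False, data_class="confidential"),
    "ws042": Asset("ws042", internet_facing=False, data_class="internal"),
}
TODAY = date(2021, 3, 15)
PATCHES: List[MissingPatch] = [
    MissingPatch("web01", "ms-cu-2021-03", "Microsoft", "critical", date(2021, 3, 9)),
    MissingPatch("ws042", "ms-cu-2021-03", "Microsoft", "critical", date(2021, 3, 9)),
    MissingPatch("fs01", "vendor-a-2021-02", "VendorA", "high", date(2021, 2, 9)),
    MissingPatch("ws042", "browser-2021-03", "VendorB", "medium", date(2021, 3, 2)),
    MissingPatch("unknownhost", "ms-cu-2021-02", "Microsoft", "high", date(2021, 2, 9)),
]


def deadline(patch: MissingPatch, asset: Asset) -> date:
    """Release date plus the severity SLA; the window is halved when the host is
    internet-facing or holds confidential data (constructed policy)."""
    days = SLA_DAYS[patch.severity.lower()]
    if asset.internet_facing or asset.data_class == "confidential":
        days = max(1, days // 2)
    return patch.released + timedelta(days=days)


def overdue(patches: List[MissingPatch], inventory: Dict[str, Asset],
            today: date) -> List[Tuple[MissingPatch, int]]:
    """Patches whose deadline has passed, paired with days overdue, worst first.
    A host missing from the inventory is an inventory gap in its own right, so it
    is treated as internet-facing rather than silently skipped."""
    result: List[Tuple[MissingPatch, int]] = []
    for p in patches:
        asset = inventory.get(p.hostname) or Asset(p.hostname, True, "unknown")
        due = deadline(p, asset)
        if today > due:
            result.append((p, (today - due).days))
    result.sort(key=lambda item: item[1], reverse=True)
    return result


def report_by_vendor(items: List[Tuple[MissingPatch, int]]) -> Dict[str, int]:
    """Count overdue patches in the two buckets the slide calls out."""
    counts: Dict[str, int] = {}
    for p, _ in items:
        bucket = "Microsoft" if p.vendor == "Microsoft" else "non-Microsoft"
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    late = overdue(PATCHES, INVENTORY, TODAY)
    for p, days in late:
        print(f"{p.hostname:12} {p.patch_id:18} {p.severity:9} {days:3d} days overdue")
    print(report_by_vendor(late))
```

On the constructed data the critical patch on the internet-facing web01 is already late after three days, while the same patch on the internal workstation still has a day left: the point of the risk-priority schedule is that identical patches get different deadlines. The unknown host shows up in the report too, which is the asset-inventory control doing its job.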
Predictions for 2021 & Beyond
Predictions for 2021 & Beyond
› More attacks will occur on home computers & networks due to the move to work from home (WFH) fueled by COVID-19, with bad actors taking advantage of unpatched systems & architecture weaknesses & IoT devices
› The rush to “cloud everything” will cause many security holes, challenges, misconfigurations, & outages
› More growth in the security industry. The number of new products & new mergers/acquisitions will cause network complexity issues & integration problems & overwhelm cyber teams
› Privacy will be a mess, with user riots, new laws, confusion, & self-regulation failing
› Identity access management & multifactor authentication (MFA) will take center stage as passwords (finally) start to go away in a tipping-point year
Predictions
› Tons of high-profile Internet of Things (IoT) hacks, some of which will make headline news
› Ransomware will get worse & worse—with new twists, data stealing prior to encryption, malware packaging with other threats, & very specific targeting of organizations
› A lot of 5G vulnerabilities will become headline news as the technology grows
› Mobile devices, including smartphones, will be attacked in new ways, including app stores
› Cryptocurrencies will play new roles, with criminals switching often for hiding advantages
› As digital transformation projects grow, many plans will implode as security challenges mount
Final Thoughts & Conclusion
A strong cybersecurity culture & overall program is a must going forward!
Are you taking care of your “cybersecurity health”?
Cybersecurity Nutrition
Quote to Remember!
What Cybercriminals See, if You Fail!
A research collaboration with Cisco and the National Center for the Middle Market
Resources
› Infosec Institute – https://resources.infosecinstitute.com/
› Info Risk Today – https://www.inforisktoday.com/
› Security Week – https://www.securityweek.com/
› Dark Reading – https://www.darkreading.com/
› The Top Cyber Threat Intelligence Feeds – https://thecyberthreat.com/cyber-threat-intelligence-feeds/
Questions?
Continuing Professional Education (CPE) Credits
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org
The information in BKD webinars is presented by BKD professionals, but applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor before acting on any matters covered in these webinars
CPE Credit
› CPE credit may be awarded upon verification of participant attendance
› For questions, concerns, or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]
Cerone F. “Cy” Sturdivant | [email protected]
Thank You!