Various events over recent years have ensured that the cybersecurity landscape continues to evolve rapidly, and organizations seem to be constantly scrambling to keep up. These range from the rise in data protection legislation around the world, precipitated by the implementation of the General Data Protection Regulation (GDPR) in 2018, to, most recently, the COVID-19 pandemic and the resultant shift to remote working.
Infosecurity recently caught up with Kunal Anand, chief technology officer at security company Imperva, to discuss how the cybersecurity picture and threat landscape are likely to evolve throughout the rest of 2020 and beyond.
Misinformation and Bot Activity
Misinformation and fake news have been well discussed in recent years, but Anand is seeing a particularly large spike this year, precipitated by the health, economic and social uncertainty posed by COVID-19. That uncertainty, together with the US presidential election towards the end of the year, is only going to exacerbate the trend, and everyone needs to be on their guard. He commented: “There’s a lot of spam and bot activity that we’re seeing, specifically around scraping – and bots as a service is something we will see proliferating throughout 2020.”
This kind of activity is heavily linked to nefarious nation-state activity. For instance, recently the NCSC revealed that the threat group APT29, which has links to Russian intelligence agencies, has been actively targeting UK, US and Canadian vaccine research and development organizations. There has also been an Intelligence and Security Committee (ISC) report on how Russia is attempting to influence election results in the UK through malicious cyber-activity. Again, this is a trend Anand expects to continue as we enter the US election cycle.
Full Cybersecurity Impact of COVID
On a more micro level, the virtually overnight shift to remote working many businesses have had to undertake as a result of COVID-19 lockdown restrictions has made them far more vulnerable to cyber-attacks. Anand believes we have yet to see the full impact of this phenomenon. He added: “I am bracing for many stories to drop with respect to breaches or bad management of data or vulnerabilities that should have been fixed but didn’t get remediated correctly. I wouldn’t be surprised if we see a wave of those things happen, not necessarily in a month, maybe even a quarter of a year from now.”
In the midst of an uncertain economic climate, a primary focus on survival by many businesses means it is harder than ever for cybersecurity best practices to be properly followed. Anand explained: “Security teams are pretty strained given everything that’s going on right now. While they may be aware of acute threats like DDoS or worried about a certain class of attack, they’re probably not thinking about the whole picture. Also, not every organization does things that seem so simple like threat modelling.”
More Optimistic Picture
Nevertheless, there is room for optimism in the way Anand expects companies to approach cybersecurity going forward. The difficult financial climate, for example, is forcing organizations to demand better value for money from security vendors. This includes ensuring products are implemented quickly, as well as demanding that software from one vendor is able to work effectively with products from others.
“We’re seeing companies getting smarter about how they buy and how they leverage all their capabilities together, leading to an overall improvement in cybersecurity,” he said.
Anand also believes the shift to home working will ultimately lead to more organizations adopting a zero-trust model of cybersecurity, something experts have been calling for over many years. This, he believes, will be driven by organizations’ shift to the cloud over recent years, as well as the growing value of data, both of which have been accelerated by the COVID-19 pandemic.
Anand explained: “Given everything we’ve seen with remote work, around how VPNs can be breached and the inadequacies of a centralized model, zero-trust is something that tries to take a more decentralized approach to managing what a user or passenger should be able to do throughout the entire ecosystem. We’re going to see a lot more of that over the next few years.”
For a zero-trust model to be truly effective, though, the general workforce needs to be far better versed in secure practices. The basic approach organizations often use to train their staff in such practices, through presentations and videos, is wholly inadequate. Instead, Anand thinks cybersecurity training should be a far more interactive affair. This includes ‘war-game’ type scenarios, where a major incident is simulated to hone teams’ skills in reacting to situations such as data breaches.
He added: “I think a good way to get people more involved would be to do things like those table-top exercises – to think through what would happen as a company if your product got breached or to go to development teams and to force them to think through from a threat modelling perspective how the various systems could be broken or how those various systems could be compromised.”
There is no doubt the events that have already taken place in 2020 are dramatically changing the cybersecurity landscape. There are new opportunities for nefarious nation-state actors to influence countries’ internal affairs, as well as for cyber-criminals to target organizations distracted by the COVID-19 pandemic. Yet there is room for optimism, with a strong reaction to these kinds of developments needed from government agencies and businesses to protect people and systems.