2020 will go down as recent history’s most notorious year for many reasons - and cybersecurity is no exception. Over the past 12 months, we witnessed countless cyber-attacks including fraud, data breaches, espionage, nation state attacks, insider threats and many more as hackers looked to exploit the vulnerable and desperate state the world found itself in. While some incidents were more common than others, I observed five key themes that stood out to me from last year and I’ll evaluate them to see how we, as a collective, can better prepare ourselves in 2021.
Social Engineering and Fake News
At the height of the pandemic, hackers were exploiting confusion and uncertainty to their advantage, pushing out phishing and scams, to the point where there was a 6000% increase in pandemic-related phishing attacks. With confusion and fear consuming the masses, many didn’t know what information to believe and what information provided crucial pandemic advice and this played into the hands of cyber-criminals who preyed on this anxiety, leading to the noticeable spread of fake news and disinformation. The fake news campaigns largely dominated social media platforms - which at the time were unregulated - to misinform the public about the possible vaccine and its effects. However, the focus of these campaigns quickly revolved around the US elections which became a hot topic for debate. Nevertheless, at a time when many were seeking answers, the internet had become a hotbed of abuse, where lies were being spread and cyber propaganda was being found in tweets, deepfakes and unvetted articles. What may have once been seen as a joke had now become a new method to deceive and commit fraud.
Remote Working and Tech Debt
The past year also saw one of the biggest shifts in the working world in recent history – remote working. Employees were quickly urged to stay at home and trade in their office desks for the kitchen counter or spare room. Some were even reduced to using ironing boards. This may be the norm now but at the beginning it was tough to expect almost the entire workforce to set up home offices in a short space of time. To achieve this rapidly, security was often disregarded by organizations which had to adapt and mobilize quickly to keep employees productive. However, too many employers were slow to realize the vulnerabilities and security issues that surrounded staff in their own homes. Because some organizations failed to provide basic security to their employees who were now accessing corporate information from the sofa in their lounge, data breaches and security incidences grew. Heading into 2021, with remote working the norm for most, robust security controls should now be mandatory to support remote working into the future.
Orgs Going Under Because of Cyber-Attacks
Cyber-attacks always end up with bad results or consequences. Never has there been a ‘positive’ cyberattack. It doesn’t exist. The only thing organizations can do when impacted by an attack is to detect the threat, contain it and remediate as fast as possible to continue business operations. But it was rare to see a business go under as a direct result of a cyber-attack. However, the arrival of the pandemic has definitely altered this for the worse. The year 2020 began with the high-profiled ransomware attack against Travelex which resulted in a lengthy shutdown of its services. This lasted an estimated four-months before a ransom was reportedly paid to restore services. During this time, the pandemic had hit, and Travelex suffered to the extent that it went into administration in August. In November 2020, an Australian hedge fund executive opened a phishing email disguised as a Zoom invite. This gave attackers access to their inbox and as a result were able to steal $8m. While most of the money was recovered, the reputational impact was so great its major client pulled out, forcing the hedge fund to shut down. While in the past cyber-attacks were considered a nuisance, we’re beginning to see clear cases of organizations being forced out of business due to these incidents. This will likely continue in 2021 and be a warning to business leaders to take security seriously. Remember that famous saying: Suffering a cyber-attack is no longer an ‘if’ but ‘when’.
Cyberwar
Another trend we witnessed during the past year was the evolution of nation state cyberwarfare. These state backed actors pose a worrying concern for governments, cybersecurity organizations and the wider public. The recent hacks against prominent cybersecurity vendors FireEye and Solarwinds is evidence of that. Both had close partnerships to the US government, and it was reported that Russian cyber-criminals had infiltrated these systems to gain access to highly sensitive information. It proves an all-out cyberwar is no longer just on the horizon – it’s here. Proactive action is required by governments and their security partners and reinforcing this message is President-elect Joe Biden, who stated the following after the recent attack: “A good defense isn’t enough; We need to disrupt and deter our adversaries from undertaking significant cyber-attacks in the first place.”
Dependency on the Big Five
With adjustments made to working and social conditions our reliance on tech greatly accelerated especially on the big five tech oligarchs of Amazon, Microsoft, Google, Apple and Facebook. Each provided a variety of digital and physical services to keep us going and businesses operational during the year. While these have their benefits, this dependence is a double-edged sword and the majority of us witnessed this first-hand when AWS and Google suffered outages to key services, some of which made the headlines. Naturally, if any of these companies suffered an outage or were to be hit by a malicious cyber-attack, considerable consequences will impact consumers and organizations so we need to consider the risks and prepare contingency plans should these services be made unavailable.
Looking back at what has been a unique year, I have every confidence that we will overcome similar challenges. We should use the above moments as a reminder of where we have come from, what we have been through and, what we have survived. Thankfully, as an industry, we learn fast from our mistakes and our achievements and I know we are better prepared for the future ahead.