Cybersecurity trends 2021: universal protection in security in the remote world
The COVID-19 pandemic has changed a lot for modern businesses. In many ways, though, these changes were simply accelerated inevitabilities.
As businesses have hastily adopted new security programs designed to tackle a rapidly expanding remote workforce, opportunistic cybercriminals have seized the opportunity of a lifetime that befalls them. While those threat actors are not new, they’ve been given millions of new remote endpoints to attack and a plethora of global anxiety they can use as the base for misinformation.
Thankfully, if companies want to defend against emerging and advanced cyber threats, cutting-edge security technology is available.
The trends outlined in this piece can be used to paint a broad picture of the current state of cybersecurity. Each section will examine a trending technology, cultural shift, or operational trend related to the current state of the modern business. While only one trend explicitly relates to the impact of the current COVID-19 pandemic, many of the technologies themselves can be configured to protect vulnerable remote workforce environments.
"Secure by default" as the new standard for a remote workforce
Increasingly complex remote work environments will drive SaaS businesses to integrate traditional monitoring with UX security monitoring in order to limit the ability of users, administrators, and business partners.
If a product allows users to unknowingly halt operations or expose sensitive data, the product is inherently flawed. Technology, especially with an increasingly fractured and geographically dispersed workforce, employees are given boundless opportunities to unknowingly put businesses at risk.
Awareness, security, and privacy training are always necessary. Although, for as much good as security awareness training does, it still relies on one of the most unpredictable variables on earth: people. On the other hand, security by design is necessary and ideal for virtually all businesses. The less employees need to interact with security tools, the safer they will be. New security applications built for a fully remote business world should be designed to guarantee user adoption.
Software should be designed to prevent individuals from actively falling victim to a cyber attack in the first place and give them as few opportunities as possible to make security-impacting decisions. For example, a mobile device security tool may encrypt network traffic, block dangerous URLs, and quarantine malicious files. Additionally, performance can impact adoption as well. If a user’s web browsing speeds are slowed substantially while using a virtual private network (VPN), they will likely turn it off at times when their activities necessitate higher connectivity speeds.
However, that’s not the world we live in. Cybercriminals are becoming increasingly creative in the ways they trick users. Employees can use their work phone to scan a QR code that compromises the device or they could download a PDF about COVID-19 testing that contains fileless malware and triggers a ransomware download.
Any security solution available today should be available across devices and geographic locations to ensure protection for ‘bring your own device’ (BYOD) endpoints, unsecured WiFi, and shared personal or work devices.
Some companies have stepped up to the task, but even one month into the pandemic, barely one in four remote workers were required to use any level of multi-factor authentication (MFA), and hardly half had any kind of security training.
Optional security teams should become required, but should not interfere with user experience. Zero trust, passwordless authentication, and risk-based security solutions are all technologies that can help provide unobtrusive protection for end users.
DevSecOps and the security skills shortage: a recipe for disaster
With many current DevSecOps programs actually being overstated, semi-secure DevOps programs, companies will be forced to rebuild their approach to secure application lifecycles end to end.
DevSecOps is already a popular buzzword. In theory, the process of continuously analyzing, testing, and patching applications throughout their lifecycle is smart. But when DevSecOps is actually put into production, it’s done hastily by businesses more concerned with releasing a product than ensuring its security. A lot of the actual DevSecOps methodologies are just improvised agile security tasks placed atop existing DevOps programs to cover continuously emerging vulnerabilities.
And that’s not just speculation, 43% of organizations rely on ad-hoc remediation to deal with securing their agile applications, according to a report from CloudPassage. Today, only 21% of DevOps teams have a comprehensive DevSecOps program in place, according to the same report. Another report by GitHub found that more than one in four developers said that they are completely responsible for security in their organizations.
Companies that fail to build extensive security programs but continue to rely on DevOps to build their applications will continue putting their business at risk and won’t fully comprehend the flaws present in their products. As a result, they will hire additional security professionals, increase secure code training, simplify security stacks, and define security processes before building workflows.
Native integration and customer visibility drive cloud marketplace growth
Security vendors and cloud service providers will continue to partner, shifting much of the buying process into online marketplaces capable of supporting one-click deployment.
Software acquisition in general has changed substantially over past decades and security technology is no exception. Companies have much less reliance on traditional analyst firms as they’re more seen as pay-to-play gatekeepers offering little more than marketing collateral for existing industry leaders. In today’s technology market, reviews, surveys, and usage statistics from fellow technology users make up 51% of today’s trusted sources for making purchasing decisions.
Now, small companies can demonstrate success on any number of mediums, including online marketplaces provided by leading cloud computing service providers, and they typically don’t need to purchase expensive on-premises infrastructure.
Companies never made their purchasing decisions based on price or analyst reports alone. As always, they will continue examining as many resources as possible to build their shortlist. But the availability of solutions in those marketplaces will play a substantial role in determining that shortlist.
Companies will want tools that natively integrate with their existing cloud services and software solutions. This shift has also driven the growth of hybrid cloud environments and the popularity of cloud-native applications.
Some companies starting from scratch, or looking to simplify their stack, will also look to these providers for bundled, full-stack offerings to provide a single management console for various cloud, IT, and security management teams.
The marketplaces themselves will become hubs for information about the products, feedback from previous users, and the platform for integrating and deploying new tools.
A fool’s enterprise: zero trust with zero planning
The rapid adoption of zero trust programs, security staffing shortage, and an unexpected increase in remote workers will result in numerous major security incidents for numerous major enterprise businesses.
Zero trust security has been one of the fastest-growing markets over the past two years, and it’s not just hype, it’s a groundbreaking technology and growing market set to reach $38 billion by 2025. That’s why I mentioned zero trust security in my trends analyses for both 2019 and 2020.
Over the course of a single year, Okta found 275% growth in zero trust initiatives between 2019 and 2020. In 2019, about 20% of those surveyed had initiatives in place to adopt zero trust. In 2020, that number jumped to 60%.
Zero trust changed the way we think about security. Traditional tools will prevent cybercriminals from accessing your network, but if they get in, you may have no idea. They can’t protect against internal threat actors who’ve accessed your systems either. Now, a zero trust network security program, powered by microsegmentation can monitor everyone within the network at all times. They help security detect privilege escalation, stop lateral movement, and detect data leakage.
But they’re not simple and they can’t do everything.
Zero trust can be a key to building a frictionless, passwordless user experience, but that requires each user to be properly credentialed and each network asset to be properly configured at all times. Every business wants the latest and greatest in security technology, but asking an understaffed team to maintain 24/7 protection over a complex hybrid computing environment is not smart.
However, 78% of IT security teams are looking to embrace a zero trust model in the near future, according to a report by Cybersecurity Insiders. But many of these companies have unrealistic implementation expectations. Of those surveyed, roughly half the companies planning to implement claimed they would complete it in under 12 months. Additionally, 47% of enterprise IT security teams lack confidence in their ability to achieve zero trust.
To avoid being the company that rushed to implement zero trust and ended up being exposed, they should adopt unobtrusive security automation tools to help detect and remediate anomalies, misconfigurations, and compliance issues as they arise.
Risk-based, data-driven security technologies will continue to expand in popularity. These tools typically operate in the background, continuously monitoring logs to detect anomalies. Risk-based analytics have already become popular for authentication, email protection, and vulnerability management technologies and will only continue to emerge in new markets. These tools will help collect valuable threat data and make work easier for overburdened security staff.
Securing 5G with IoT edge platform modules
Edge-enabled computing will become the industry-standard security solution IoT pros have been searching for to secure smart devices and the data they store.
While some people still think their home router runs on a 5G network and others think 5G is a global, inter-government conspiracy, companies are developing ways to utilize 5G networks with modern business devices. 5G allows for nearly 20-times the speeds of LTE with a fraction of its latency. This means 5G-enabled devices are capable of transferring large amounts of data at all times, but that also means there’s a lot of new, potentially sensitive data, that needs to be protected.
For years, millions of compromised IoT endpoints have plagued society revealing personal data, being used in DDoS attacks, or both. With IoT edge protection, these industry 4.0, internet-enabled devices will be self-securing and minimize the threat surface of sensitive information by reducing total data in transit.
Edge technology shifts the computing from the cloud to the device itself by deploying a local module with software and a runtime on the device itself. This means no data needs to be transferred to enable analysis or utilization.
There’s a ton of perks when it comes to compliance, as well. These devices can store personal biometric information, medical data, and any other kind of sensitive data you can think of without deploying it to the cloud or exposing it to a man-in-the-middle attack. Additionally, edge technology will allow for simplified remote configuration, patching, and secure communication.
The speed at which edge computing overtakes IoT security will be determined by the cost of producing edge-enabled devices and the effort it takes to deploy edge runtime modules.
Things are changing fast
While 2020 has shaken the world in unfathomable ways, it has driven the rapid adoption and evolution of technologies relating to remote work. And the ones mentioned above are just a few of those trends within the cybersecurity industry.
Some people believe these changes to the business world are temporary, I am not one of them. The remote, global workforce is here to stay. I have no doubt that will make work more difficult for security teams, and make things easier for cybercriminals, and that makes these ideas important for companies hoping to keep cybercriminals away from the business, customer, and personal information.
Explore the highest-rated software in related categories:
As an analyst at G2, Aaron’s research is focused on cloud, application, and network security technologies. As the cybersecurity market continues to explode, Aaron maintains the growing market on G2.com, adding 90+ categories of security technology (and emerging technologies that are added regularly). His exposure to both security vendors and data from security buyers provides a unique perspective that fuels G2’s research reports and content, including pieces focused on trends, market analysis, and acquisitions. In his free time, Aaron enjoys film photography, graphic design, and lizards.