If there’s one thing the events of 2020 have taught us, it’s that forecasting the future is an endeavor fraught with peril. The only thing we’re completely confident about is that it’s wise to expect — and prepare for — the unexpected. This is just as true for cybercriminals’ newest adversarial tactics as it is for global health crises.
Nonetheless, once industry trends have been set in motion, they seem to obey the laws of momentum. Corporate spending on cybersecurity technologies and services has seen consistent annual increases for over a decade, with the coronavirus pandemic only amplifying demand for remote work enablement and cloud security. Year after year, attack volumes grow, as does the number of confirmed incidents and breaches. And pundits continue to opine that much cybersecurity spending is simply a waste of money.
Here at BTB, we believe that over the next twelve months we’re likely to see several longstanding industry trends continue. But we’re also optimistic that growing public awareness of the importance of adhering to cybersecurity best practices will be combined with increased pressure from regulators to motivate positive transformation.
We encourage business leaders and other stakeholders to prepare for some degree of stasis, but to also anticipate change. Here are our main predictions for 2021 and beyond:
#1: Cybersecurity spending and breach numbers will continue to rise.
“What I see happening is more spending, more breaches, and more frustration,” says Matt Wilson, Chief Information Security Advisor at BTB. “Because so many organizations are still missing the fundamentals, they’ll get less risk reduction and less value for their investments in security than I’d like. People think that money alone is enough to solve the problem, but it’s not.”
This trend — that even as cybersecurity spending grows, so too do attack volumes, the number of breaches and their associated costs — has been with us for years.
“Traditionally, getting executive leadership to fully understand the extent of cybersecurity challenges was difficult,” Wilson adds.
#2: There will be increased focus on cybersecurity monitoring and rapid response, especially among small and mid-sized businesses (SMBs).
Massive in scale and extremely ambitious in scope, the SolarWinds breach has dominated cybersecurity-related headlines since news of the incident was first made public in mid-December. Though additional details about this attack are still coming to light, it’s likely it will be years before we know the full extent of its impact.
Nonetheless, the sheer size and sophistication of the SolarWinds hack — and the amount of attention it has attracted — may well transform it into a much-needed wake-up call for defenders.
“So many organizations were impacted by SolarWinds,” says Wilson. “When attack victims range from government agencies and the Department of Defense to big-name tech companies and cybersecurity vendors like FireEye/Mandiant, it really highlights the fact that nation-state level attacks can’t always simply be prevented. Instead, rapid detection and response are the key to minimizing costs and damages.”
With highly capable cybersecurity service providers now offering comprehensive monitoring capabilities at a price point that’s affordable for the majority of SMBs, and greater awareness among business leaders of the value that such monitoring brings, Wilson expects interest in these services to expand.
“Today, getting buy-in from leadership still isn’t easy, but it’s much easier than it used to be,” he says.
#3: Regulations will grow in influence and impact.
In addition to more states enacting legislation that’s similar to the California Consumer Privacy Act (CCPA), or enforcing these regulations more stringently, it’s likely that federal standards and frameworks such as the Cybersecurity Maturity Model Certification (CMMC) will have “trickle down” effects on businesses in industries that aren’t immediately impacted by them.
The CMMC requires contractors serving the U.S. Department of Defense (DoD) to adhere to a set of cybersecurity best practices and to undergo third-party assessments verifying that their capabilities can evolve in response to changes in adversaries’ techniques and the cyberthreat landscape.
We anticipate that even organizations that aren’t DoD contractors will view the CMMC framework as a kind of “gold standard” that they’ll strive to meet. And, for the more than 300,000 contractors who currently compete for DoD contracts, evidence that they’ve met minimum certification requirements will be required for growing numbers of requests for information (RFIs) and requests for proposals (RFPs). This began in September of 2020 and will expand to include all new contracts by early 2026.
The CMMC was initially released in January of 2020, but pandemic-related delays slowed the adoption of mandatory enforcement. We expect to see its pace increase in 2021.
#4: 2021 will be a cleansing year, especially for businesses that implemented unfamiliar technologies in 2020.
Many businesses built new cloud environments, stood up new cloud solutions, or otherwise invested in technologies to secure a workforce that 2020’s global pandemic had suddenly made remote. Some of these were hastily implemented or deployed outside of standard processes for the sake of speed, and as a result we’re now seeing an uptick in configuration errors and misconfiguration-related breaches.
“In 2020 lots of organizations jumped feet-first into technologies that they barely had time to learn or understand,” says Wilson. “People were putting Band-Aids on things, and some of those are not going to hold.”
Our advice to security organizations of all sizes is to make 2021 a year of review, reflection and (if needed) cleanup.
“Now is the time to revisit what you did last year,” Wilson adds. “Make sure you understand what you did and why you did it.”
We hope that more business leaders will adopt a value-driven approach to investments in cybersecurity technologies and services.
Finally, we’d like to see more decision-makers embrace cybersecurity best practices and a thoughtful approach to continuous improvement.
Many of the basics are free or relatively inexpensive, yet their adoption can have an outsized impact on overall organizational risk:
- patching and hardening
- ongoing monitoring and robust incident response (IR) procedures
- careful management of your relationships with third-party vendors, suppliers and contractors
- employee training
“Instead of just spending money and wondering why you’re not getting better, challenge yourself to be better,” says Wilson. “Find ways you can do that while staying within your budget or even spending less. This involves asking tough questions of yourself and your team, but it’s essential.”
To learn more about steps you can take to improve your organization’s cybersecurity and how we can help, visit us at www.btbsecurity.com.