2020 was an unprecedented year. Not surprisingly, not one of the security professionals that we asked for last year's survey predicted that a global pandemic would be one of the year's major security threats. Many of our respondents this year though expect the far-reaching effects of the coronavirus to continue.
As in previous years, we asked security professionals a simple question: what will be the single biggest security threat of 2021? Responses varied from a single sentence to multiple paragraphs, and naturally, many individuals highlighted problems that related to their own industry or solution. Some respondents offered more than one response, where possible these have been split by theme.
Remote working tops security fears
Out of 169 usable responses, security issues related to the pandemic—predominantly remote working policies—are cited as the primary cause for concern in the coming year. All comments that specifically referenced new remote working policies or the pandemic have been grouped together and accounted for around a third of the total comments received.
Many of these comments centred around device security, as personal devices are increasingly used for work. As Sandeep Chandana, Director, Data Scientist for the Cloud Business Unit, McAfee says, "The increasing proportion of unmanaged devices accessing the enterprise cloud has effectively made home networks an extension of the enterprise infrastructure."
Others referenced the speed at which organisations were forced to adapt to remote working, or the need to accelerate digital transformation plans. Sivan Tehila, Director of Solution Architecture at Perimeter 81 expects this year will "be the year organisations face security consequences of the rapid shift to work from home."
Ransomware concerns increase
Ransomware is security professionals' second biggest concern this year—up from fourth place in last year's survey—though a number of respondents reference the pandemic's forced remote working as a cause of this. Will Bass, Vice President, Cybersecurity Services at Flexential explains, "COVID19 has accelerated a permanent increase in remote work that exposes organisations to greater ransomware risk as attackers target end users and home networks to enter corporate networks."
Concerns were also raised about the increase in targeted ransomware, ransomware-as-a-service, and 'double extortion'. Alex Holland, Senior Malware Analyst, HP explains: "The rise of 'double extortion' ransomware, where victim data is exfiltrated before being encrypted, will particularly hurt public sector organisations, who process all manner of personally identifiable information. Even if a ransom is paid, there is no guarantee that a threat actor won't later monetise the stolen data."
SolarWinds draws attention to third-party suppliers
Unsurprisingly, last year's SolarWinds hack has put the supply chain at top of mind for many security professionals. "Supply chain attacks of all sorts – from outsourcing IT and development providers to third-party libraries – will continue and become even more noticeable," says Snow Software's Igor Andriushchenko. Though to "simply call it supply chain risk is too simple and it isn't just an aftereffect of the Solarwinds breach," warns Matt Wilgus, Principal, Threat & Vulnerability Assessment Services, Schellman & Company, LLC. "Even mature vendor management programs do not have much visibility into the vendor's suppliers."
Phishing and people problems round out top 5 concerns
Rounding out the top five security concerns for the upcoming year—and almost equal in number of comments—were phishing/social engineering and people problems. Our 2020 survey cited people problems as the primary cause for concern, with human error and insider threats featuring alongside other people-related issues such as a lack of understanding of security risks, and—related—the cybersecurity skills gap.
Last year's third highest response was Artificial Intelligence, which this year drops to sit among the 'Other' category.
Also worthy of note were comments that cited disinformation as a major security concern. Given the proliferation of fake news, interest in deepfakes, and ease with which false information is spread, it is perhaps surprising that just five security experts expect a rise in 'trust attacks'. "2020 was the year in which information and disinformation were pitted against each other, fuelled by deepfakes that both entertained and also distorted political discourse…" says Max Heinemeyer, Director of Threat Hunting, Darktrace. "2021 will see more so-called 'trust attacks' where sophisticated hackers use illegitimate access to computer networks not to steal data, but to subtly alter information and undermine its integrity."
All usable responses have been included below. Responses have been lightly edited for clarity and grouped into the following sections:
- Covid-19/Remote working - 55
- Ransomware - 35
- Supply chain - 23
- Phishing/social engineering – 14
- People - 13
- Organisation/strategy – 10
- Emerging tech (AI, Edge, 5G, Quantum) - 6
- API - 6
- Disinformation/trust attacks - 5
- Other - 23
Covid/Remote working
Catherine Pitt, Global Vice President, Chief Security Officer, Plex Systems:
"With many more employees working remotely, bad actors are able to gain a foothold by exploiting employees' trust. Once the bad actor has access to a system or network, they are then able to hold the system hostage against a ransom fee."
Carolyn Crandall, Chief Security Advocate, Attivo:
"In addition to ransomware continuing to be a huge threat in 2021, we also know that remote working has raised the threat level for organisations by opening up vast numbers of new endpoints for attackers to target."
Manoj Bhatt, Head of Cyber Security and Advisory, Telstra Purple:
"Remote workers will continue to be a primary target for cyber criminals affecting all enterprises throughout 2021. As people now work from home, instead of having one entry point such as a firewall that everybody in the company goes through, we now have multiple connections from different locations. From a security perspective that makes it incredibly hard to manage because of the increased entry points into a company's network."
Keith Price, Cyber Security Director, Littlefish:
"With the pandemic not yet behind us, an overwhelming majority of businesses are still adapting to remote working. Many will still see it as a temporary measure and have inadequate security policies and protocols in place as a result, making them ideal targets for bad actors."
Grady Summers, EVP Solutions and Technology, SailPoint:
"The remote workforce is putting organisations at a greater risk of data breaches, IP theft, and illegal access through company and personal devices… If these risks are not addressed, the threat landscape will continue to become more complex in 2021. Identity and access management plays a major role in securing enterprise identities and limiting the blast radius from a compromise."
Samantha Humphries, Senior Security Strategist, Exabeam:
"We will continue to see breaches occur because of a lack of security around remote working and the use of personal devices and home networks. The more cloud, the more connected devices, the more opportunity for cybercriminals."
Andrea Babbs, UK General Manager, VIPRE:
"In the rush to keep 'business as usual' during such uncertain times, businesses may have inadvertently made their security infrastructure vulnerable to data breach – be that from external threats or accidental insider data leakage."
Ilia Sotnikov, VP, Netwrix:
"The urgent need to support distributed workforces has forced enterprises to accelerate their digital transformations, so now, they rely on managed services and IT solutions suppliers more than ever before. With that in mind, hackers will then ramp up their attacks on solutions and services providers."
John Viega, CEO and Co-founder, Capsule8:
"In 2021, I expect that the biggest threat for most enterprise organisations will be the organisation itself. Last year, the pandemic drove many enterprises to migrate to the cloud faster than planned. That leaves a lot of room for error."
Gidi Cohen, co-founder and CEO, Skybox Security:
"The seismic shift to distributed workforces will quickly diminish the effectiveness of "detect-and-respond" programs."
Ryan Weeks, CISO, Datto:
"We'll see an increase in insider threats as employees continue to work from home… because it's easier for employees to get away with suspicious activity."
Bindu Sundaresan Director, AT&T Cybersecurity:
"Cloud vulnerabilities and misconfiguration issues are top concerns entering 2021 as cybersecurity teams continue to redefine an organisation's network perimeter."
Martin Jartelius, CSO, Outpost24:
"Remote working means that a lot of edge and network protection is not present protecting individual employees. It also means that simple collegial support combating fraud is no longer as easy as turning to your co-workers and asking for a second opinion."
Libby Bagley, Community Manager, License Dashboard:
"Remote working is the biggest challenge to cybersecurity most of us have faced in our careers. When lockdown hit, the focus for most businesses was on an employee's ability to do their job from home. Now it needs to be on how remote working leaves an organisation vulnerable to attack."
Dave Waterson, CEO, SentryBay:
"Continued working from home is a security threat if endpoint devices are left unmanaged… company data now has a broader physical footprint, and organisations have less control over how it is being accessed…"
Oliver Cronk, Chief IT Architect, EMEA, Tanium:
"The challenges of 2020 showed that VPNs and on premise centric solutions are long past their sell by date; a massive bottleneck preventing workforce agility and mobility… In a world of highly distributed employees with unpredictable working patterns on premise centric IT management and security tooling that saturates VPN links just doesn't make sense."
Kelvin Murray, Senior Threat Research Analyst, Webroot:
"In 2021, cyber-attackers will increasingly target home routers, insecure IoS devices and VPN systems to infect corporate machines connected to that network."
Igor Volovich, Chief Security Strategist, Cyber Strategy Partners:
"Pandemic protocols pushed enterprises to adopt cloud and remote work models on an accelerated schedule, regardless of actual readiness or maturity. Many firms prioritised functionality over security, bypassing controls and safeguards that would ordinarily be included in transformation efforts of such scale."
Boris Balacheff, Chief Technologist for Security Research and Innovation, HP Labs:
"Organisations need to accept that the future is distributed. Everything from remote workers' devices to industrial IoT devices have become the new frontlines of the cybersecurity battleground in our increasingly cyber-physical world."
Amir Tarighat, Founder and CEO, Achilleion:
"By far the biggest enterprise threat in 2021 is unsecured personal devices interacting with the digital workplace. No matter how secure the company network, data, and apps might be; employee's personal devices doing simple things like checking email or accessing files can be a conduit for hackers seeking to target the company's systems."
Quentyn Taylor, Director of Information Security, Canon:
"For me, home working will be the most impactful security factor for 2021… with the increased blurring of lines between home and work, we'll continue to see home technology being used even more for work purposes and, in some cases, causing as many problems as it solves!"
Sandeep Chandana, Director, Data Scientist for the Cloud Business Unit, McAfee:
"The increasing proportion of unmanaged devices accessing the enterprise cloud has effectively made home networks an extension of the enterprise infrastructure. We expect that widespread attacks will start weaponising AI for better efficacy against thousands of heterogenous home networks."
Omkar Dharmapuri, Founder, TechLurn:
"Since we're still not recovered from the pandemic and likely to keep working remotely for quite some time, I expect that ransomware attacks will keep continuing to grow."
Ben de Bont, Chief Information Security Officer, ServiceNow:
"Exhaustion. Everyone (end users, security analysts, vendors, contractors, customers) is worn down from COVID. These enablers of our business are getting sloppy – presenting ample opportunity for exploitation by bad guys, whether in highly targeted attacks or opportunistic battering down of enterprise defences."
Charles Eagan, CTO, BlackBerry:
"From criminals looking to make a quick buck, to state-sponsored actors, criminals continue to target COVID-19 research with alarming frequency. As the pandemic's effects rage on across the globe, that trend will only continue to grow."
Kristen Bolig, Founder, SecurityNerd:
"It's likely that the number of cyberattacks on remote workers will continue to rise in 2021. Chief among them will be ransomware attacks."
Corey Nachreiner, CTO, WatchGuard:
"As remote workforces continue to swell over the coming months, attackers swarming VPNs and RDPs as will be one of the biggest enterprise security threats this year. "
John Torres, President of Security & Technology Consulting, Guidepost Solutions:
