"The biggest security threat will be the spread of intrusions in widely used third-party SaaS tools. With an increasing reliance on large suites of external tools, the danger is growing that a single widely used tool can be the ground zero for large scale intrusions, similar to the recent SolarWinds hack."
Joel Burleson-Davis, CTO, SecureLink:
"Third-party access continues to be one of the top attack vectors used in new breaches or attacks that lay the groundwork for future breaches… Successful data security is not just about who you keep out, who you let in is just as critical."
Chloé Messdaghi, Chief Strategist, Point3 Security:
"While ransomware and phishing are well known threats, less well known are third-party security issues… unfortunately, in 2021, too many companies will fail to take third-party and Nth party data security and risk into consideration – that's the biggest underexamined threat organisations will face this year."
Phishing/Social Engineering
Sarah Armstrong-Smith, Chief Security Advisor, Microsoft:
"Organised cybercrime and freelance attackers will continue to target businesses often via the remote workforce through phishing and business email compromise - with the goal of harvesting credentials, exposing vulnerabilities and ultimately accessing and compromising an organisation's technology and data."
Igor Andriushchenko, Director of Quality and Security – Engineering, Snow Software:
"Social engineering – centuries old attack will regain even more popularity in the world of remote work. People have not ever met many of their colleagues that joined the companies in 2020 due to the shift towards remote work. This makes an ordinary social engineering attack much simpler as in this case we all know much less unique information about each of our co-workers – which is the key to proving the authenticity of an email, call or video chat."
Rob Price, Global Solution Consultant, Snow Software:
"Phishing will continue to be the number one form of cybercrime as criminals continue to attack the weakest point of an IT environment – the user."
Tom Hoffman, SVP of Intelligence, Flashpoint:
"In a continuation of what we've seen this year, 2021 will see the ongoing development of the sophistication of phishing attacks utilising advanced tools such as automation to target and dupe more people."
Javvad Malik, Security Awareness Advocate, KnowBe4:
"The biggest security threat for 2021 will be social engineering. With more people working remotely, we've seen an increase in phishing and other social engineering scams take place over the year."
Mike Puglia, Chief Strategy Officer, Kaseya:
"Phishing will remain the single biggest enterprise threat in 2021. The harbinger of everything from ransomware to espionage, phishing can lead to extensive damage within an organisation."
Ed Bishop, Chief Technology Officer, Tessian:
"Account takeover will surge as attackers further advance their phishing techniques. Why will this be the biggest enterprise security threat? Because people receiving these fraudulent emails will likely have no idea that the person in their trusted network - whether that's a supplier, customer, partner or colleague - has been compromised."
Dr. Ian Pratt, Global Head of Security, HP Personal Systems:
Greater innovation in phishing will see thread hijacking and whaling attacks.
Gaurav Banga, Founder and CEO, Balbix:
"In 2021, we expect to see an increase in personalized phishing attacks. Bad actors will use AI and automation at a large scale to collect information about you…"
Kent Blackwell, Threat & Vulnerability Assessment Manager, Schellman & Company, LLC:
"Phishing and advanced techniques to bypass MFA/2FA will continue to be the greatest threat in 2021. With the increasing adoption of Single Sign-On, these portals are often targeted for the valuable access a single compromised account can provide."
Tigran Nazaryan, VP of Engineering, 10Web.io:
"Phishing. Exploiting the human factor is the most popular and the easiest way to create data breaches and business disruptions. No matter what technology is used to protect enterprises, human is the weakest factor."
Dr. Jonny Milliken, Director of Security Research and SOC, Cygilant:
"In 2021, the biggest enterprise security threat will be phishing attacks. Phishing continues to be the most prevalent and most effective threat type against businesses, and it is only getting more targeted."
Liam Follin, Web Application Security Specialist and Penetration Tester, Pentest People:
"The biggest enterprise security threat in 2021 will, as ever, almost certainly be social engineering. A good rule of thumb in IT is to never trust a person if you can trust a machine instead. Unfortunately, we do have to trust users with some things and even the most restricted permissions can be leveraged by a competent social engineer in order to compromise accounts, and then facilitate further attacks on organisations."
Sébastien Goutal, Chief Science Officer, Vade Secure:
"Targeted attacks such as Business Email Compromise (BEC) will be the biggest challenge for enterprises. Carefully crafted attacks can lead to very important money gains for the criminals and are very difficult to detect from a technological point of view. These attacks will also continue to spread worldwide, targeting different kinds of organisations in many different countries."
People problems
Rod Simmons, Vice President of Product, Omada:
"The single biggest enterprise security threat of 2021 is end users… While we can argue that IT will continue to struggle to find attack patterns, the larger concern is doing the basics to better secure identities."
Neil Thacker, CISO EMEA, Netskope:
"Next year, the biggest enterprise security threat will come from within, as insider incidents causing or contributing to successful breaches will accelerate. Malicious insider activity rises during times when people are facing challenges and economic uncertainty, and 2020 has created a challenging economic landscape for 2021."
Myrna Soto, Chief Strategy and Trust Officer, Forcepoint:
"In 2021 the biggest threats will come from the people and places organisations least expect. In the past we've thought of "insider threats" as disgruntled employees who walk out of the building with proprietary information hidden in their briefcases. But today, employees may be scattered around the world, and could be hired after only meeting via Zoom."
Kevin Parker, Co-founder, vpnAlert:
"Insider attacks are often overlooked. But with over 60% of cybersecurity threats being insider attacks, my prediction is that this will be the biggest enterprise security threat of 2021."
Ryan Weeks, CISO, Datto:
"We'll see an increase in insider threats as employees continue to work from home… because it's easier for employees to get away with suspicious activity."
Greg Kelley, EnCE, DFCP, Vestige Digital Investigations:
"The biggest security threat of 2021 will continue to be the user. The vast majority of attacks are successful due to a compromise at the user level involving either an email phishing credentials or an email enticing a user to open a weaponised attachment."
Christian Mathews, Security Picks:
"It's easy to jump to obvious ideas like advances in AI and how that is being used for hacking or automation of brute force attacks on systems. In our opinion, the biggest security threat continues to be people. Many times these individuals are threats without knowing it themselves."
Joe Payne, CEO, Code42:
"Insider Risk will grow in 2021 with remote work largely still in place. A remote, collaborating, off-network workforce creates a perfect storm for data leaks from insiders."
Matias Madou, Co-founder and CTO, Secure Code Warrior:
"One of the biggest security concerns in 2021 should be the untrained developer. Organisations must focus on training people, rather than an over-reliance on security tools. Scanning tools and the like have their place in a DevSecOps process, for example, but security at speed is made possible by producing secure code in the first place."
Tal Zamir, CTO and Founder, Hysolate:
"The biggest enterprise security threat for 2021 would definitely be people. With literally everyone working remotely, laptops and their users now pose greater risk than ever."
Robert Capps, VP of Marketplace Innovation, NuData Security:
"The largest threat of 2021 is the attack on employees. Through phishing, malware, and malicious phone calls and texts, cyber criminals continue to target the most vulnerable and important element of our organisations, our people."
Ofer Israeli, CEO and Founder, Illusive:
"The biggest single threat facing security teams in 2021 is their inability to detect attackers that have gained a beachhead in their environment and are now moving laterally against high-value assets."
Bryan Harper, Manager, Schellman & Company, LLC:
"Another significant security threat for 2021 relates to a critical shortfall in the number of knowledgeable cybersecurity professionals… The existential threat to organisations is to get into the game or risk being left behind. This drive pushes security personnel further from the action for the sake of speed resulting in less-knowledgeable security folks and the very real challenge of trying to implement governance practices without the right mix of knowledgeable and skilled cybersecurity professionals to pull it off."
Organisation/Strategy
Jim Higgins, Director of Product Security, Google:
"The single biggest threat in 2021 is that history will repeat itself. If we don't come together as an industry to share how to build secure software and infrastructures, then we are destined to make the same mistakes again and again."
Chris Schnieper, Director of Fraud & Identity, LexisNexis Risk Solutions:
"There are plenty of reasons to believe that uncertainty will continue through 2021 and may be the biggest enterprise risk of the year… with continued concern over health and economic well-being, fraudsters will have plenty of ways to scam consumers and defraud support programs."
Jay Leaf-Clark, Head of IT, Dashlane:
"The single biggest threat to enterprise security is, and will continue to be, apathy and inaction. Be it from executive leadership who fail to properly invest in modern, robust security solutions and headcount; IT and security leaders who fail to build, monitor, and continuously iterate on policy and procedure-based, ever-evolving threats; or the employee base who fail to take enterprise security seriously, and instead prioritise convenience and ease of use over protecting company internet protocol (IP)."
Alistair Fawcett, COO, OryxAlign:
"The biggest enterprise 'cyber' security threat of 2021 is, most likely, the same as previous years – complacency, failure to adapt to changes in threats and failure to get the basics right."
John Hammond, Senior Security Researcher, Huntress:
"The single biggest threat to enterprise security this year is the enterprise itself… After the rough waters that 2020 brought, companies need to not only invest in security, but prioritise it. Staying complacent, deprioritising patches, cutting corners and minimal training wasn't enough in 2020, and it won't be enough this year."
Brendan O'Connor, CEO, AppOmni:
"Security teams lack visibility and control over their SaaS environments. Most enterprises aren't adequately managing which employees, external users, and 3rd party apps have access to sensitive data in the cloud. Unfortunately, I think many companies will learn this the hard way in 2021."
Dody Lira, Senior Solution Engineer, Abusix:
"A threat that will be prominent in 2021 (and will continue to be a problem year after year) is security teams managing too many systems that don't fully integrate on an already growing and involved network."
Gregory J. Touhill, President, AppGate Federal, Brigadier General (Ret), first U.S. CISO under Obama:
"Complexity. Our systems and network infrastructure have become so exquisitely complex that complexity is a significant risk area… This complexity results in frequent misconfigurations; delayed or incomplete patching and updates; and a frustrated and beleaguered workforce. This presents an unacceptable advantage to attackers that will continue to be exploited in 2021."
Mark Sangster, VP and Industry Security Strategist, eSentire:
"The biggest concern comes from the convergence of Operation Technology (OT) and Information Technology (IT). As industrial ICS controls are further connected and integrated with business operations software like ERP systems, criminals will exploit these systems to create incremental vulnerabilities that lead to massive business outages, derail automated assembly lines, and even shut down critical services such as power and water utilities, traffic management, and even retail order fulfillment from online retailers."
Azeem Aleem, VP Cybersecurity Consulting, Global Digital Forensics and Incident Response Lead, NTT Ltd.:
"Attacks around industrial control systems (ICS) are going to be a major threat in 2021. The shift from legacy systems to process control networks with connectivity around the enterprise is causing backdoor exploits around ICS… as more systems become IP-based, and compute-based automation is introduced into systems, the threat grows exponentially."
Emerging Tech (AI, Edge, 5G, Quantum)
Tyson Savoretti, Senior Security Consultant, Audit Liaison, LLC:
"The biggest threat to enterprise security in 2021 is automation-induced apathy. As enterprises grow and outsource, they find creative ways to automate technical security controls. While the technical security controls do help mitigate traditional attack vectors, businesses must continue to improve on the awareness of their most common vulnerability, human beings."
Dr. Zulfikar Ramzan, CDO, RSA Security: