2020 saw an unprecedented increase in cybercrime. With the coronavirus pandemic pushing everyone online, as well as the increase in remote working, cybersecurity was a trending topic all year. Now in 2021 many are wondering what this year has in store.
Operating out of London and Dublin, Cyber Risk Aware (CRA) helps companies worldwide assess the level of human cyber risk in their business. Stephen Burke CEO, founded Cyber Risk Aware in 2016 and has been working in cybersecurity since 2009.
Here Stephen shares his thoughts on the Cybercrime of 2020, and what we can learn in 2021.
Nothing could have prepared us for 2020 – a year that demanded a swift and dramatic restructure of corporate operations in response to the Covid-19 pandemic.
Remote workforces were created overnight, even within industries w
ho never had the experience of managing effective, remote working teams. With limited time and resources to prepare and support home working employees, a makeshift remote setup was thrust upon us. This, consequently, created an opportunity for massive cybersecurity breaches and a stream of cyberattacks, which can have a devastating impact on businesses when the cost of a data breach averaged between $184k and $715k for a medium-sized business in 2019. 2020 was an opportunistic year for cybercriminals, who took advantage of a time of uncertainty. In the UK, businesses experienced a 31% increase in cybercrime during the height of the pandemic, with phishing emails up by nearly 700%, preying on what should be a company’s greatest cyber defence asset; their employees.
As the new year starts, it’s important all businesses reflect on last year’s challenges overcome, mistakes made and to ask the questions: what have we learnt from this turbulent time? Are cyber attacks getting worse? Why isn’t simple scheduled training enough anymore? And will a more human-centric approach to cyber training make a difference? We also need to think about the new year and make cybersecurity predictions to stay ahead of relentless cybercriminals.
- Cybersecurity Risks Increasing
We have seen the methods cybercriminals use evolve in sophistication as well as in volume, pushed even further during this pandemic period where staff are working in new ways, often separated from IT help. This increased level of sophistication makes cyber attacks much harder to identify and therefore far more threatening. While phishing, ransomware, malware and DDoS attacks were among the most common methods employed by cybercriminals in 2020, there was also a rise in new methods. Cybercriminals are always on the lookout for new opportunities and emerging trends, taking advantage of unpatched vulnerabilities before businesses have a chance to ensure staff are adequately trained and their networks are properly secured and protected.
- Technology Has its Limits
In the Covid-19 era, we have all learnt the importance of community and culture, this same lesson has been learnt in cybersecurity too. With an increased remote workforce, businesses are more vulnerable to cybercrime than ever before. Knowing that over 90% of data breaches are the result of human error, it is recognised how people’s actions are a huge part of the problem, so they must therefore be part of the solution – a business is only as strong as their staff and technology alone is not enough to protect a business.
3. Scheduled Training Alone Doesn’t cut it Anymore
Scheduled cybersecurity training sessions are often outdated, avoided by staff and forgotten by the time employees actually need the knowledge or are faced with a potential cyber attack. This renders them pointless and an ineffective use of both time and money. Training content must be digestible and easy to understand and delivered regularly to create actual behavioural change and allow staff to learn.
Short and regular training which immediately notifies staff when they make a risky cyber decision at that exact moment of need, alerting them and educating them as to why their actions are unsafe leaves a business protected from accidental employee actions that often lead to costly security incidents. Scheduled training and lectures are useful, but as they are training ahead of a problem companies can never anticipate happening, leads it to be ineffective when compared to point-in-time training in response to specific user actions.
2021 Predictions see Cybersecurity Risks Escalating
While 2020 may have highlighted the security challenges of remote working, 2021 will see businesses face further heightened security risks as Covid-19 and the vaccine take us into the new year.
Covid to Cause Further Cyber risk
The global pandemic and lockdowns have changed the lives of us all, both at home and the way we work. It is unlikely we will see a sudden mass return to the office and these changes reversed in the start of 2021, even with the Covid-19 vaccine people will not be working as they did before for some time. However, later in the year when people do start returning to the office and re-joining the corporate network they will be doing so with insecure hardware that has been used for remote working for months. These devices may store confidential data and could have been used by other household members. The risk of these devices having insecure software installed or have visited insecure websites over the past 10 months is undeniably high. This could cause mass unsecure device attacks as they rejoin corporate networks and allow hackers access to the 17 million files employees averagely have access to.
Cutting Costs in a Smart Way
It’s been a tough year for businesses financially and cuts, unfortunately, may take place. Companies will be looking to leverage the spending they have already made to ensure they are in both a mature business and cybersecurity position. To do this they need a platform that can deliver training to staff in real-time at their exact moment of need, in response to employees actions. Businesses should leverage their existing tech by using a platform that requires less admin staff to manage and is capable of integrating with existing technology and working flexibly on any device, in any location to cause actual behaviour change in staff through training.
Copycat Attacks to Rise
As technology evolves so do cybercriminals, who latch on to newsworthy events for new opportunities to infiltrate a business. Copycat attacks are also common, so there is a chance we will see cybercriminals copying recent successful cyber attacks such as the recent SolarWinds attack, where Malware provided remote access into an organisation’s networks allowing information to be stolen, undetected for months, affecting up to 33,000 of SolarWinds Orion customers. Additionally, we are likely to see copycat attacks continue with Ransomware. There was a 40% Increase in Ransomware Attacks in Q3 2020 it is likely that this will continue to rise in 2021 along with the continued sophistication of phishing and vishing to target new companies and untrained individuals.
This last year has provided endless challenges and struggles, but an equal amount of lessons can be learnt and put to use in 2021. With the rise of the cloud, an increase of global businesses and soaring office rental costs in capital cities remote working was ultimately inevitable. And the pandemic has pushed us to achieve these future goals much earlier than initially thought possible. It is only by creating this workplace confidence and cyberculture that businesses can have the vital best practices in place, continually educating staff to ensure the business and networks are protected from the inside out.
