By Jeremy Swenson
December 16, 2020
Every year we like to review the most impactful security, technology and business happenings from the prior year. This year is unique as the pandemic is a major catalyst for the five trends we identify, and all are likely to continue having a significant impact in the coming year.
1) Identity & Access Management (IAM) Scrutiny Drives Zero Trust
The pandemic has pushed most organizations to a mass work from home (WFH) posture. Generally, this improves productivity making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders are speeding up the deployment of Zero Trust capabilities according to a Microsoft Security study. This infers single sign on at the personal device level and improved multifactor authentication.
2) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries
This increased WFH posture blurs the security perimeter both physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored real time, and the related exception policies should be revaluated.
3) Data Governance Gets Sloppy Amid Agility
Mass WFH has increased agility and driven sloppy data governance. For example, one week after the CARES Act was passed banks were asked to accept Paycheck Protection Program (PPP) loan applications. Many banks were unprepared to deal with the flood of data from digital applications, financial histories and related docs, and were not able to process them in an efficient way. Moreover, the easing of regulatory red tape at hospitals/clinics – well intentioned to make emergency response faster – created sloppy data governance, as well. The irony of this is that regulators are unlikely to give either of these industries a break, nor will civil attorneys hungry for any hangnail claim.
4) The Divide Between Good and Bad Cloud Security Grows
The pandemic has reminded us that there are two camps with cloud security. Those who have a planned option for bigger cloud scale and those that are burning their feet in a hasty rush to get there. In the first option, the infrastructure is preconfigured and hardened, rates are locked, and there is less complexity, all of which improves compliance and gives tech risk leaders more peace of mind. In the latter, the infrastructure is less clear, rates are not predetermined, compliance and integration are confusing at best, and costs run high – all of which could set such poorly configured cloud infrastructures up for future disaster.
5) Phishing Attacks Grow Exponentially and Get Craftier
The pandemic has caused a hurricane of phishing emails that has been hard to keep up with. According to KnowBe4 and Security Magazine there has been a 6,000% increase in phishing e-mails since the start of the pandemic. Many of these e-mails have improved their approach and design appearing more professional and appealing to our emotions by using tags concerning COVID relief, data, and vaccines. Ransomware increased 72% year over year as per Security Magazine. With many new complexities in the mobile ecosystem and exponential app growth, it is not surprising that mobile vulnerabilities also increased 50% as per Security Magazine.
COVID-19 has been the catalyst for digital transformation across multiple industries, and as our office structures and ecosystems are changing, so are our security requirements. The combination of a more agile workforce and increasingly creative threat actors requires updated risk evaluations and new policies and procedures in a variety of areas. These identifiable trends of 2020 will serve us well in 2021, if we apply the rights lessons throughout our organizations.
Jeremy Swenson is a disruptive thinking security Entrepreneur at Abstract Forward and a Sr management consultant in tech risk, process improvement, and data governance at Tata Consulting Service’s Financial Services vertical. Over 15 years he held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving their processes. He is also a frequent speaker, published writer, and even does some pro bono consulting in these areas. He holds an MBA from St Mary’s University of MN and MSST (Master of Science in Security Technologies) degree from the University of Minnesota.