The Major Cybersecurity Themes of 2020
By: Harpreet Mangat
With 2020 almost in the books, Axiad takes a look back at the biggest cybersecurity trends of the year.
We’re about to turn the page on 2020. For many of us, that’s something we’ve been waiting to say for quite some time. At the beginning of the year, as is the custom, cybersecurity experts published predictions about trends they expected to see. While no one saw the year unfolding the way it did, let’s take a look back at the 2020 predictions and how they played out.
Somewhat surprisingly, many of the predictions were fairly accurate. While you can argue that many of these predictions were safe—forecasting an increase or continuation of already-existent patterns—after a year like we’ve just seen, it’s still somewhat remarkable that they were mostly correct.
To begin the year, experts were warning of the increase in hacking and cybercriminal activity, with the types of attacks becoming more varied. This was an important theme throughout the year, particularly with regards to healthcare. As 2020 comes to a close, the SolarWinds and FireEye hack, news of which is still trickling out to the public, appears to be the most significant security breach of the year.
Many also hypothesized that the use of deepfakes would increase, possibly with implications for elections around the globe. While this did happen to a degree, it doesn’t appear that it made much of an impact. The effect of deepfakes could increase in the future, but their import going into 2020 was eclipsed by other trends.
Two other themes experts predicted were the rise of MFA and an increase in remote working. We’re still waiting on accurate numbers on MFA adoption, but anecdotal evidence suggests continued growth this year. Remote work is one of the most important storylines of 2020 in almost every industry, with the amount of growth massively outpacing predictions due to Covid-19. At the beginning of 2020, more than half of CIOs expected an increase in remote workers. While there was no way to prepare for the totality and pace at which they were forced to do so, these companies likely faced a smoother transition this year because they were already planning for this change.
If those were the predictions, what was the reality? Looking back at 2020, we see four areas as the most important cybersecurity trends that emerged: remote workers, cyberattacks, the rise of MFA, and regulatory hurdles such as CMMC and PSD2.
The remote work phenomenon
To be clear, remote workforces are not a new thing for many companies. It’s a trend we’ve been watching for some time and written about previously, with roots in both technological expansion and worker attitudes created by the 2008 recession. But wow, did 2020 blow the doors open here.
In March, businesses scrambled to figure out a way to maintain operations with offices closed. Given the condensed timeline and pressure, most were remarkably successful in doing so. In the months since, many businesses have pledged to keep their workers remote even once the pandemic subsides. While this model of work appears to benefit both businesses and employees, it also comes with substantial security questions.
What types of devices are remote workers using to connect to company systems and applications? Are those devices also for personal use, or are they provided by the company solely for work purposes? It’s essential that companies have a defined policy on this, and security procedures in place to verify these devices.
The use of passwords and the issuance of temporary passwords are problematic for workers in and out of the office. This is especially true for remote workers who may be connecting via a less secure network or have login issues that require online communications. While passwords should be a thing of the past, for some companies, they’re not yet. Workers are often tasked with remembering dozens, if not hundreds, of passwords. This leads users to either write them down or duplicate them.
While 91% of people understand that repurposing passwords is a security risk, 66% still do so. When applied to a corporate environment, this is an unacceptable security risk. Even companies who have moved to other credentials still issue temporary passwords via email to solve login issues, particularly for remote workers. It’s a perfect opportunity for hackers to circumvent other security procedures you have in place, and one you shouldn’t engage in. You can—and should—eliminate passwords from your organization by implementing our next 2020 trend, multi-factor authentication.
The rise of MFA
Like remote work, MFA was already an established trend, making it low-hanging fruit for expert predictions. Still, by last fall, only 57% of businesses were utilizing MFA. Considering public knowledge about password vulnerabilities, that statistic is disconcertingly low. While we don’t yet have accurate numbers for 2020, we’ve almost certainly seen an increase in the usage of MFA. The benefits of MFA from a security standpoint are well documented, and we recommend every company implement it. But even for those who have an MFA solution, challenges remain.
While MFA does drastically increase your authentication security, it’s important to note that it isn’t a standalone solution for all of your security issues. Too often, we see companies institute MFA only to become complacent, thinking that it will solve a range of security issues. Many companies rightly understand the security threats that are coming from outside their organization, but fail to acknowledge that human error is still the leading cause of a security breach. The biggest issue here is that even in organizations that implement MFA, many users still circumvent controls to access company systems and resources.
It’s for this reason that the concept of zero-trust architecture is gaining steam, even if not commonly known yet. With regards to MFA, zero-trust means that rather than trust that everyone accesses company assets correctly every time, you need a system that ensures they do so. A solution that requires MFA adherence in all instances is the only way to realize its security benefits.
New regulatory hurdles abound
For defense contractors and businesses that rely on e-commerce in the European Union, 2020 was a year to prepare for new compliance initiatives. While we won’t dig in too deep on the implications of both, here’s a brief explanation of what they are and what they mean.
The Cybersecurity Maturity Model Certification (CMMC) combines, consolidates, and expands existing DoD contractor compliance standards. To respond to RFPs (starting now for many contracts, but universally by 2026), contractors need to be CMMC compliant. There are five maturity levels you can demonstrate, and to reach the third level you need to have implemented MFA. Throughout 2020, government contractors have been gearing up to meet the new standards.
For players in the payments ecosystem who do business with parties in the European Union, 2020 has been about preparing to meet the Payment Service Providers Directive (PSD2). The regulation is an attempt to reinforce security in the payments marketplace and reduce fraud. Like CMMC, authentication plays a big part, with PSD2 requiring 2FA.
2020’s biggest data breaches
While companies were navigating a rapidly changing security landscape in 2020, hackers were busy exploiting it. Cybercrime, as it seems to every year, rose again. Phishing attacks and credential theft remain constant threats to enterprises, with healthcare being targeted significantly.
Companies like Twitter, Zoom, Unacademy, and Nintendo fell victim this year, causing financial and PR headaches. From a logistics standpoint, tens of millions of users’ data and personal information were exposed. Cybersecurity threats will continue to increase as we move towards cloud-based business models. Combating them is going to take a holistic approach that’s forward-thinking, rather than just defensive. For many enterprises, this might mean building specialized security teams or hiring external firms.
The healthcare industry was a favorite target for hackers this year, particularly via ransomware, creating a perfect storm for IT teams in a sector already dealing with new challenges related to Covid-19. As healthcare companies transition to telemedicine and remote employment, figuring out how to do so safely will have to be at the forefront.
The industry, with deep pockets and troves of personal data, is particularly inviting for hackers. Companies like Blackbaud, Luxottica, and Health Share of Oregon popped up in the news for all the wrong reasons. Within this all-important sector, the consequences reach further than just bad press and financial setbacks. Experts say that in some cases, these attacks have led directly to the deaths of patients.
If this had been written at the beginning of December, that would have been a sufficient synopsis of the year’s most significant data breaches and trends. But in the past week, the news regarding the SolarWinds and FireEye hack has changed the narrative. While we’re still collecting details, it appears that a long-term, sophisticated attack infiltrated the systems of multiple U.S. government agencies, the IT infrastructure of numerous foreign governments, and dozens of U.S.-based companies.
State-based hacking has been on the rise in recent years and that’s where fingers are being pointed in this attack. While we don’t yet know the quantity and sensitivity of the data compromised, the breadth and length of the hack both pose serious threats. We can’t say anything with absolute certainty yet, but when it’s all said and done, this may end up being the most significant cybersecurity development of the year.
One last look back
Cybersecurity is changing – remote work is gaining popularity, regulators are standardizing security procedures, hackers are exploiting any weaknesses they can find, and businesses are trying to stay one step ahead. If you’d read that last sentence a year ago, it likely wouldn’t have seemed revelatory. In a year like no other, the concepts that underpinned cybersecurity remained surprisingly consistent with years past.
But that doesn’t tell the whole story. Looking back at the year from a cybersecurity standpoint, the trends we saw in previous years were hyper-accelerated. The necessity and adaptive ability of organizations to make transitions towards remote work can’t be overstated. And like everything else in 2020, Covid-19 was the central figure in how it all played out.
About the Author
Harpreet Mangat is the V.P. of Marketing and Talent Management at Axiad. Harpreet has over 10 years of UK and US experience within healthcare, logistics and technology industries. Harpreet’s management experience includes roles in branding, internal and external communication, multi-channel marketing, digital and print advertising, employee engagement, public relations and social media.