Consulting Services team at BSI outlines key cyber security trends for 2021
20 January 2021
The Consulting Services team at the British Standards Institution (BSI) has outlined five key trends across the cyber security and data governance landscape for the year ahead, demonstrating how vital information resilience will continue to be for many organisations across the globe this year.
2020 saw the impact of commodity attacks that evolved to combine traditional attack techniques such as phishing, Remote Desktop Protocol (RDP) compromise, brute force and network vulnerability exploitation with ransomware to maximise the attackers' return on investment. Ransomware will continue to rise in number and sophistication in 2021 across all sectors and organisation sizes.
Stephen O’Boyle, global practice director for cyber, risk and advisory at the BSI, commented: “The cyber world is a haven for cyber criminals. We’ve seen how unscrupulous ransomware attackers can be as attacks on healthcare during the global pandemic persisted and ramped up. The trends of 2020 clearly highlighted new techniques to shorten time to pay. Attackers began to leverage brand and reputational impact by exfiltrating key data sets before encrypting and posting samples online and threatening full disclosure of data.”
O’Boyle added: “Ransomware will remain very lucrative and, in 2021, will continue to evolve. Until the cost of perpetrating a ransomware attack becomes more than the financial return, we can expect to see an increase in activity.”
Dominance of privacy regulations
It’s anticipated that 2021 will see data protection continue to dominate the regulatory landscape, with the main events being the UK’s transition out of the European Union (EU), the impact of the Court of Justice of the European Union’s Schrems II ruling on Privacy Shield, the anticipated increase in lawsuits under the California Consumer Privacy Act (CCPA), the monitoring of cookie consent management and the anticipated arrival of the ePrivacy Regulation.
O’Boyle observed: “High impact compliance issues will dominate the data protection landscape in 2021 and require important reviews of compliance frameworks for organisations across the globe. With the UK becoming independent of the EU, adopting a risk-based approach is required for companies selling goods or services in the UK or who are monitoring UK-based data subjects. They will need to assess whether they fall under the scope of Article 27 under the General Data Protection Regulation.”
Likewise, the almost 5,000 organisations that have used the Privacy Shield for data transfers will need to revise their transfer mechanisms and update or introduce Standard Contractual Clauses following the Schrems II decision. An upswing in CCPA lawsuits and the passage of the new California Privacy Rights Act, Brazil’s Lei Geral de Proteção de Dados, New Zealand’s Privacy Act and imminent changes to Canada’s Personal Information Protection and Electronic Documents Act will keep data privacy and legal teams scrambling to stay on top of compliance requirements.
New PCI DSS v4.0 Standard
Payment Card Industry (PCI) Data Security Standard (DSS) v4.0 is expected to be published mid-2021, providing more flexibility for achieving and maintaining compliance. The new standard will run parallel with Version 3.2.1 for 18 months to allow organisations time to adopt and migrate to meet the new security obligations.
Version 4.0 will allow for an outcomes-based approach alongside the prescriptive control set and validation processes that Version 3.2.1 provided. It will introduce more flexibility, support a wider range of methodologies and enhance validation methods and procedures, including new future-dated controls.
“We see it as an advantage when used in environments such as the cloud that are evolving rapidly,” commented O’Boyle. “As the standard attempts to keep up with evolving technology and threat landscapes, we will see control areas such as encryption and monitoring develop to take account of these landscape changes. It’s important that organisations subject to the PCI DSS are aware of the upcoming changes and effectively plan to include these in their annual roadmap.”
Cloud migration will continue to advance in 2021 as it’s used by organisations to protect assets, preserve user experience and add value. It will certainly be of benefit to those operating a hybrid working environment.
SASE (Secure Access Service Edge), a Gartner-defined concept, comprises the interconnection of network and security components in a cloud-delivered model that meets organisations’ digital and security needs. Organisations benefit from a focus on technologies that secure cloud applications, data, devices, networks and users. There are advantages to be had from convergence, cloud scalability and security visibility. SASE provides a unified route for moving to a zero trust model.
“Remote working has amplified the move to cloud, with many workforces connecting to applications and accessing information from remote locations outside of traditional corporate networks,” asserted O’Boyle. “With SASE, companies are enabling remote connectivity resilience and security for an increasingly distributed workforce. Cloud hosting solutions have meant that the challenge of consistently protecting employees and data is adding real value for many organisations and this will continue to grow in 2021.”
2021 will see the continued rise of, and shift towards, the hybrid security methodology of purple teaming, with organisations investing in attack and adversary simulations (red teaming) and defensive techniques (blue teaming) together. Working harmoniously, both teams are used to maximise the information resilience capabilities of an organisation through continuous feedback, knowledge transfer and the adoption of best practice.
“It’s estimated that attackers go undetected on a network for an average of 146 days which is a long time for them to gain access to privileged information,” concluded O’Boyle. “As attacks increase, being able to verify the effectiveness of existing security controls and vulnerabilities is essential. Purple teaming will become more popular as more and more organisations begin to understand the benefits of performing attack simulation tests for their organisation and, more importantly, gain assurance that they can respond in a timely and effective way.”