BSI forecasts 2021 cybersecurity trends
The Consulting Services team at BSI, the business improvement company, has outlined five key trends, across the cybersecurity and data governance landscape for the year ahead, demonstrating how vital information resilience will continue to be for many organizations across the globe in 2021.
- 1. Evolution of ransomware
Ransomware will continue to rise in number and sophistication in 2021 across all sectors and organization sizes. 2020 saw the impact of commodity attacks that evolved to combine traditional attack skills such as Phishing, Remote Desktop Protocol (RDP) brute force and network vulnerability exploitation with ransomware to maximize return on investment for attackers.
Stephen O’Boyle, Global Practice Director - Cyber, Risk and Advisory at BSI says: “The cyber-world is a haven for cybercriminals and last year we saw how unscrupulous ransomware attackers can be as attacks on healthcare during the global pandemic persisted and ramped up.”
- 2. Dominance of privacy regulations and data management
It is anticipated that 2021 will see data protection continue to dominate the regulatory landscape with main events focused on the UK’s transition from the EU, the impact of the Court of Justice of the European Union (CJEU) Schrems II case ruling on Privacy Shield, the California Consumer Privacy Act (CCPA) and an anticipated increase in lawsuits, cookie consent management monitoring and the anticipated arrival of the ePrivacy Regulation.
“High impact compliance issues will dominate the data protection landscape in 2021 and will require important reviews of compliance frameworks for organizations across the globe.
“The 5,000 Privacy Shield organizations will need to revise their transfer mechanisms, and update or introduce Standard Contractual Clauses (SCCs) following the Schrems II decision. An upswing in CCPA lawsuits and the passage of new CPRA – California Privacy Right Act, Brazil’s LGPD (Lei Geral de Proteção de Dados), New Zealand’s Privacy Act and imminent changes to Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) will keep data privacy and legal teams scrambling to stay on top of compliance requirements,” said Stephen.
- 3. New PCI DSS v.4.0 Standard
PCI DSS v4.0 is expected to be published mid-2021, providing more flexibility for achieving and maintaining compliance. The new standard will run parallel with Version 3.2.1 for 18 months to allow organizations time to adopt and migrate to meet the new security obligations.
“Version 4.0 will allow for an outcome-based approach, as well as the usual prescriptive control set and validation processes that Version 3.2.1 provided. It will introduce more flexibility and support methodologies, enhance validation methods and procedures including new future dated controls, which we see as an advantage when used in environments such as the cloud that are evolving rapidly. according to O’Boyle.
- 4. Cloud delivered defense - Secure Access Service Edge (SASE)
Cloud migration will continue to advance in 2021, used by organizations to protect assets, preserve users experience, and add value and will be of benefit to those operating a hybrid working environment. SASE, a Gartner-defined concept, comprises the interconnection of network and security components in a cloud-delivered model that meets organizations digital and security needs.
“Remote working has amplified the move to cloud with many workforces connecting to applications and accessing information from remote locations outside of traditional corporate networks. With SASE, companies are enabling remote connectivity resilience and security for an increasingly distributed workforce. Cloud hosting solutions have meant that the challenge of consistently protecting employees and data is adding real value for many organizations and this will continue to grow in 2021.” said O’Boyle.
- Purple teaming - a powerful security testing concept
2021 will see the continued rise and shift towards the hybrid security methodology of purple teaming with organizations investing in attack and adversary simulations (Red teaming) and defensive techniques (Blue teaming) together.
“It is estimated that attackers go undetected on a network for an average of 146² days, which is a long time for them to gain access to privileged information. As attacks increase, being able to verify the effectiveness of existing security controls and vulnerabilities is essential. Purple teaming will become more popular as more and more organizations begin to understand the benefits of performing attack simulation tests for their organization, and more importantly gain assurance that they can respond in a timely and effective way.” concluded Stephen.
The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-us