13 January 2021
The Consulting Services team at BSI outlines five key trends, among many, across the cybersecurity and data governance landscape for the year ahead, demonstrating how vital information resilience will continue to be for many organizations across the globe in 2021.
1. Evolution of ransomware
2020 saw commodity attacks evolve to combine established intrusion techniques such as phishing, Remote Desktop Protocol (RDP) brute force and exploitation of network vulnerabilities with ransomware, maximizing attackers' return on investment. Ransomware will continue to rise in both volume and sophistication in 2021 across all sectors and organization sizes.
Stephen O’Boyle, Global Practice Director - Cyber, Risk and Advisory at BSI, says: “The cyber-world is a haven for cybercriminals and this year we have seen how unscrupulous ransomware attackers can be as attacks on healthcare during the global pandemic persisted and ramped up. The trends of 2020 clearly highlighted new techniques to shorten time to pay. Attackers began to leverage brand and reputational impact by exfiltrating key data sets before encrypting and posting samples online and threatening full disclosure of data. Ransomware will remain very lucrative and in 2021 it will continue to evolve - and until the cost of perpetrating a ransomware attack becomes more than the financial return, we can expect an increase in activity.”
2. Dominance of privacy regulations and data management
2021 is expected to see data protection continue to dominate the regulatory landscape, with the main events being the UK’s transition out of the EU, the impact of the Court of Justice of the European Union (CJEU) Schrems II ruling on Privacy Shield, an anticipated increase in lawsuits under the California Consumer Privacy Act (CCPA), monitoring of cookie consent management, and the anticipated arrival of the ePrivacy Regulation.
“High impact compliance issues will dominate the data protection landscape in 2021 and will require important reviews of compliance frameworks for organizations across the globe. With the UK becoming independent of the EU, adopting a risk-based approach is required for companies selling goods or services in the UK or who are monitoring UK based data subjects. They will need to assess whether they fall under the scope of Article 27 under the General Data Protection Regulation (GDPR).”
“Likewise, the almost 5,000¹ organizations that have used the Privacy Shield for data transfers will need to revise their transfer mechanisms, and update or introduce Standard Contractual Clauses (SCCs) following the Schrems II decision. An upswing in CCPA lawsuits and the passage of the new California Privacy Rights Act (CPRA), Brazil’s LGPD (Lei Geral de Proteção de Dados), New Zealand’s Privacy Act and imminent changes to Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act) will keep data privacy and legal teams scrambling to stay on top of compliance requirements,” said Stephen.
3. New PCI DSS v4.0 Standard
PCI DSS v4.0 is expected to be published in mid-2021, providing more flexibility in achieving and maintaining compliance. The new standard will run in parallel with version 3.2.1 for 18 months to give organizations time to adopt it and migrate to the new security obligations.
“Version 4.0 will allow for an outcome-based approach, as well as the usual prescriptive control set and validation processes that Version 3.2.1 provided. It will introduce more flexibility and support methodologies, enhance validation methods and procedures including new future-dated controls. We see it as an advantage when used in environments such as the cloud that are evolving rapidly. As the standard attempts to keep up with evolving technology and threat landscapes we will see control areas such as encryption and monitoring develop to take account of these landscape changes. It is important that organizations subject to PCI are aware of the upcoming changes and effectively plan to include these in their annual road map,” according to O’Boyle.
4. Cloud-delivered defence - Secure Access Service Edge (SASE)
Cloud migration will continue to advance in 2021, as organizations use it to protect assets, preserve user experience and add value, and it will particularly benefit those operating a hybrid working environment. SASE, a Gartner-defined concept, is the convergence of networking and security functions into a single cloud-delivered model that meets an organization’s digital and security needs. Organizations benefit from a focus on technologies that secure cloud applications, data, devices, networks and users, with the advantages of convergence, cloud scalability and security visibility. SASE provides a unified route towards a Zero Trust model.
“Remote working has amplified the move to cloud with many workforces connecting to applications and accessing information from remote locations outside of traditional corporate networks. With SASE, companies are enabling remote connectivity resilience and security for an increasingly distributed workforce. Cloud hosting solutions have meant that the challenge of consistently protecting employees and data is adding real value for many organizations and this will continue to grow in 2021,” said O’Boyle.
5. Purple teaming - a powerful security testing concept
2021 will see the continued rise of, and shift towards, the hybrid security methodology of purple teaming, with organizations investing together in attack and adversary simulation (red teaming) and defensive techniques (blue teaming). Working in concert, the two teams maximize an organization’s information resilience capabilities through continuous feedback, knowledge transfer and adoption of best practice.
“It is estimated that attackers go undetected on a network for an average of 146² days which is a long time for them to gain access to privileged information. As attacks increase, being able to verify the effectiveness of existing security controls and vulnerabilities is essential. Purple teaming will become more popular as more and more organizations begin to understand the benefits of performing attack simulation tests for their organization, and more importantly gain assurance that they can respond in a timely and effective way,” concluded Stephen.
The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-ie
Notes to editor