16 December 2020: Instead of predicting more malware, ransomware attacks and data theft, the cyber security industry needs to stop trying to prevent access to IT systems and take a new data-centric approach, says Nigel Thorpe, technical director at SecureAge, who looks at some predictions that should come true in 2021, but probably won’t.
“Organisations should accept the reality that it is just not possible to keep all cybercriminals out, all of the time,” says Thorpe. “The attack surface is getting bigger as the remote and hybrid office provides a softer point of entry into the corporate network, while the insider threat is also extended as third-party service providers gain greater access to data and systems. But this acceptance of reality won’t happen quickly, because the traditional methodology is for organisations to add more layers of defence to stop bad actors getting in; or to accept the inevitable and have incident response plans and procedures in place to recover.”
Other things that should happen in 2021, but are unlikely to, include:
The Zero Trust model will be extended to data
You can build as many micro-perimeters with authentication and access controls as you like, but if a cybercriminal – insider or external – gains user access, then data is there for the taking. And relying on full disk encryption on a running system is about as useful as a Secret Santa. What should happen is that security is built right into all data using file-level encryption. This approach ensures that even if stolen, data remains protected and unusable by the cybercriminal. This is the simplest solution that gets to the heart of the problem without disrupting the way people or applications work. However, this extension of Zero Trust into the data won’t happen because of the belief that more doors and more monitoring will keep data safe. But this is just more tinkering around the edges of the problem.
IoT devices in the home will be recognised as a back door to the corporate network
The growth of connected devices from smart light bulbs to digital assistants can give cybercriminals access to home networks. From there, the jump to an employee’s laptop and into the corporate network is relatively easy. But IoT security is still woeful and is not going to change anytime soon.
Even trusted technologies for securing remote workers, such as multi-factor authentication (MFA) and Virtual Private Networks (VPNs), do not defend against a cybercriminal who has hacked their way onto the home PC.
All data will be considered equal
Cybercriminals aggregate data stolen or purchased on the dark web to build personal profiles for use in identity theft. This means that all data is a security risk and should be protected. But the traditional approach is to only protect and encrypt the ‘important’, sensitive data, which means picking and choosing – so-called data classification. Others use full disk encryption, but this check-box approach to data security does not protect information on a live, running system. In a recent Ponemon report, sixty-nine percent of respondents say discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy. Thirty-two percent say that classifying which data to encrypt is as difficult and is one of the major hurdles. If this is the top concern, why not just encrypt everything?
We will stop relying on everyone being an IT security expert
More of the population now recognise a suspicious link or email attachment, but it is still too easy to click on something that releases ransomware or other malware, and no amount of IT security education will eliminate this risk. Blocking all unauthorised processes is the only way to stop all malware from working, but most organisations still rely on the ‘human firewall’. The better approach is to behave like the doorman at the nightclub – if you’re not on the list, you’re not coming in.
“We can’t keep predicting more attacks and breaches every year and still approach the problem in the same way as we have always done,” says Thorpe. “It’s time we stopped simply doing all we can to prevent access to the things we want to protect and focus on the data itself.”
About SecureAge Technology
SecureAge Technology is a rapidly growing data security company that places security and usability on equal footing. Headquartered in Singapore, we are trusted by governments, research institutes, and forward-thinking organisations to protect them from the most advanced and persistent cyber threats in the world. What makes SecureAge different is that we have built a reputation for data-centric and intuitive security solutions that protect data not only when it is stored, but also when it is in use, and in transit. We have achieved this by holding strong rein on our belief that users shouldn’t have to become cybersecurity experts to escape data liabilities. Instead, encryption should be inherent, invisible, and instinctive. To protect data when it is most vulnerable, security must take place at the file level, operate silently in the background, and support the way in which people collaborate. That’s why our users can divert their resources to focus on other challenges – SecureAge users enjoy 100% file-level security, every file, every place, and every time.