The Future of Passwords, Cloud Security and Ransomware Attacks

By Joseph Carson, Chief Security Scientist & Advisory CISO at Thycotic

What started out as normal year became the year that no one had imagined. A year where individuals, organizations and society would face so many adversaries, challenges, and unexplainable loss because of a global pandemic.

The reality is no industry or business was left completely unscathed by the COVID-19 pandemic as many organizations had to adapt their business models and rethink strategies for the sake of business continuity. For many businesses, it was the rapid shift to remote work, that put their technology infrastructure and security measures to the test due to the huge increase in activity on cloud, SaaS, and collaborative applications.

Organizations had to hastily adapt security measures to protect company devices that had never previously left the organization's managed network which has a strong protective fabric of firewalls, IDS, DMZ's, and security solutions to keep cybercriminals out. Solutions that supported remote access and security got increased priority. Laptops going into the security unknowns of public internet relied on endpoint protection solutions to keep company data secure as many employee's home networks still have default credentials and security disabled leaving them exposed.

Remote work meant that in 2020, cybersecurity needed to start at the endpoint and with the employee working on the frontline where strong cybersecurity awareness training was essential for preparing an employee to be a stronger defense mechanism.

As we look ahead of 2021 to what will hopefully be a more prosperous year, what are some of things that businesses should prepare for? Well, here are some trends organizations should expect to see emerge in the new year.

Passwords replaced with stronger alternatives

In recent years, there has been a lot of buzz about the possibility of a "passwordless" world. The truth is passwords are not completely disappearing anytime soon. However, they are continually moving out of the limelight and into the background for users as alternative log-in and verification methods such as biometrics, PIN's, behavior analytics and multifactor authentication grow in prominence. In 2021, we will see user interaction with passwords continue to decline. Passwords will still exist but predominantly be hidden from view of the users as authentication and authorization will occur behind the scenes.  As we move away from relying on employees to configure and change complex passwords and instead delegate these tasks to experienced password manager or privileged access security solutions, we will see a dramatic increase in the strength of organizations' authentication security measures and reduce one of the biggest causes of cyber fatigue.

The biggest financial cyber threat to organizations will remain ransomware

In 2020, we witnessed thousands of ransomware attacks across the world, including hundreds of attacks directed towards the healthcare and transportation industry at a time when they were already under extreme pressure. As we start the new year, ransomware attacks will without a doubt continue to be the biggest cyber security challenge and threat organizations will face. In 2021, ransomware will continue to evolve, and organizations will need to remain prepared and vigilant. Organizations should ensure enough budget and resources are allocated towards security solution investments to not only reduce the risk, but also allow for a proper incident response plan and resiliency should these attacks occur.

Data privacy concerns will continue to force compliance initiatives

As seen in 2020, ordinary users of the internet and indeed the media became more concerned about the level of personal information and data which popular social platforms and sites collect from users and visitors. Many citizens still do not know how much of their data is collected or how it is stored and retained on certain platforms. Next year, as the focus on citizens' privacy and regulatory compliance adherence grows, the pressure for companies to provide adequate security measures and implement least privilege policies that protect the data they have been entitled to collect or process, will continue to mount. Ultimately, the issue of data privacy will start to evolve into a "Data Rights Management" movement meaning that it will become more about how the personal data is used and what monetarization results from the data.  Imagine a browser plugin that calculated the value of the data you share with internet platforms and the cost of each click or time staring at an ad, that would make the real impact transparent.          

Every user is now a "Privileged User"

In 2021, we will also continue to see that almost every employee at an enterprise is now classified as a ‘privileged user' with access to confidential and highly sensitive data within an organization. It used to be considered that privileged access was only reserved for the domain administrator or the root account who held the "Keys to the Kingdom". However, many of today's data breaches have not been because of a compromised domain account but instead emerged from the privileged accounts held by employees who have access to important data. There is no doubt that every user is now becoming a privileged user as most users have access to some type of sensitive data within an organization.  As not all users will have the same level of privileged access, organizations must take a risk-based approach and apply the appropriate security controls to each user based on the level of access they have to privileged data. 

Cloud Security to become the First Choice Security Strategy

As we move into 2021, organizations around the world will not only continue to have a cloud first strategy in place but this will also expand to include a cloud first choice security strategy. In 2020, as remote work was widely adopted, organizations became more experienced in utilizing and quickly accelerating to cloud solutions. In 2021, as many enterprises will look into the possibility of implementing a more permanent hybrid or completely remote work structure, cloud security will enable those employees to access business applications using privileged cloud access security.

##

About the Author

Joseph Carson is a cybersecurity professional with more than 25 years' experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Thycotic. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP). Carson is a cybersecurity adviser to several governments, critical infrastructure organizations, and financial and transportation industries, and speaks at conferences globally.