Topic: Connectivity

Back in January, we took a slightly different approach to the annual trend prediction blog post and instead sounded off about what the cybersecurity community predicted would NOT happen in 2021. At the time, industry veteran and Vice President of Security Strategy at Lightstream, Rafal Los took to social media to ask, “What’s the thing that probably won’t happen in cybersecurity in 2021?” Now that we’re midway through the year, we wanted to check in and see how accurate their anti-predictions were.

Tied for #1: Password Elimination & Meaningful Asset Management

Raf’s social media followers resoundingly agreed in January that we wouldn’t see an end to passwords as a means to protect our assets, and it shouldn’t come as a surprise to anyone that this forecast was 100% accurate. We still don’t have a better way to protect our personal and enterprise data, as thumb print and facial recognition technology have not yet evolved to ironclad status.

And though the work-from-home trend is not as strong as it was at the start of the year, the unpredictability of the COVID-19 virus continues to cause skepticism about re-implementing a full-time, on-site work strategy. That means remote workers continue to be at risk for identity-related breaches, and maintaining control of computer-related assets, including software, unauthorized devices and loss of security is still a major priority for corporate IT.

Asset management remains a significant challenge, particularly for the mid-sized business market that lacks the deep pockets to afford the security measures that large corporations have in place. Therefore, IT professionals must utilize the remainder of the year to adopt new ways to improve the identification, tracking and management of employees, applications and devices that access resources.

#2: Widespread Zero Trust Adoption

Most of Rafal Los’s respondents shared the sentiment early in 2021 that while the adoption of Zero Trust principles was imperative for the advancement of cybersecurity, they weren’t confident about it being widely adopted in the immediate future. As it turns out, we’re happy to report that this prediction may have been short sighted.

It’s possible that they underestimated COVID-19’s ability to accelerate the adoption of a Zero Trust model. It seems that the pandemic and resulting rise in cybersecurity attacks have fueled investments in new cybersecurity strategies as well as the buzz surrounding Zero Trust security.

According to CISO Mag, a recent report highlighted that more than three-quarters (78%) of companies around the world say that Zero Trust has increased in priority and nearly 90% are currently working on a Zero Trust initiative (up from just 41% a year ago).

The security of every organization depends on a new way of thinking, and the Zero Trust model of “never trusting, always verifying” is profoundly beneficial in an environment where remote working continues to be a trend. Lightstream’s Managed Security Services platform incorporates automation, Zero Trust concepts, best practices and industry-specific compliance to help IT leaders manage costs effectively, reduce complexity and improve the efficiency and efficacy of data center, network and cloud security.

#3: Fully Patched Environments/Systems

At the outset of 2021, Rafal Los’s social media followers were spot-on in their prediction that fully patched environments and systems would be highly unlikely this year. A perfect example of this is Microsoft’s so-called Printnightmare vulnerability that continues to be an issue as of the date of this blog post. Microsoft released a patch for this Print Spooling vulnerability in June of 2021. However, as we explained in January, much like how water usually finds a way to break through that patch in your garden hose, attackers are experts in finding ways to circumvent applied patches when the underlying cause is not fully remediated.

This patch, like so many others released by software providers, can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.

The process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems, enterprise applications (whether in the cloud or on-premises), browsers and end-user applications is an ongoing process that requires considerable time and resources. Therefore, we stand by our advice for enterprise IT to consider outsourcing this initiative to a trusted provider.

#4: Elimination of Phishing

We were far from shocked when many of Raf’s social media followers were emphatic that phishing scams would continue to haunt corporate IT in 2021. In fact, Digital Information World reported that a recent study found that phishing site volume in Q1 of 2021 outpaced Q1 of 2020 by 47 percent. They further reported that phishing is an ever-growing problem particularly for e-commerce and cryptocurrency platforms, but that social media and other sites and platforms that offer financial services also continue to experience phishing at a high rate.

According to the Federal Trade Commission (FTC), scammers were increasingly causing a threat to online retail shoppers, the rental car market, job searchers, and those seeking mortgage relief. They also warned against government imposter scams. The FTC recently issued the following alert:

COVID opened the door for scammers to double down on their worst practices, while preying on consumers during an unprecedented pandemic.

Moreover, Harvard Business Review recently reported that 2021 has seen a dramatic increase in business-related phishing scams, with high-profile ransom attacks against critical infrastructure, private companies, and municipalities grabbing headlines on a daily basis. Lightstream recommends that IT professionals take a multi-faceted security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur.

#5: Unification of C-Suite & Security Professionals

Some of Raf’s respondents forecasted that there would continue to be a dangerous rift between security professionals and the executives/boards they support. A June 2021 Security Magazine article stated that because the majority of security leaders are three steps away from the CEO, only 37% of security professionals believe their organization values and effectively leverages the expertise of the cybersecurity leader. Furthermore, cybersecurity leaders shared they have assumed more accountability and risk, but struggle to achieve the desired security posture, because they are not seen as influential or valued members of their peer group. If you ask us, the next six months represent a major opportunity for companies to develop strategies to ensure accountability “goes both ways.”

#6: Effective Use of Machine Learning

Despite the skepticism expressed by Rafal Los and his social media respondents earlier this year, it seems that enterprise budgets for Artificial Intelligence (AI) and Machine Learning (ML) have been on the rise in 2021. Inside Big Data reported in July that The AI industry is growing and we’re seeing a shift in priorities to more organizations viewing deployment of practical AI as a core strategy and moving away from mere experimentation. Several media outlets are reporting an uptick in the use of machine learning in healthcare and finance, with AI and ML being used to improve consumer experience and engagement, automate business practices, predict cardiovascular disease and mortality, and translate brain signals from paralyzed patients.

Contact Lightstream to find out how we can help you unify strategies to build secure, generational capabilities that can help your organization accomplish its goals in 2021 and beyond.

If you’re scoffing at the predictability of a trend-related blog post in January, we couldn’t agree more. In an effort to be slightly less predictable, we’re taking a different approach by letting you in on what the cyber security community predicts will not happen this year. Industry veteran and Vice President of Security Strategy at Lightstream, Rafal Los recently took to social media to ask, “What’s the thing that probably won’t happen in cyber security in 2021?” Some of the responses from his followers were expected, others, not so much. So, without further ado…let’s take a look at their anti-trends for the coming months.

Tied for #1: Password Elimination & Meaningful Asset Management

Let’s face it, passwords and asset management seem like they’ve been a thorn in the side of the security industry since the invention of the computer. In fact, the first computer password was developed in 1961 at the Massachusetts Institute of Technology, for use with the Compatible Time-Sharing System (CTSS). Yet 60 years later – long after CTSS has given way to the modern Windows and OSx systems in use today – the general consensus is that passwords won’t be going away anytime soon. What is driving this skepticism?

For starters, we still don’t have a better way to protect our personal and enterprise data. Thumb prints and facial recognition are promising, but they still haven’t proven themselves to be ironclad. Adding to that are the security challenges COVID-19 has forced enterprises to overcome. With many companies now operating in work-from-home (WFH) environments and the very real possibility that this will be an ongoing strategy in the post-pandemic economy, remote workers are at a huge risk for identity-related breaches. Corporate IT is struggling to maintain control of computer-related assets, including software, unauthorized devices and loss of security.

Knowing that passwords are here for the foreseeable future and that asset management has never been more challenging, 2021 presents an opportunity for IT leaders. This is a critical time to adopt new ways to improve the identification, tracking and management of employees, applications and devices that access resources.

#2: Widespread Zero Trust Adoption

It’s hard to argue that the adoption of Zero Trust principles is anything but required for cybersecurity to advance. So, despite Zero Trust being at the foundation of Lightstream’s offerings, and what analysts and professionals feel is the future of security, there appears to be a lack of confidence in it being widely adopted in the coming months. It could be that many see Zero Trust as a tool or a widget to be installed – when in fact it’s a rethinking of the way systems interact and behave. Zero Trust goes at the root of security – identity and data – oddly the two things cyber security understands the least. There is something of significance here, but we’ll save that for a future article.

Enterprises should widely embrace a model that shuns the assumption that everything behind the corporate firewall is safe, or that there is such a thing as “behind the corporate firewall” anymore. The security of every organization depends on a new way of thinking, and the Zero Trust model of “never trusting, always verifying” would be hugely beneficial in an environment where remote working is becoming the norm. Lightstream’s Managed Security Services platform incorporates automation, Zero Trust concepts, best practices and industry-specific compliance to help IT leaders manage costs effectively, reduce complexity and improve the efficiency and efficacy of data center, network and cloud security.

#3: Fully Patched Environments/Systems

“Patching. It was a problem in 1999, and the social media responses prove that it continues to be a problem in 2021. What makes this such a difficult task?” ponders Rafal Los. Patching is the process of applying ‘fixes’ to existing deployed software packages, most often from the vendor, when flaws are identified and resolved. Similar to applying a physical patch to a garden hose to prevent water from leaking out, the purpose of the cyber security patch is to cover the vulnerability, keeping attackers from exploiting the flaw. Much like how water usually finds a way to break through that patch in your garden hose, attackers are experts in finding ways to circumvent applied patches when the underlying cause is not fully remediated. Therefore, enterprises must ramp up their vulnerability management strategies in the coming year.

The process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems, enterprise applications (whether in the cloud or on-premises), browsers and end-user applications is no small feat. It’s an ongoing process that requires considerable time and resources, which makes it an initiative that enterprise IT might best consider outsourcing.

#4: Elimination of Phishing

It’s clear that no one expects phishing to go away, nor do we expect people to stop clicking on phishing lures – yes this includes you, security professionals. So, it’s not a huge shock that this is among the anti-trends predicted for 2021. Phishing scams are becoming more sophisticated every day, so it’s imperative that corporate IT do their best to stay one step ahead of attackers. This may involve taking a multi-faceted security approach to lessen the number of phishing attacks and reduce the impact when attacks do occur.

#5: Unification of C-Suite & Security Professionals

There are many cynics in the cyber security industry that see a lack of executive accountability (with the exception of the Chief Information Security Officer). This threatens to further deepen a dangerous rift between security professionals and the companies/boards they support. Therefore, there is a major opportunity for companies to develop strategies to ensure accountability “goes both ways,” as we like to say.

#6: Effective Use of Machine Learning

People are still broadly skeptical of Machine Learning in cyber security. This subset of artificial intelligence has been significantly hyped since its inception, yet it still hasn’t fully come to fruition. Rafal Los considers that while it sounds exciting, perhaps we might be a bit premature in the belief that systems can learn from data, identify patterns and make decisions without human intervention. Besides, we’ve all seen what happens when machines become “artificially intelligent” – and we’re pretty sure we don’t like the ending of that movie.

Other Notable Anti-Predictions

There were several other responses to Raf’s social media posts worth mentioning. While you’d be hard pressed to find someone that expects the number of breaches to go down or malware volume to decrease, they surprisingly didn’t make it into the top six predictions. Could that be due to industry optimism, or perhaps it’s just that we’re all tired of talking about these topics? On the flip side, the elimination of WindowsXP systems made the top 10, which is astonishing since it officially became unsupported way back in 2014 (seriously, what’s it going to take?).

Software-security-related items appear several times, making it obvious that there are some who still have little faith in software security. Rafal Los blames the contentious relationship between security professionals and developers. According to Raf, a typical security professional/developer exchange [still] goes something like this:

Security professional: “You’re doing it wrong.”

Developer: “You don’t know what you’re talking about. Show me.”

Security professional: “It’s not my problem. Fix it.”

Clearly, this is another area where there is major room for unification in 2021.

Contact Lightstream to find out how we can help you unify strategies to build secure, generational capabilities that can help your organization accomplish its goals for 2021 and beyond.