Cybersecurity has always been a never-ending race, but the pace of change is accelerating. Companies continue to invest in technology to run their businesses. Today, they are integrating more and more systems into their IT networks to support remote work, improve customer experience and drive value, creating new potential vulnerabilities.
At the same time, adversaries - no longer limited to individual actors - include highly sophisticated organizations that leverage tools and capabilities integrated with artificial intelligence and machine learning. The scope of the threat is growing, and no organization is immune. Small and medium-sized businesses, municipalities, and state and federal governments face these risks just as much as large enterprises. Today's most sophisticated cyber controls, however effective, will soon be obsolete.
In this environment, leaders must answer two key questions: "Are we prepared for accelerated digitization over the next three to five years?" and, more specifically, "Are we looking far enough ahead to understand how today's technology investments will impact cybersecurity in the future?"
Many organizations are recognizing the need to radically change their cybersecurity capabilities and ensure the resiliency of their technology. The solution is to strengthen their defenses by looking to the future - anticipating the emerging cyber threats of the future and understanding the multitude of new defensive capabilities that companies can use today and others they can plan to use tomorrow.
Businesses can only address and mitigate the disruptions of the future by being more proactive and forward-looking today. Over the next three to five years, three major cybersecurity trends that cut across multiple technologies will have the greatest impact on businesses.
Mobile platforms, remote work, and other changes are increasingly dependent on rapid access to ubiquitous and large data sets, increasing the likelihood of a breach. The web hosting services market is expected to generate $183.18 billion by 2026. Companies are collecting much more data about their customers, from financial transactions to electricity usage to social media views, in order to understand and influence buying behavior and more effectively forecast demand. By 2020, each person on Earth will create an average of 1.7 megabytes of data per second. With the increased importance of the cloud, companies are increasingly tasked with storing, managing and protecting this data and addressing the challenges associated with exploding data volumes. To implement such business models, companies need new technology platforms, including data lakes that can aggregate information, such as vendor and partner channel assets, across environments. Companies aren't just collecting more data; they're centralizing it, storing it in the cloud and granting access to a range of people and organizations, including third parties such as suppliers.
Many recent high-profile attacks have exploited this expanded access to data. The Sunburst hack in 2020 involved malicious code distributed to customers during regular software updates. Similarly, in early 2020, attackers used compromised employee credentials from a large hotel chain's third-party application to access more than five million customer records.
The stereotypical hacker working alone is no longer the primary threat. Today, cyberhacking is a multibillion-dollar enterprise with institutional hierarchies and research and development budgets. Attackers use advanced tools, such as artificial intelligence, machine learning and automation. In the next few years, they will be able to accelerate - from weeks to days or hours - the end-to-end attack lifecycle, from reconnaissance to exploitation. For example, Emotet, an advanced form of malware targeting banks, may change the nature of its attacks. In 2020, leveraging advanced AI and machine learning techniques to increase its effectiveness, it used an automated process to send contextualized phishing emails that hijacked other email threads - some related to COVID-19 communications.
Other technologies and capabilities are making already known forms of attacks, such as ransomware and phishing, more prevalent. Ransomware-as-a-service and crypto-currencies have significantly reduced the cost of launching ransomware attacks, which have doubled in number each year since 2019. Other types of disruptions often trigger a spike in these attacks. During the initial wave of COVID-19, from February 2020 to March 2020, the number of ransomware attacks worldwide spiked 148 percent, for example. Phishing attacks increased by 510 percent from January to February 2020.
Many organizations lack sufficient cybersecurity talent, knowledge, and expertise, and this gap is growing. In general, cyber risk management has not kept pace with the proliferation of digital and analytic transformation, and many organizations do not know how to identify and manage digital risks. To complicate the problem, regulators are tightening their guidance on companies' cybersecurity capabilities - often with the same level of oversight and attention applied to credit and liquidity risks in financial services and operational and physical security risks in critical infrastructure.
At the same time, companies are facing more stringent compliance requirements due to growing privacy concerns and high-profile breaches. There are now more than 100 cross-border data flow regulations. Cybersecurity teams must manage additional data and reporting requirements stemming from the White House's executive order on improving the nation's cybersecurity and the advent of mobile operating systems that ask users how they want data from each app to be used.
For each of these changes, defensive capabilities can be developed by organizations to mitigate the risk and impact of future cyber threats. Clearly, these capabilities are not a perfect match for individual developments, and many of them apply to multiple developments. Leadership teams need to consider all of these capabilities and focus on those that are most relevant to their unique business situation and context.
Mitigating the cybersecurity risks associated with on-demand access to ubiquitous data requires four cybersecurity capabilities: zero trust capabilities, behavioral analysis, elastic log monitoring, and homomorphic encryption.
To counter more sophisticated attacks conducted by AI and other advanced capabilities, organizations should take a risk-based approach to automation and automated responses to attacks. Automation should focus on defensive capabilities such as security operations center (SOC) countermeasures and labor-intensive activities such as identity and access management (IAM) and reporting. AI and machine learning should be used to stay on top of evolving attack patterns. Finally, the development of automated technical and organizational responses to ransomware threats helps mitigate risk in the event of an attack.
Increasing regulatory oversight and gaps in knowledge, talent, and expertise reinforce the need to build security into technology capabilities as they are designed, built, and implemented. In addition, capabilities such as security as code and a software bill of materials help organizations deploy security capabilities and stay ahead of regulators' demands.
Digital disruption is inevitable and will result in rapid technological change. Organizations making large-scale investments in technology, whether out of innovation or necessity, must be aware of the cyber risks associated with it. Attackers exploit the vulnerabilities that new technologies introduce, and even the best cyber controls quickly become obsolete in this accelerating digital world. Organizations looking to position themselves as effectively as possible over the next five years will need to take a relentlessly proactive approach to building long-term defensive capabilities.