Emerging digital threats are among the top five risks that multinational companies will face in the coming year, according to a report from Control Risks.
Nicolas Reys, a director who heads up the global cyber threat intelligence practice, part of the broader cybersecurity department at the global risk consultancy, spoke with SC Media about how companies can position themselves to rebound from a year complicated by the pandemic, climate change challenges and deteriorating U.S.-China relations.
As the report says, the agile adoption of emerging technologies is essential, but with that comes increased cyberthreats and digital nationalism challenges. How so?
Cyberthreat and digital nationalism trends have evolved in parallel to the adoption of emerging technologies for years. They have intersected at times in the past when threat actors identified vulnerabilities in new technologies or governments legislated retrospectively on tech. In 2021 that collision will be more violent than before. We expect that the speed at which businesses have had to implement new technology in the wake of the pandemic has ineluctably led to security and risk management oversights. These will be exploited by threat actors. At the same time, technology has never been more critical to national economies and the well-being of populations, leading regulators to scrutinize this space increasingly. Technology has become inherently subject to global politics and essential to the survival of businesses. Businesses will have to adapt to more pervasive threats and regulations while balancing the demands of rapid adoption.
Did multinational companies with more mature digital transformation fare better as the pandemic swept the world?
Yes, they did, especially those that had invested in automation and cloud services for workforces. The ability to move nearly seamlessly from in-office to home and from on-premises to the cloud was key for businesses to adapt to the chaos brought by the pandemic. Those businesses that had invested in digital transformation across their IT and OT assets were able to do so faster and better. They proved more resilient and able to deal with the onslaught of threat actors who targeted remote workers, focusing their security teams on what mattered.
What types of regulation do you expect to rise in 2021 and what will their effect be on digital transformation and the adoption of emerging technologies?
Regulations in 2021 will focus across three key axes. Data privacy and localization, as we have seen in California, the European Union and China amongst others, will continue to grow, with key jurisdictions such as India and Brazil set to implement legislation in the year ahead. Secondly, systems-driven regulation will grow in 2021. Compliance requirements for the security of critical IT and OT networks across jurisdictions will continue to emerge in tandem with data-centric regulations, mandating standards to be respected by enterprises, especially those operating anywhere in the critical infrastructure supply chain. Lastly, we expect more procurement-oriented regulations to come into place in 2021 and beyond. National security considerations and vendor-specific prohibitions will grow as emerging technologies increasingly become part of broader geopolitical disputes. Businesses will have to plan ahead for what may become rapid and binary decisions by governments across the world.
Will companies have to choose between supply chains that comply with national security and regulatory requirements? What kind of balance can multinationals strike in response?
Yes, and in many ways this has been experienced by enterprises operating in critical infrastructure over the past few years. Companies will need to anticipate which suppliers may become the focus of governmental restrictions based on their political profiles. Resilience increasingly implies considerations across security, operations and compliance in the technology landscape. For many multinationals, the core principles of resilience and supply chain compliance already co-exist with their normal operations in the fields of corporate security, fraud and compliance. It is those principles that should be applied to technology supply chains. From effective cyber due diligence to considerations on security and political risks, multinationals will have to adapt what they already do in other areas of their business to their technology procurement.
Where will cyberthreat actors find opportunities in the coming year?
Several major opportunities have emerged in 2020 and will continue to grow in 2021. The increased flexibility of workforces and the reliance on cloud services to operate is an opportunity that threat actors have exploited throughout the pandemic. Targeting SSO, mobile and personal devices has proven an effective entry point for many threat actors. In addition, software supply chains will face increased targeting by threat actors. Large multinationals’ investment in perimeter defenses is being subverted by the targeting of key suppliers by threat actors. Widely deployed technologies and their update servers are an increasingly attractive target for threat actors to compromise, and they will attempt to do so in the coming year. The regulatory obligations to promptly disclose data breaches on sensitive and personal information emerging across jurisdictions will also generate additional opportunities for threat actors. Their awareness of the time-to-disclose for companies will enable them to put additional pressure on their victims, particularly in extortion cases.
What can companies do to ensure they successfully navigate the complexities of 2021?
Planning for resilience is key for cybersecurity in 2021. Detection and response capabilities have improved significantly in the past few years and cooperation across industries is improving. However, dealing with the increasingly multi-faceted nature of cyber risks is forcing companies to adapt existing risk management mechanisms to the digital realm. Holistic resilience, compliance and security operations that take technology into account are a must for organizations to succeed in 2021. Understanding their own technology’s exposure to regulations and geopolitics will be key to anticipating potential changes in the global landscape that will impact them. On the threat side, companies are increasingly looking to automation in the prevention and detection of cyber threats. These investments will pay off and will help with navigating 2021. On top of that, building resilience will be important in 2021. The re-emergence of wide-ranging disruptive threats, from ransomware to industrial sabotage, is putting the onus on recovery. Focusing on scenario-planning for large-scale disruptive events will be tremendously beneficial in 2021.
What actions (or maybe more accurately, inaction) might companies take that would hobble their ability to navigate 2021’s complexities?
Returning to the thinking that technology is an IT issue puts organizations at risk in the 2021 landscape, and so will expecting that governments will revert to non-involvement in the regulation of technology. Failing to plan ahead for evolution in the threat landscape will put companies on the back foot in 2021. Threat actors continue to adapt to a changing landscape, and so should organizations.
Could you address the role that the pandemic played on the cyberthreat landscape?
The pandemic played the role of a significant accelerant on the cyberthreat landscape, both from a risk-exposure perspective and from a threat-actor perspective. Companies pushed digitization projects very quickly, leading to a prevailing concern that rigorous security considerations may have given way to the need to adapt to the pandemic. Simultaneously, threat actors accelerated their transformation, especially with regard to disruptive operations. Cybercriminal groups professionalized significantly throughout 2020, with the emergence of cartels working together to launch hybrid ransomware and data leak extortion at a scale and level of proficiency that had not been seen before. This is largely down to the success that these groups had holding companies for ransom amidst the pandemic. Nation-states also accelerated their operations globally, from industrial espionage targeting healthcare and pharmaceutical companies to disruptive operations for political purposes; the pandemic emboldened the use of cyber capabilities to pursue national and foreign strategic priorities for many states.
Ransomware continued to dominate the landscape in 2020. Will the same be true in 2021? What kind of ransomware attacks can we expect and who will the targets be?
Ransomware will continue to dominate the landscape in 2021. Cybercriminal groups are continuing to improve their tactics, techniques and procedures, whilst increasing cooperation across specialized groups. The process of cartelization witnessed in 2020 will lead to more impactful ransomware operations in 2021. The challenges faced by organizations in responding to ransomware attacks will be compounded by the increased number of entities sanctioned by governments. Ransomware operators have increasingly diversified their tactics to also include data leak extortion in combination with ransomware. This will continue in 2021. We also expect to see an increased focus on the IT and telecommunication sector and in particular the targeting of software and infrastructure supply chains by ransomware operators. As we have seen in 2020, the targeting of a technology company can disrupt thousands of organizations at once, something criminals are paying close attention to. We also expect to see more nation-states deploy ransomware attacks as part of their operations in order to distract and disrupt cybersecurity responses by enterprises.
How did governments and law enforcement do in meeting the threats of 2020? Are they well positioned to spurn them in 2021?
Governments and law enforcement increased their mobilization throughout 2020 to support organizations in countering cyber threats. National CERTs and intelligence sharing bodies worked effectively to support many organizations across national jurisdictions. In 2021, we expect to see a continuation of this increased public-private partnership. The reality of cyber threats today is such that no government alone can effectively protect an entire economy, public-private partnership must be utilized and work effectively to detect and respond to cyberattacks.