A review of cyber security predictions for 2021
Paul Brucciani FCIIS
Cyber Security Marketing | Sales Enablement | Consulting | Fellow of the Chartered Institute of Information Security
Why predict?
Even for those working in the tumultuous world of cyber security, 2020 was especially chaotic as the world’s best laid plans went up in COVID-fuelled flames. “You’re on mute” sums up 2020 for me. We are hostages to fortune, so what is the sense in studying cyber security predictions?
Every age has its pundits who declare that the world is too chaotic and unpredictable to make it worthwhile managing risk, yet the world is not more unpredictable now than it was 100 or even 1000 years ago, even if the risks are more complex.
Making predictions is as much art as science, but by using foresight to lay out the range of future challenges we are likely to face, we can be better prepared to meet them. Paranoid optimism - the combined effect of vigilance, realistic fear and a positive outlook - sharpens your foresight and strengthens your ability in a fast-changing world.
This blog presents a review of predictions for 2020. It aims to stimulate foresight and to identify the themes and predictions that will better enable you to cope with whatever 2021 throws at us.
"Paranoid optimism...sharpens your foresight and strengthens your ability in a fast-changing world."
(Risto Siilasmaa, Former Chairman, Nokia; Founder of F-Secure)
Quick review of 2020
Verizon’s Data Breach Investigations Report (DBIR) catalogued nearly 4,000 data breaches in 2020, large and small. The 80 largest breaches of the year, as identified by ZDNet, are summarised in the charts below.
Key trends:
- Credential theft, phishing and errors cause two thirds of breaches
- The quietest month was April when even the criminal world was in lockdown
- From May 2020, there was a steep rise in ransomware attacks, which now account for 27% of malware incidents. This year, ransomware attacks come with menaces for failure to pay.
- Attacks on web apps more than doubled compared with last year, to 43% of all breaches. As workflows move to cloud services, it makes sense for attackers to follow.
This is what is happening today. Let’s look at what the cyber security experts predict for 2020.
Analysis of cyber security predictions for 2021
Prediction sources
Twenty-five companies were selected, ~80% of which published predictions last year. Most operate global, well-resourced threat intelligence units that use unique and verifiable primary sources, and the quality of their work is high. Collectively, they made 170 predictions, but some sources are better at it than others. Counting how often the word ‘will’ accompanies a prediction shows why discernment is required. Credit to BeyondTrust, Digital Shadows and Splunk for sticking their necks out by making definitive statements.
I have tried to weed out the pseudo-predictions: commentary on current trends; overly general or nakedly self-serving statements; and safe predictions like ‘cyber attackers will identify and exploit new vulnerabilities.’
New to the fold in 2020 are Outpost24, Tessian and Thycotic. Returning to the fold this year are Cisco and AT&T. Mimecast, IBM, McAfee and Experian have yet to publish predictions for 2021.
2021 prediction headlines
- Range: the range of prediction topics has never been greater. Historically, it is around 30. This year, it is 58, perhaps reflecting an increased desire to be original, or forecasters working alone from home with more time to reflect.
- Quality: 47% of the 170 predictions are unique, bold, significant or eye-catching. This is a steady rise from <40% of several years ago and a credit to the forecasters’ effort to provoke the readers’ critical faculties. 17% of the predictions were unremarkable: they define a trend; they are vague; or they are of limited practical value.
- Prediction type: 60% of predictions focus on what attackers will do to us; 40% on what we will do to defend ourselves.
- Focus: a third of the predictions focus on ransomware, cloud computing, artificial intelligence (AI) and machine learning (ML), authentication and data privacy.
- Deepfakes: the raft of interest last year in deepfake predictions has sunk almost without trace.
- Cloud security predictions present a conundrum: cloud tech will become the primary threat vector, yet we will adopt it because cloud services will make us more secure.
- Blockchain was a thing in 2019, but this year it does not feature in a single prediction. The same goes for GRC.
- Artificial intelligence (AI) and machine learning (ML) predictions this year appear to have been made with whisky-fuelled courage. It remains to be seen how much longer AI/ML will remain at ‘peak hype.’
- Best reads: BeyondTrust, Fortinet and Forrester deserve credit for making the most thought-provoking predictions.
- Prediction effort: 5 years ago, it was the AV vendors that produced lavish cyber security prediction reports. These days, it is the access control and network perimeter tech vendors, reflecting how the marketing battle has migrated.
- SolarWinds: all these forecasts were published before the SolarWinds hack - the most significant hack of the year. Expect a lot more interest in supply chain risk in 2021.
Common predictions
- Attack surface: the intelligent edge is a target (BeyondTrust, Fortinet).
- Attackers may use API software intermediaries as entry points into organisations. As APIs become more prominent in the enterprise space, their attack surface becomes more visible (LogRhythm, Trend).
- Deepfakes: an array of potential uses of deepfake technology for cybercrime and fraud is likely to be seen in the wild (e.g. a scenario in which ‘your CEO’ requests over Zoom that a wire transfer be made) (BAE Systems, LogRhythm).
- Mobile devices will be highly targeted. We will see companies roll out new mobile device policies and infrastructure to allow employees to continue working remotely (AT&T, Carbon Black).
- People: the challenge we will face in 2021 is people. Businesses must prioritise people’s wellbeing and their security to succeed (Proofpoint, Tessian).
- Ransomware: we expect ransomware to continue its rapid growth in 2021, with ransomware varieties increasing along with frequency of attacks. Ransomware is now a national security issue for countries around the world, and it will only get worse (BAE Systems, Carbon Black, Digital Shadows, FireEye, Outpost24, Symantec, Thycotic).
Unique predictions
- Cloud providers’ robust tool sets will lead to a contraction in the market for cloud security tools (Splunk).
- Security teams need to work faster and be able to adapt to the speed provided by the cloud (Palo Alto).
- Trojans will evolve that target the edge (Fortinet).
- Home routers: we predict that cyber criminals will offer access to hacked routers as a new service for threat actors aiming to break into home networks (Trend).
- Data privacy: GAIA-X (the next generation of a European data infrastructure) won’t displace Amazon, Google, and Microsoft anytime soon (Forrester).
- Humans: the primary role of humans will be to ensure that security systems have been fed enough intelligence to not only actively counter attacks but to anticipate attacks so that they can be avoided (Fortinet).
Bold predictions
- Pattern of Life analysis will be further automated and many sophisticated attacks will be generated without human intervention (Forbes).
- Recycling: expect a massive push to recycle and use vintage computer hardware at home and in some businesses. New companies specializing in the sales, repair, and support for these older systems at reasonable rates have started to crop up (BeyondTrust).
- Audits and budget cuts will lead to uptake of risk quantification tech (Forrester).
- Defender confidence is on the rise. As IT and security continue to work together to enable business continuity, we’ll see the narrative around the two teams working poorly together quickly fade (Carbon Black).
- Dismissal: a CISO from a Global 200 firm will be fired for “toxic security culture” (Forrester).
- Smart car attacks: in 2021, we believe the dearth of major smart car attacks will be broken and a hacker will leverage smart chargers to do it (Watchguard).
Significant predictions
- Mortal harm: we will see the first instances where a computer virus actually causes harm to a relatively healthy individual outside of the healthcare system (BeyondTrust).
- Ransomware will adapt to hit cloud repositories - not just OneDrive and SharePoint, but S3 and Azure too (ProofPoint).
- Ransomware group profits will enable them to develop nation state capability (Kaspersky).
- The supply chain will become an even weaker link in security (Tessian).
- Pandemic workforce disruption will drive a greater focus on endpoint security and the zero trust model (Splunk).
Eye-catching predictions
- Machine learning training data will be poisoned (also known as adversarial ML) (BeyondTrust).
- A board meeting of a major company conducted using video conferencing software will be exposed, resulting in a high-profile scandal (LogRhythm).
- Insider threat: 33% of data breaches will be caused by insider incidents (Forrester).
- Data privacy: far-reaching digital changes like “cookie-less” browsers will outpace proposed changes to European privacy legislation (Forrester).
- Logistics: the delivery personnel will be the primary attack vector based on their roles and the pressure to deliver items in a timely fashion. The end game will be theft of merchandise, with high-valued items potentially held for ransom (BeyondTrust).
- Booby-trapped smart chargers will lead to smart car hacks (Watchguard).
Which sources should one trust?
Little information is published about the methods used to make predictions. They could be the result of a methodical process or brainstorming over Zoom. Whose predictions are most likely to be right?
Most of those offering predictions for 2021 did so for 2020, which gives us the opportunity to see how they performed. Predictions for 2020 were categorised as: true; partially true (e.g. ‘Third-party data breaches will dominate the threat landscape’: the SolarWinds hack is undeniably significant, but ‘dominate’ would be over-egging the cyber security pudding); too early to tell; and not true. The results are shown below.
Analysis of 2020 predictions
40% of the predictions for 2020 came true. Since 2016, the percentage of correct predictions has varied between 40% and 54%, so this year we are at the bottom of the range. 23% of predictions were partially realised. It is too early to tell if 18% of the 2020 predictions are true, but 20% are definitely not true.
Hats off to Checkpoint, which can lay claim to being the most accurate forecaster, having made 9 predictions in 2020, 8 of which came true or partially true. Credit should also go to BeyondTrust, Proofpoint and FireEye, who were not far behind.
- It is no surprise that the highest proportion of predictions to come at least partially true are the unremarkable ones (88%).
- At the other end of the scale, only ~40% of bold and eye-catching predictions are at least partially true. 35% of the eye-catching predictions are plain wrong.
- Only 35% of the common predictions came at least partially true. The wisdom of crowds appears not to have worked for these predictions.
A special mention goes to IBM, which made the only bold prediction in 2019 to come true in 2020: “Ransomware operators will ramp up demands on their victims, demanding millions to be paid in Bitcoin.”
In 2020, the cyber security pundits correctly identified: the rise of ransomware in terms of prevalence and sophistication; increased attacks on cloud services; exploitation of AI by defenders; and the criminal exploitation of cryptocurrencies. They were correct not to make a big deal about threats to open banking - at least so far.
Of the commonest predictions that have failed to come true, those expecting deepfakes and attacks on mobile IT to be making headlines will have to wait a bit longer.
Interestingly, although the COVID-19 pandemic was erupting in China as the 2020 predictions were being published, no one called out the pandemic.
Are we failing to see the forest for the trees?
The COVID-19 pandemic took us all by surprise in 2020, but should it have done?
Thinking big thoughts is something governments are good at. The UK’s National Security and Strategic Defence Review, originally published in 2010 and regularly updated, provides a macroscopic perspective on risks that could turn UK society on its head. (This is purely an example; many other countries conduct similar reviews.) Listed as one of the six Tier 1 risks to national security is an influenza or respiratory disease pandemic. Tier 1 threats, in terms of probability and impact, present the greatest risk (see figure, right).
What is interesting in the 2021 predictions is that although we live in an increasingly interconnected world, none of the 170 predictions touch on the other Tier 1 risks: terrorism, geopolitics beyond Brexit, and international instability or conflict. I would have expected to read something about: data privacy and the mounting distrust of the social media giants Google, Facebook and Twitter; a catastrophic failure at AWS G-Cloud or Azure; or superpower conflict played out in cyberspace.
COVID - what next?
Much has been written about the long term impact of COVID. A review of COVID predictions conducted in June 2020 forecast the following for cyber security:
- Attack vector: the cyber attack vector is shifting from corporate networks to home users and vulnerabilities within teleworking technologies.
- Supply chain: expect a move away from just-in-time supply chains and the development of local ones.
- Value for money: businesses will expect more for less, with more IT security services being outsourced.
- Cashless payments: Coronavirus will accelerate automation (“it’s pulling the future forward”), including mass adoption of cashless payments.
Pushback on AI
This year, artificial intelligence (AI) and machine learning (ML) related predictions for 2021 have burgeoned, saying that AI and ML will be at the root of both the wonderful and the dreadful things that will happen to us. Much is promised, but as a commentator at Splunk quipped, “Today’s AI is as naive as a week-old puppy.” It is also vulnerable to being turned from the benign purpose for which it was created.
If AI is to benefit the whole of society - not just the digital giants (Facebook, Google, Twitter) - there are some things we need to sort out first: transparency; an ethical framework to govern its use; and accountability for autonomous use of AI technologies.
Explainable AI (XAI) would be a step in the right direction. XAI is about using AI methods and techniques that can be understood by humans, in contrast to "black box" solutions where even their designers cannot explain how the AI arrived at a specific decision. XAI would also improve the user experience of a product or service by helping end users trust that the AI is making good decisions. This is especially true for social media software which profoundly affects our lives but is the most hidden.
"Hypnosis might be therapeutic so long as you trust your hypnotist, but who would trust a hypnotist who is working for unknown third parties? Who? Apparently billions of people."
(Jaron Lanier, digital pioneer and web critic)
Expect pushback from regulators and consumers. Expect, too, that it will feature in the next James Bond film.
In 2021, exercise some paranoid optimism
So we missed the pandemic, and we are not so good at seeing the wood for the trees. We are also terrible at making risk-based decisions: we trust celebrity endorsements, people in suits, anything printed - especially charts and precise numbers - even when they are wrong.
We are prone to the illusion of certainty, but we are very good at coping. Whatever cyber security risks we face, we can vaccinate ourselves against their effects by exercising vigilance, realistic fear and a positive outlook. The most resilient companies are those that have thought through how to operate without internet access, or even without IT.
Happy new year and hold onto your hats in 2021!
Sources consulted
Major strategic trends of 2020 that will certainly feature in 2021 are described in Robin Oldham’s short and excellent summary. They comprise trust and transparency, security of software supply chains, and ransomware.
Each year, Dan Lohrmann publishes his typically excellent review of cyber security predictions in the Government Technology journal. He takes a prosaic approach, based on a wider trawl of predictions than mine. VMWare, owners of Forcepoint, has compiled a list of predictions from other companies in a recent blog.
If you want to learn more about why humans are bad at making risk decisions and the steps that can be taken to correct for biases, my blog summarises the work of a variety of scientists and experts: How the world's best risk decision makers decide. If you are interested in where AI will take us, read AI - more artifice than intelligence?
Thanks once again to the companies that invested time and effort in producing these predictions. This blog salutes the forecasters: AT&T, BAE Systems, BeyondTrust, Carbon Black, Checkpoint, Cisco, Digital Shadows, FireEye, Forbes, Forcepoint, Forrester, Fortinet, Kaspersky, LogRhythm, Outpost24, Palo Alto, Proofpoint, Security Scorecard, Sophos, Splunk, Symantec, Tessian, Thycotic, Trend and Watchguard.
CTO | Director of Cyber Threat Intelligence
4 years: Great insight Paul. Who wins the ‘super forecaster’ crown, I wonder. Checkpoint?
Critical thinker, CyberSecurity Industry Analyst, Business Advisor, Chief Cyber Security Officer, CISO, vCISO, AR Manager, VP Product Management, Senior Director Product Marketing
4 years: Great compilation
Senior Director Market Insights & Strategy
4 years: Great article Paul - thanks!
Cyber Security focussed Strategy, Product and Technology Leader
4 years: Useful and differentiated take as always Paul. Saves much time comparing all the competing predictions.
Commercial Director at Adeptis Group
4 years: Brilliant article Paul!