Threats & Risk: Cyber Crime Sector Focus in 2021
Rich Jackson
Leader in Business Development & Strategic Growth | Data Protection & Cyber Security | Human Firewall Specialist | Webinar Host & Guest Speaker | "Do the Right Thing, and Do Things Right"
As we enter 2021, we have hope.
Following a full year of COVID-19 dominated sadness, changing lifestyles, alterations to how we do business, work, educate our children and socialise with our friends and family - a glimmer of hope is on the horizon. Vaccines that may (slowly) return life to something resembling how we lived before hold the key to a positive year and maybe (by 2022) recovery on a global scale.
However, history tells us that humankind can only deal with one "threat" at a time - and in our panic and confusion at the prospect of a global health pandemic - we let a very different kind of threat grow, evolve and cement itself in our day-to-day personal and professional lives.
Cyber Crime.
In 2020, cyber crime reached a critical landmark. COVID-19 acted like an accelerant, and cyber criminals have been making hay from the outset.
Cyber crime is now more profitable than the entire illegal global drug trade, combined.
Let that sink in for a moment.
How much is that, actually?
Well, by 2022 cyber crime will be worth in the region of £5 Trillion. An unimaginable figure, yet it's a number that is put into better context when I say that cyber security spending will be in the region of £105 Billion.
Which means, that for every £1 spent on cyber security defence, the criminals will make around £3,333!
And by the way, for the most part these are not the hoody-wearing back bedroom hackers we all think about when imagining cyber criminals. This is organised, highly sophisticated cyber crime - often state sponsored.
Sophisticated as it may be, its success relies (in 90% of cases) on one critical factor: you.
Human nature is, in nearly every successful cyber attack, the door-opener to a data breach or malicious attack. Our instinctive tendency to "trust" and not fact-check is our greatest weakness. In turn, we put our employers, employees and businesses at risk - every single day.
That's the reality we live in, and it is why Pulse primarily focuses its efforts on employee education, awareness, critical controls and compliance processes. It is, quite simply, the smartest place to start your cyber security and compliance journey.
The Threats we Face in 2021
This year I believe we'll see an accelerated pattern of attacks on three key business sectors, for similar yet unique reasons - on which I'll elaborate shortly. These sectors possess/process personal data of such a nature that they attract (unwelcome) attention from nefarious threat actors, and in addition are (to varying degrees) apathetic and in some cases arrogant, in respect of the cyber crime threat.
So here goes - my Top 3 sectors for cyber attack in 2021!
Health & Social Care
No surprises here, care is THE primary sector for data breaches and cyber attacks, globally.
Why?
Well, the sector processes highly sensitive personal data - and a cyber criminal can do a LOT with that kind of resource. Health data is worth in the region of 10x that of your credit card details, when sold on the dark web. You really don't need to worry quite so much about your card details, in that kind of context.
The sector is generally unaware that it has responsibilities toward personal data. Many small business owners are lifestyle entrepreneurs who got into care for all the right reasons - and sadly find themselves in the midst of a constant compliance quagmire - with cyber security being the final straw. Many don't have the head-space to even register for their NHS Data Security & Protection Toolkit (approximately 65% of care providers in England are yet to do so, and have already missed two key deadlines). All of which, when combined, makes the care sector rich pickings for a switched-on cyber criminal.
Prediction: Continued pain for the care sector, with an accelerated breach rate month by month. By the end of 2021, I expect to see a care related breach being reported every week - and GDPR fines becoming the norm. We will see some care providers go out of business, as a result of data security apathy. As the ICO often quotes, "Ignorance is No Defence".
Accountancy
Accountants are unique, well that's what they like to think and tell us.
They`re not, actually.
Accountancy practices are businesses, they process sensitive personal and financial data, and many think they are immune to cyber attack - partly because they invest in cloud-based technologies from renowned 3rd party SaaS providers and "did the GDPR stuff" back in early 2018.
Ouch.
Most don`t know that one such SaaS provider suffered a catastrophic cyber attack in May 2019, and that (as Data Controllers under the GDPR) it is the accountancy firm (not SaaS provider) that is responsible for where, and how, their client data is processed.
Most also sent staff home to work in March/April 2020 with no risk assessment on home working environments, accessing critical data from home with a wide range of weaknesses in place. No firewall, inadequate anti-virus on personal laptops or devices, no 2FA, WiFi router still accessed by its default password...it goes on.
The risk of cyber attacks rose in 2020, yet the defences were lowered - so it doesn't take a cyber security expert to do THAT math and come up with the right equation.
A disaster in the making.
Accountancy firms have a great deal to do in 2021 to close their weaknesses off to attack, to ensure home working is secure (that means a risk assessment on EVERY home office, if staff continue to work at home) and to question, check and approve all of their 3rd party suppliers in respect of supply chain security.
Prediction: Based on the breach data I am seeing (you only need to watch Nick Espinosa's "Breaches of the Week" podcast to get a sense of reality here folks...), I expect to see several significant UK-based accounting firms suffering malicious cyber attacks in 2021. I also predict at least one SaaS provider will be attacked, successfully, this year. If I'm right, the ripple effect into the UK accounting industry will be HUGE, and may determine how seriously accountants take cyber security in 2022 and beyond. For certain, a wake-up call is long overdue.
Education
Schools and colleges face an unprecedented task in 2021, with questions now arising about whether GCSE and/or A Level exams should even take place this summer. Educators are doing an amazing job, responding quickly to an ever changing landscape - to ensure our young people receive the best possible education, albeit in unprecedented circumstances.
They also store, process and share (often insecurely, I've seen it first hand!) children's personal data.
All of which may result in a reduced focus on data security, which (when combined with the fact our kids are again being taught online) could lead to some interesting breaches in 2021.
Schools must ensure that their supply chains are secure, that 3rd parties practise solid data security - and that staff are provided with adequate cyber security and GDPR training and awareness.
One in five schools and colleges have fallen victim to cyber crime, according to data provided by Ecclesiastical. Of those that suffered a cyber attack, 71% downloaded malware and 50% experienced phishing attacks. This would strongly suggest a lack of training amongst school employees, and represents a critical weakness.
Prediction: Schools and education supply chains will continue to be a threat target in 2021, with educators under ongoing pressure to maintain teaching quality - and the added stress of will they/won't they when it comes to exam season. This all combines to create a significant threat scenario, and I predict a major supply chain incident along with individual schools making "schoolboy" (sorry) errors on a regular basis. By which I mean, phishing attacks and downloading of malware.
Conclusion and Next Steps
So that's it, 2021 summed up in a few paragraphs. Of course, there's a strong chance I'm completely wrong and the headlines this year turn out to be very different. Either way, I do believe that all of the above will probably happen, and maybe even on a greater scale than I have predicted.
If so, we will hopefully see some changes:
- Apathy will turn to Fear
- Fear will turn to Panic
- Panic will (hopefully) lead to some Action - and from that point your cyber security journey will begin
Then...hopefully...you'll realise that this is a Journey that can (and will) never end.
Cyber criminals will always be two or three steps ahead, which means our best efforts should always be focused on threat mitigation, education and awareness within our organisations, and the development/evolution of a truly cyber security focused business culture.
Good luck, and remember - I'm here to help whenever you need me.
Richard