The leaves have well and truly fallen, it’s bitterly cold, and Christmas is just around the corner. This can mean only one thing. It’s that very special time of year when every business releases a ‘things to look out for’ or ‘top ten trends’ post for the year ahead – cue jokes about identikit blog posts.
So, we thought we would do something a little different this year. Rather than repeat last year’s guide to cybersecurity trends for SMEs, we thought we’d look back at how we did. Where were we right on the money? And what are we eating a hefty portion of festive humble pie over?
Of course, the elephant in the room is the COVID-19 pandemic, an event virtually no one predicted. And its effects will keep cropping up throughout this blog.
1. Increased use of AI to launch and defend against attacks
First up, AI. Back in January, we discussed the likelihood of cybercriminals increasing their use of automated attacks in 2020. We cited cybersecurity and AI expert Justin Fier of Darktrace, who predicted: “AI won’t just make attacks faster or smarter. We likely can’t even fathom the way that AI will transform attacks or be leveraged by malicious actors. What we do know is that with AI attacks on the horizon, AI defences will be critical as well.”
How we did
We’d like to think we were pretty spot on with this one. AI attacks continue to plague the nightmares of security professionals. A September 2020 study from Forrester found that 88% of security professionals expect AI-driven attacks will soon become mainstream.
What’s more, there were several high-profile attacks using AI in 2020. The spear-phishing (more on that later) attack on COVID-19 vaccine supply chains is thought to have been carried out using an AI. Meanwhile, both the Vancouver Metro system and the Argentine government suffered highly coordinated ransomware attacks, thought to be backed by an AI.
While you don’t have to be Nostradamus to predict that attacks will increase as AI technology becomes more widely available, it’s clear that it has become a rapidly growing threat. So much so that Europol issued a warning earlier this year that cybercriminals now have both the expertise and tools to use AI regularly.
It’s in this environment that we’re continuing our research into using AI and machine learning for cybersecurity defences.
2. Spear phishing: phishing attacks get personal
Spear phishing is the practice of sending out highly targeted, personalised emails to company employees and executives in a specific business, rather than a generic attack sent to thousands of random email addresses. Once clicked, these emails infect the user’s computer or device with malware.
We predicted this type of attack would become more common in 2020, as cybercriminals learned to target time-poor executives and undertrained employees.
How we did
While our instinct was good, we couldn’t have predicted just how prevalent spear-phishing attacks would become in 2020. There were many high-profile attacks, including the one on Twitter, but most alarming was, of course, the attack on COVID-19 vaccine supply chains we mentioned earlier.
And there were plenty more breaches that didn’t make the front pages. According to a report from the Anti Phishing Working Group, the average loss to organisations from business email compromise (or spear-phishing) attacks in the second quarter of 2020 was $80,183 (£59,353). Even more alarmingly, that figure represents a $54,000 (£39,972) on the first quarter of this year, almost perfectly mirroring the global switch to remote working due to the pandemic.
You can find out more about how to switch to remote working safely in our latest ebook.
3. Organisations are adopting more data encryption
At the beginning of 2020, we were confident this year would be encryption’s time to shine at last. We hoped that the tool would finally gain widespread adoption, helping businesses to shut down most cyberattacks before they start. And we based this prediction on the 2019 Global Encryption Trends Study which revealed its use grew from 41% to 47% of organisations last year.
How we did
Sadly, our hopes of encryption taking the business world by storm in 2020 proved unfounded. It’s not all bad. Adoption has increased: Entrust’s 2020 Global Encryption Trends Study lists 48% of businesses as having an encryption strategy ‘applied consistently across their enterprise’.
However, a 1% increase to 48% isn’t widespread adoption, nor is it nearly enough. Encryption is the simplest step a business can take towards protection from cyber threats. Improving the cyber health of our society depends on its adoption everywhere. Here’s hoping 2021 will be better.
4. Robotic Process Automation (RPA)
Of all the things on this list, Robotic Process Automation (RPA) is the one most likely to spark the imagination. So, was 2020 the year that businesses started automating in earnest and transferring tasks to our new robot masters?
How we did
In short, no. RPA did continue to grow in popularity, with its market revenues projected to have surpassed $2.9 billion worldwide this year. And it will probably continue to do so – Grand View Research predicts a 40.6% annual growth rate in adoption between now and 2027.
However, the firms using RPA tend to be at the enterprise end of the scale. RPA is expensive and we’re a long way from it being affordable for smaller businesses. So, for the time being at least, the robots aren’t coming to an SME near you.
5. The next wave of GDPR fines is on its way
2019 was the year that regulators began to really flex their muscles on GDPR, doling out fines to some of the world’s largest corporations. So, naturally, we expected 2020 to deliver more of the same.
How we did
If anything, we underestimated this one. 2020 has been a bonanza of GDPR fines. First, Google was fined £44 million by French regulator CNIL for its breach of GDPR rules – by far the biggest fine we’ve seen yet. Then retailer H&M was hit with a £31.5 million fine by German regulators.
These were just the two highest-profile cases. Over 220 fines were handed out for GDPR violations in the first ten months of 2020, totalling more than £158 million. On top of this, July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.
So it’s clear that 2020 has been the year that regulators across Europe rolled up their sleeves and got tough on GDPR. Despite this, only 20% of US, UK, and EU companies are fully GDPR compliant. And, with all the uncertainty surrounding GDPR and Brexit, we expect 2021 to continue in the same vein.
6. Greater threats to cloud security
The cloud is relatively old news by now, with most businesses moving away from using physical servers sometime in the last decade. However, knowledge of how to properly secure data in a cloud has lagged far behind adoption for a while now. So we predicted 2020 would be the year that hackers began to exploit the cloud’s vulnerabilities.
How we did
Although cloud data breaches have been a feature of the technology since its inception, 2020 will go down as the year that businesses became much more conscious of the risks. A report from Ermetic, published in July 2020, revealed that 80% of firms surveyed have suffered some form of cloud data breach in the previous 18 months.
This is reflected in the number of high-profile breaches we’ve seen this year, with Marriott, MGM and video conferencing software Zoom all suffering data hacks.
7. 5G and IoT devices on the rise
Everyone in the tech sector has been predicting the rise of 5G and IoT devices for a long time now. Were you to delve deep into your internet history, we’re confident you’d find it on many end-of-year predictions lists as far back as 2016. With that in mind, was this the year that 5G finally arrived on the scene?
How we did
Let’s tackle 5G first. Unlike previous years, 2020 really did see the rollout of 5G, at least partly. Despite the controversy and political power struggles caused by the UK deciding to ban Chinese firm Huawei, 5G networks are now available in some locations across the UK. We’re still a long way from a nationwide rollout and the technology comes with problems to be ironed out, but the first shoots of a 5G-backed nation are there and growing.
As for IoT devices, they continued their inevitable march to ubiquity. Experts estimate that the number of active IoT devices installed in 2020 reached 31 billion. This represents an 8 billion rise from 2019 and many are predicting a similar increase in 2021.
8. The cybersecurity skills gap
The Department for Digital, Culture, Media and Sport (DCMS) defines the cybersecurity skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’ And it’s been a growing problem in the UK and across much of the world ever since businesses began to move their operations online.
We thought that it would become one of the defining trends of 2020. Were we right?
How we did
The cybersecurity gap is hard to assess in a period as limited as one year. The situation certainly didn’t improve much in 2020 but it’s hard to say whether it got any worse. The UK government did at least try to promote jobs in the sector, even if the execution was crass and very poorly judged.
However, real change in this area is likely to take years, if not decades. So in the meantime, small businesses are best served by trying to find ways around the talent shortage. For more on that, check out our October blog on the subject.
10. Employee training for threat awareness
Last on our list, threat awareness training for employees. One of the biggest trends sweeping cybersecurity in the last few years has been a growing realisation that employees have an active role to play in keeping their workplaces safe. Let’s consider how that developed in 2020.
How we did
Like a lot of things on this list, employee awareness has been heavily influenced by the COVID-19 pandemic. As many businesses were forced to work remotely, with employees using their own networks and devices to access company data, good cyber hygiene has become more important than ever. As a result, we’ve seen more and more businesses taking staff training seriously.
Meanwhile, we’ve been busy doing what we can to help. We’re all set to release a brand new set of interactive cybersecurity training modules, downloadable through the CyberSmart platform. It’s our hope this will help make 2021 a little more cyber secure than 2020.
All in all, we’re happy with our predictions for 2020. There was a lot we couldn’t have foreseen and some of the trends we predicted didn’t take off quite as expected. But, on the whole, 2020 saw some big steps towards increased cyber awareness and hygiene in the UK. Stay tuned for more of the same in 2021.
Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.