Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic is partly the catalyst for most of these trends in conjunction with it being a presidential election year like no other. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.
By Jeremy Swenson, Security Entrepreneur and Senior Management Tech Risk Consultant
1. Disinformation Efforts Accelerate Challenging Data and Culture
Advancements in communications technologies, the growth of large social media networks, and the “appification” of everything increases the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo, Bloomberg, 05/18/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram. Yet even state-sponsored and private news organizations are increasingly the weapon of choice creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.
Bots and botnets are often behind the spread of disinformation, complicating efforts to trace it and to stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter app having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting on Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and source, but it also weakens privacy and security due to the many authentication permissions.
We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenues; it is a money-making machine. If you can control what’s trending in the news and/or social media, it impacts how many people will believe it, which in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2020 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA, 12/22/2020). This negatively impacts culture by setting a misguided example of what is acceptable.
There were several widely reported cases of political disinformation in 2020 including misleading texts, e-mails, mailers, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap these disinformation bursts riled political opponents on both sides in all states creating miscommunication, ad hominin attacks, and even derailed careers (PBS, The Hinkley Report, 11/24/20). Moreover, huge swaths of confused voters aligned more with speculation and emotion/hype than unbiased facts. This dirtied the data in terms of the election process and only begs the question of which parts of the election information process are broken. This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public to private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat said disinformation.
2. Stalkerware Grows and Evolves Reducing Mobile Privacy
The increased use of mobile devices in conjunction with the pandemic induced work from home (WFH) growth has produced more stalkerware. According to one report, there was a 51% increase in Android spyware and stalkerware from March through June, vs the first two months of the year (Avast, Security Boulevard, 12/02/20); and this is likely to be above a 100% increase when all data is tabulated for the end of 2020. Inspired by covert law enforcement investigation tactics, this malware variant can be secretly installed on a victim’s phone hiding as a seemingly harmless app. It is not that different from employee monitoring software. However, unlike employee monitoring software, which can easily be confused with this malware; stalkerware is typically installed by fake friends, jealous spouses and partners, ex-partners, and even concerned relatives. If successfully installed, it relays private information back to the attacker including the victim’s photos, location, texts, web browsing history, call records, and more. This is where the privacy violation and abuse and or fraud can start yet it is hard to identify in the blur of too many mobile apps.
3. Identity & Access Management (IAM) Scrutiny Drives Zero Trust
The pandemic has pushed most organizations to amass WFH posture. Generally, this improves productivity making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders are speeding up the deployment of Zero Trust capabilities (Andrew Conway, Microsoft, 08/19/20). Zero trust moving to need to know only access mindset with inherent deny rules, all the while assuming you are compromised. This infers single sign-on at the personal device level and improved multifactor authentication. It also infers better role-based access controls (RBAC), improved need to know policies, group membership reviews, and state of the art PAM tools for the next year.
4. Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries
This increased WFH posture blurs the security perimeter both physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set the default to disable badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be revaluated.
5. Data Governance Gets Sloppy Amid Agility
Mass WFH has increased agility and driven sloppy data governance. For example, one week after the CARES Act was passed banks were asked to accept the Paycheck Protection Program (PPP) loan applications. Many banks were unprepared to deal with the flood of data from digital applications, financial histories, and related docs, and were not able to process them in an efficient way. Moreover, the easing of regulatory red tape at hospitals/clinics, although well-intentioned to make emergency response faster. It created sloppy data governance, as well. The irony of this is that regulators are unlikely to give either of these industries a break, nor will civil attorneys hungry for any hangnail claim.
6. The Divide Between Good and Bad Cloud Security Grows
The pandemic has reminded us that there are two camps with cloud security. Those who have a planned option for bigger cloud-scale and those that are burning their feet in a hasty rush to get there. In the first option, the infrastructure is preconfigured and hardened, rates are locked, and there is less complexity, all of which improves compliance and gives tech risk leaders more peace of mind. In the latter, the infrastructure is less clear, rates are not predetermined, compliance and integration are confusing at best, and costs run high – all of which could set such poorly configured cloud infrastructures up for future disasters.
7. Phishing Attacks Grow Exponentially and Get Craftier
The pandemic has caused a hurricane of phishing emails that have been hard to keep up with. According to KnowBe4 and Security Magazine, there has been a 6,000% increase in phishing e-mails since the start of the pandemic (Stu Sjouwerman, KnowBe4, 07/13/20 & Security Magazine, 07/22/20). Many of these e-mails have improved their approach and design, appearing more professional and appealing to our emotions by using tags concerning COVID relief, data, and vaccines. Ransomware increased 72% year over year (Security Magazine, 07/22/20). With many new complexities in the mobile ecosystem and exponential app growth, it is not surprising that mobile vulnerabilities also increased by 50% (Security Magazine, 07/22/20).
COVID-19 is the catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should to dashboard this with machine learning and AI tools.
Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed and updated often – embracing need to know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.
Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.
IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and security perspective.
About the Author
Jeremy Swenson is a disruptive thinking security entrepreneur and senior management tech risk consultant. Over 15 years he has held progressive roles at many banks, insurance companies, retailers, healthcare organizations, and even governments. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is also a frequent speaker, published writer, and even does some pro bono consulting in these areas. He holds an MBA from St Mary’s University of MN and MSST (Master of Science in Security Technologies) degree from the University of Minnesota.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.