In 2021 organisations’ interest in cyber sovereignty and the origins of cyber security products and services will take primacy over cost savings when building or transforming cyber capability. Throughout 2020, the pandemic and the associated strain on global supply chains, employment dislocation and the need to support remote workforces exposed increased cyber security risks.
Increasingly organisations will examine products’ source code and hardware design specifications. Internet-connected devices will be screened to assess security and backdoor vulnerabilities and meet minimum standards of cyber resilience.
There will also be a drive to better understand the origins and vulnerabilities of the technology we use. The Australia Government’s decision to exclude high-risk vendors from participating in 5G infrastructure has triggered an ongoing discussion around the way supply chain decisions are made for both hardware and software. Increased self-reliance, privacy legislation and cyber regulations will continue to inform decision making. Outsourcing and offshoring will be exposed to greater scrutiny.
The release of the Australian Government’s 2020 Cyber Security Strategy and associated critical infrastructure legislation sharpened local boards’ focus on cyber security. Throughout 2020 CyberCX regularly briefed ASX50 boards on the implications of the new legislation.
2021 will see boards and executives increasingly held accountable for cyber security risk management. These developments shouldn’t be seen as unnecessary legislative burdens. Rather, they should be seen as providing much needed clarity around obligations and creating a level playing field. A security baseline will drive innovation, stability and profitability.
Organisations will increasingly appoint board members who have a strong understanding of matters pertaining to cyber risk, threat intelligence, security technology and vulnerabilities.
The comments by the Prime Minister following a large-scale nation-state attack on Australia in June 2020, and the subsequent release of the 2020 Cyber Security Strategy, marked a step-up in Australia’s regulatory response to cyber security. The Government sees an increasing role of the private sector and has telegraphed changes to corporations, consumer, privacy and data protection laws.
CyberCX has been working closely with the government as part of the regulatory consultation process. Government will increasingly look to legislative solutions to better protect institutions, organisations and individuals from cyber threats. In 2021, two regulatory documents will have significant impact on the cyber security landscape:
- The Security of Critical Infrastructure Act 2018 (SOCI) will establish a foundation to improve the resilience of Australia’s most vital critical infrastructure entities. The legislation is ambitious and a necessary first step to regulate the diverse and connected nature of Australia’s critical systems and better mitigate cyber security risk.
- The Council of Financial Regulators (CFR) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry.
Artificial Intelligence powered cyber
As with many industries, Artificial Intelligence (AI) and Machine Learning (ML) are likely to play a greater role in cyber in 2021. Initially this trend will appear in AI powered vendor products, however, will start to accelerate in the form of bespoke automation and orchestration approaches to common, complex cyber tasks. CyberCX believes that AI and ML solutions will increase in 2021 within Security Operations Centres (SOC), cyber simulation and advanced computer- based awareness training applications. AI will enable smart technology and smart people to deliver better cyber outcomes.
Action on supply chain risk
Action on supply chain risk will not only include the flagged trend towards building sovereign supply chain resilience. The perennial problem of software supply chain risk management will warrant further action. Software relies on a complex accumulation of legacy code, plugins, modules and functionality, some of which are very dated and insecure. Most often the problems of embedded legacy software within the software supply chain remain unseen. However, when software supply chain problems do occur, they manifest in the form of vulnerabilities, exploits and when exploited , breaches. In the year ahead, CyberCX expects to see:
- Independent validation of vendor software;
- Rationalisation of the number of cyber validated suppliers and vendors used by organisations;
- Increased penetration testing and manual validation of software quality; and
- A rise in vendor contract terminations due to inattention to secure software development practices.
Evolution of workforce
Employee induced security breaches and extended periods of remote working will remain prevalent in 2021 and far beyond. CyberCX predicts:
- Greater monitoring, auditing and enforcement of corporate cyber security compliance policies;
- Increasingly restricted and controlled digital environments in high risk areas, where Intellectual Property (IP), financial data or Personally Identifiable Information (PII) is concerned;
- A renewed investment in cyber education and behavioural change programs; and
- A greater focus on measuring returns from these cyber security investments.
Traditional in person operational activities, such as job interviews will also have to cater to a permanently remote workforce in some industries, with all the associated cyber implications.
Cyber insurance will continue to mature and evolve in 2021. As an industry, cyber insurance is still in its infancy and has not yet become a mainstream solution to transfer digital and operational risk. CyberCX sees a need for a more thorough, quantitative approach to developing cyber policies, calculating premiums and determining policy exclusions. The variation in policies and fees remains significant. A number of CyberCX clients have expressed concern that their existing policies do not provide adequate coverage, or no coverage at all, particularly if their insurer uncovers a known vulnerability that subsequently excludes them from making a claim. CyberCX expects the discussion around to cyber insurance to feature prominently in 2021, as organisations place greater scrutiny on policy fine print and the coverage afforded.
Evolving threat landscape
2021 will continue to see a rise in state-based attacks on high-profile Australian and New Zealand public and private organisations. Timely threat intelligence and reporting capabilities will be in high demand. This may be in the form of outsourcing analysis to an external third-party or building an organic capability internally. Traditional threats actors other than nation states – such as hacktivists, criminal groups and opportunists will remain persistent throughout 2021 – with ransomware remaining lucrative. Ransomware attacks may evolve in 2021 from availability and confidentiality focused attacks to integrity based Ransomware.