2021 Predictions for Security Awareness

Travis Good
January 12, 2021

2020 is over. Many people are breathing a sigh of relief, though 2021 feels a lot like 2020 so far. Cybersecurity and security awareness are two areas whose growth was not massively altered by Covid in 2020. But the trends in security awareness are going to be shaped by the changes that went into place in 2020 and are not going away in 2021.

1. Remote Cybersecurity

The changes that Covid accelerated in 2020 are here to stay. Regardless of how companies adjust work-from-home policies in the future, remote work is now a part of how all work is done. Even if it is only partially remote, or a few days a week, practices that enable and support remote work are essential.

One of the key areas that needs to support remote work is cybersecurity. Remote work is redefining the perimeter of the company network and footprint. Companies now have endpoints to their networks from employee homes, Airbnbs, and coffee shops. Employees need support from cybersecurity in the form of tools and education so that they can make the right decisions when working remotely.

2. Awareness in Workflow

There’s been a shift in work beyond the physical location of employees. This shift is to where, digitally, work is done. Workflow platforms like Slack and Microsoft Teams are leading this charge. These workflow platforms are the new operating system for technology companies, and increasingly for all companies. Through integrations, Slack and Teams serve as the hub for other tools such as Office 365, Google Workspace, GitHub, PagerDuty, calendars, etc.

Security awareness training has lagged behind these other tools. Exiting 2020, security awareness is administered and delivered outside workflow platforms. As more core tools integrate with workflow platforms and as more workflows are done via these platforms, security awareness increasingly feels outside the flow of work. It feels bolted on. This shapes the perception of cybersecurity as a silo that is not integrated into day-to-day work or company culture.

In 2021, we will start to see more integration of security awareness training into the workflow of employees. It won’t look like what we think of as security awareness training today. The end goal of this change is to deliver training where people work and to drive targeted content based on the work being done. Not all of this will happen in 2021, but the trend will start this year.

3. Attacks on Cryptocurrency

Despite shutdowns related to Covid and structural issues in the economy, the cryptocurrency market had a banner year in 2020. So much so that more and more companies are starting to carry cryptocurrency, most commonly Bitcoin, on their balance sheets as an asset class. Bitcoin and other cryptocurrencies are yet another target for money-driven attacks.

In 2021, as more cryptocurrency is held by companies, it will become an increasingly common threat vector. Attackers, via phishing and spear phishing attacks, will try to gain access to cryptocurrency accounts and wallets. This is a trend that will only increase over time.

With cryptocurrency being new for companies, the ways it is managed may not be as mature as traditional capital and banking. This adds to the risk of these scams.

4. Integration of the Entire Workforce

As employees work from anywhere and establish new and dynamic endpoints into company systems and data, cybersecurity is everybody’s job. Security, as a group, cannot succeed if it functions as a silo. All employees need to be a part of your cybersecurity program.

Some employees will be security champions within their groups. But all will need to integrate cybersecurity thinking and vigilance into their day-to-day work.

5. Compliance-Focused Security Expands

The last several years have seen an explosion in the demand for security audits and certifications. This explosion has been driven by risk-based requirements to more effectively manage third-party risk.

All companies work with technology partners. Those partners are third parties. The security of those third parties affects the security of the companies that use them.

Companies that sell products to other businesses need ways to prove they have an established security program. In the United States, this is most commonly done with a SOC 2 report. In some industries, such as healthcare or finance, the reporting requirements are specific.

Regardless of the report type, the need for this proof of security and compliance will grow in 2021. This will drive demand for security auditors and for automated evidence collection platforms that make it easier for companies to complete reports like SOC 2 reports.

----

What should you be doing in 2021 to improve your cybersecurity program? The most important thing is to be proactive. The value of data, the number of threats, and the overall cost of breaches are growing. Implementing effective security awareness, giving employees tools to make the right decisions, and proving your commitment to security to your partners are imperative to managing these risks.