Predicting a global pandemic that reshaped how we interact with each other and our devices at a fundamental level would be nigh impossible, but we have seen an acceleration in the shift to cloud-based services. This shows the adaptability of organizations looking to evolve and thrive during an unprecedented event. However, this shift has also left some businesses vulnerable to exploitation. My one-line forecast is that we should expect a cloud migration trend to continue or even accelerate in 2021 while organizations tackle common and emerging issues in the areas of security and inclusion. If you work for an organization, you should include these as your new year’s resolutions:
Resolution 1: Get Cloud Certified
In 2020, companies rushed the migration of businesses and workloads into cloud computing environments, leaving cybersecurity behind and playing catch-up. You can learn more about this migration by watching our panel at the Cybersecurity Thought Leadership presentation in November.
Cloud skills are typically one of the top skill sets organizations are looking for. This is particularly true as, during the last year, workloads changed rapidly, consumer patterns shifted, and workloads were hurled into a cloud service provider environment. As a hiring manager, this is one of the more challenging skill sets to hire for.
The rapid changes to workload requirements stemming from the pandemic strain organizations’ existing data center infrastructure. This often fuels new or increased consumption of resources from cloud service providers as major cloud service providers are able to grant access to additional capacity in minutes or seconds. In order to keep pace amidst these rapid changes, IT teams need to make certification and hands-on cloud training a priority. Training is often challenging to implement because there isn’t a lot of expertise in operating training programs. This training often falls into two categories: general staff awareness and knowledge; and the specific skills and tools that a security team needs to secure a workload.
Another aspect is to promote general awareness of cyber risks, as these actions are key to reminding staff to stay vigilant. You can even have fun with it and take it to another level with prizes for those who report phishing campaigns.
Listen to your teams
When it comes to supporting the security team, take the time to listen to their concerns and feedback. Then act on it. Often security teams are aware of issues before they happen but can’t get buy-in from business leadership. There are five highly impactful security controls that can massively boost your cyber resilience:
1. Inventory your devices and software.
2. Update your defenses.
3. Devise real passwords.
4. Prevent phishing and malware.
5. Back up your data (and regularly test your backups).
These are basic security hygiene activities, but it is shocking how often they are neglected by businesses. It’s hard to quantify the value of preventative security – until the event takes place. We can see the effect of this in the count of data breaches rising year over year, and how, in many cases, an update or earlier action could have prevented it.
As more data is exposed, more is available for attackers to use in account takeover attacks, credential testing attacks, or other types of automation. This, together with users’ widespread habit of reusing passwords across accounts, makes these attacks a threat for multiple organizations.
Make training more accessible
As an industry, we need to remove barriers to entry to robust security training to address the skills shortage while continuing to raise awareness. You can, for example, hire (junior) candidates that can hit the ground running – a training and mentoring pipeline is key to building out your teams. You can help by providing staff access to tuition funding for targeted areas or by doing “lunch & learns” and rewarding presenters.
According to AWS Academy, 68% of IT decision-makers report a skills gap among employees. From my observations, this stress has increased in the current remote work environment. When it comes to a particular skill gap, 29% of IT decision-makers say they have trouble finding candidates with cloud computing skills, leading to difficult security scenarios for an organization.
Resolution 2: Learn From Human Diversity
With the rapidly shifting landscape of 2020, many businesses went into survival mode as they transformed processes from offline to online or from on-premises to the cloud. Tackling security issues created by or left over from the migration is every organization’s top priority to ensure that the possibility of a data breach as a result of poor basic security hygiene is minimized. However, these changes can follow the company’s biases and impact a segment of the population who use your services differently.
With good security hygiene, it is possible to accidentally exclude segments of the population from using your services. When we solve problems using our own biases, it is key that we recognize those exclusions and iterate over our solution to extend it to everyone. We all have our abilities and limits, and designing for people with permanent disabilities can benefit everyone. Not everyone can type out a captcha or type out a code within a time constraint.
Take a virtual look around your teams – particularly those selected for special task forces, your leadership teams, and your peers. These are the individuals that you’re designing for, first and foremost. Depending on the group, this can end up with products that are designed for people of a specific gender, age, literacy, or physical capability. The results are then designed for what has been perceived as normal when there is no such thing as ‘normal’. The interaction of someone with all their senses honed on your product will vary greatly from someone distracted by their cats (disclaimer: I have two cats, and they are distracting as I write this). Making the wrong assumption can ignore or alienate large market segments or a particular user base.
There are many mismatched expectations that folks may consider when designing or iterating over their products and solutions. My cats like hugs, so often I may only have one hand available to interact with a service (similar to a new parent). This situational challenge is temporary, but may prevent me from writing an email or text message on my mobile device, or typing an MFA code from my phone on my laptop. Yet, that same situational challenge may persist for months for someone with a broken arm. Or their entire lifetime if they’ve lost an arm.
By learning from diversity and including multiple viewpoints in the design process, we can better address these constraints and biases early on in the product development process. By leveraging inclusion as a key design principle, we all benefit from increased access and reduced friction. Some tools that help bypass these limitations are user validation tools like passive biometrics, as they don’t require someone’s finger, face, or one-time password to validate the user. Instead, the user session can be validated based on how they behave with the device inherently – so that I can still hug my cat and log into my banking app at the same time. Cat hugs are a priority.
Resolution 3: Defend Against Devices
The number of devices operating online continues to increase exponentially, placing significant pressure on service providers to offer the best consumer experience they possibly can.
Attackers leverage the wealth of data available from data breaches to create false (but legitimate-looking) identities and devices for denial of service attacks (DoS), username hijacking, new account fraud, account takeover, and other types of automation attacks. Every successful attack or service degradation has devastating impacts on an increasingly online society, particularly in consumer trust. Few non-technical individuals have a good grasp on how the Internet works, while many technical individuals don’t fully understand it.
Expect device security and trustworthiness to join digital identity as a priority issue in 2021.
In short: Prioritize Cybersecurity – it’s only gonna get worse
Companies will continue to accelerate the migration of workloads to cloud service provider infrastructure, driven by fluctuating norms. Working with a cloud service provider will enable organizations to scale their workloads and adapt rapidly to changes in consumer behavior.
On the consumer front, the large number of data breaches is weakening trust in digital systems and fueling attackers’ sophisticated ploys. It’s important to secure your consumer-facing solutions before attackers use stolen information to exploit your business and damage your brand.
I recommend deploying both network-level and application-level protection to your consumer-facing solutions. In the application realm, you can leverage behavioral biometrics to identify anomalies and trigger step-up verification appropriately upon detection of suspicious traffic. For other application and payment-related risk trends in 2021, you can read this complimentary report by Aite.
Using behavior analytics and passive biometrics as a key indicator of suspicious application interactions can help organizations detect and trigger multifactor authentication and additional verification during critical processes (like login, checkout, or money movement), ultimately mitigating threats.
Using key technologies like passive biometrics and behavioral analytics can help reduce consumer friction and also break down barriers for inclusion. This will be increasingly relevant as society becomes more dependent on Internet-based services.
If you’re interested in the cloud technologies involved in running NuDetect, take a look at the NuData Case Study hosted at the AWS Global Summit Toronto 2019 Keynote. For new or existing AWS customers, you can leverage our AWS PrivateLink integration or check out our Amazon Partner Network listing.