We’re finally at the finish line of 2020, and we couldn’t be more excited to turn the page to the new year.
2020 was a bittersweet year for cybersecurity. The industry continued to boom despite a global pandemic, there have been plenty of jobs to go around, and the industry’s importance continues to gain traction in the public sector
However, 2020 also featured some of the largest and most intrusive security breaches in recent memory, including the recently revealed FireEye and SolarWinds attack. So, while there’s a lot to celebrate, there’s plenty of room for growth and maturity, too.
Let’s take a moment to reflect on the year by highlighting five of the most important cybersecurity stories from 2020.
While Zoom is currently being showered with endless praise for its massive growth and success in 2020, it hasn’t always been rainbows and sunshine for the video chatting application.
A story from Tom’s Guide walks us through Zoom’s numerous security issues from 2020. The article contains a complete timeline of events, starting with multiple zero-day exploits and private video leaks, continuing on with several reports of information scraping and phishing campaigns, and ending with many patches following a large public outcry.
To be fair to all parties involved, Zoom’s competitor Microsoft has had their fair share of problems with Microsoft Teams, too. Additionally, Zoom has made security improvements a big part of their strategy moving forward. This change can be seen with their hiring of Jason Lee as their new CISO back in June and rolling out end-to-end encryption for all in October.
Zoom is now considered generally safe for widespread use today, despite their many security issues throughout the year.
The cybersecurity skill gap is something that’s been talked about for years, and 2020 was no different.
However, the headline from InfoSecurity Magazine is a little different this time around. A report from (ISC)2 states that for the first time since records began, the skill shortage in cybersecurity has fallen. This fall is attributed to more employees joining the industry and the COVID-19 pandemic creating uncertainty on the demand end.
The 2020 Cybersecurity Workplace Study revealed that 700,000 additional security pros have joined the industry this year, a 25% increase from last year’s estimate. This means that the shortage in skills dropped from 4.07 million last year to 3.12 million in 2020.
However, while this is great news on the surface, some of the gap’s fall is due to a reduction in security jobs due to budget cuts caused by COVID-19. The irony in this number is that (largely due to the pandemic), security has never been more important.
Overall, the article is a bittersweet one. On one hand, there are more people available than ever to plug the security shortage in the industry. On the other hand, many organizations are cutting back on security budgets and staff to combat revenue lost from the pandemic.
Piggybacking on the last article’s relation to COVID-19 is an article that details the impact the pandemic has had on the industry and how we can move forward.
Security Magazine’s article from mid-December discussed the massive digital transformation precipitated by COVID across the globe, and especially in America. Simply put, because our digital footprint has increased so dramatically in America, we’ve never been more at risk for cybercrime. The “scary reality,” according to the article, is that COVID may be setting up a “perfect storm” for a cybercrime pandemic.
Traditional cybersecurity professionals were able to protect a much smaller digital footprint with a concentrated effort, but today’s digital ecosystem creates a far greater number of attack vectors for hackers. The widespread adoption of online portals, digital apps, remote work, and Internet of Things devices creates a much larger perimeter — a perimeter many security teams aren’t prepared to defend.
This mass online adoption turns the discussion of a data breach from “if” to “when” cybercriminals will exploit our vulnerabilities. This requires a large change of mindset for employees across the globe. No longer is cybersecurity a big-ticket issue reserved for IT specialists. Cybersecurity is now something all individuals must consciously put effort towards in order to secure the perimeter.
Our next story is about as hot-button as hot-button issues come, but is all the more reason for it to be included in 2020’s cybersecurity year-in-review.
NPR, along with many other publications, have reiterated claims that there’s been “no evidence” that the 2020 presidential election was compromised. This report was first issued by the Department of Homeland Security. In a statement published back in November, this election was described as the “most secure in American history.”
The statement from the DHS goes on to say “While we know there are many unfounded claims and opportunities for misinformation about the process of our elections, we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too.
However, despite the statement, there has been plenty of controversy around election security in the weeks following Election Day. Namely, President Trump fired top election security official Christopher Krebs and also launched an election fight including over 50 lawsuits.
While 2020 was considered a tumultuous year for cybersecurity before this report, the breach of SolarWinds and FireEye sent the industry into a frenzy.
While the initial report was released on December 8th, Microsoft and FireEye confirmed the SolarWinds supply-chain attack on the 14th, ZDNet reported. Known victims of the attack include the US Treasury, the US NTIA, and FireEye themselves.
As you likely know by now, the attack was carried out against SolarWinds on behalf of a foreign government by deploying a malware-laced update for the company’s Orion software. This update infected the networks of “close to 50” organizations in total and shows off the true risk of a vulnerable supply-chain, especially for large organizations like SolarWinds.
The attack was considered so significant and so dangerous that it warranted a rare meeting of the US National Security Council at the White House. While the true damage of the attack is currently unknown, the event is likely to send shockwaves across the industry through both organizational shifts and regulatory policy.