Sometime around the end of June, we carried out an interesting exercise in the Licel office.
We looked back at a few technology trend articles for 2020 from around this time last year.
In them, authors wrote confidently about how this year would pan out. About how our lives might be changed by a number of tech innovations.
Reading these articles a few months into a global pandemic that had completely reconfigured daily life was a strange experience.
It was a little like gazing through a window into some kind of alternate dimension. Into a world unscathed by covid-19 where 5G dominates the headlines.
Back in the real world, it was becoming obvious as early as January that this year might be a bit different to the norm. By then, fragments of information were arriving on our phones of a strange virus emerging from a market in Wuhan.
Some people will see 2020 as proof of the futility of guessing what the world will look like more than a few weeks from now. But the truth is we were surprised by how many of the predictions from this time last year held true.
Indeed, if anything the pandemic actually seemed to have quickened some of these trends.
That makes us feel a little calmer about making predictions for trends that will impact cybersecurity in 2021.
Sure, there’s a chance that the world might be a very different place come next summer to the one we imagine today. But we’re pretty confident that the seven trends we’ve outlined below are ones that first sparked before covid-19 and will burn brighter still in the post-coronavirus world.
We predict a more mobile, remote world. Both for individuals and for businesses. A world where bad actors look to profit from new ways of working and from the wider anxieties the pandemic has created.
In other words, we predict a world where robust protection from cyber threats will become more important than ever before.
SoftPOS set to revolutionize how we receive payments
One trend that we’ve already seen fast-tracked by covid-19 is the ability to take payments via an app on your phone. SoftPOS (software-based point of sale) technology is making it easier for businesses to be more mobile.
SoftPOS allows businesses to operate where their customers are. And this has obvious benefits for companies in city centers that have emptied of office workers due to the pandemic.
While the promised vaccines of spring 2021 will no doubt encourage some workers back to their offices, it’s unlikely everyone will go back to the way things were before. Besides, covid-19 has taught businesses that they need to be less static.
Both of these trends mean that a way to take payments easily via your phone - without having to invest in a dongle - will be welcomed.
The coronavirus has also made people much less likely to use cash in 2020. Visa ran a poll earlier this year that found that almost half of their respondents wouldn’t shop somewhere that required them to handle cash or a card reader others had used. Again, our newfound hygiene habits might be tested by the arrival of a vaccine. But it’s hard to imagine cash making a comeback, which makes the arrival of SoftPOS even more timely.
So, how does the arrival of SoftPOS impact cybersecurity?
Well, any financial transaction that moves digital opens up a potential attack surface for hackers.
EMVCo and PCI both have standards that are a great place to start to find out how to reduce this surface area. But put simply, keeping SoftPOS apps safe for end users involves using a multi-layered approach to protection. This includes obfuscating valuable code, and using cryptography to protect calls for sensitive logic.
Device attestation is also crucial. This is the ability to check that the device isn’t rooted, that it hasn’t been debugged, and that it isn’t using an emulator. It’s also an important check to make sure there haven’t been any attempts to hook sensitive methods and exfiltrate important data or key material.
Read more about the arrival of SoftPOS and how to keep it safe.
Secure elements to control machine-to-machine communication
In recent years, rogue drones entering airport airspace have caused delays and cancellations.
It’s a trend that’s likely to continue. And one that points to other serious security risks in military and retail settings, where drones are taking on more responsibility.
This topic was covered by Daniel Huebner from Infineon during a great Java Card Forum webinar session in November. In it, he argued the case for moving the most sensitive credentials of an IoT device (like a smart meter) to a dedicated, external secure element.
Daniel explained that an IoT SAFE applet could sit inside a Java Card secure element and make the communication between the device and the cloud much safer.
For one, it would shrink the attack surface, making it tamper resistant. And it would separate the authentication keys and credentials from the main MCU firmware.
But let’s get back to drones.
Infineon have used this secure element in drones to control where they can go. In other words, stopping them from entering no fly zones.
So, how does it work? Well, GPS sensors send data to the IoT SAFE applet, where it is signed with a key provided by an official authority. The signed data is then sent to a cloud service, where air traffic control decides whether to authorize it or not.
Without authorization, the drone simply wouldn’t function in certain areas. But conversely, permissions could be given for drones to carry out certain tasks in sensitive areas. One example is checking the rotors in a wind farm. A secure space that drones typically aren’t allowed into.
As we delegate more and more tasks to IoT devices and remote controlled drones and driverless cars, this secure element could be vital for cybersecurity and business confidence.
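The flow described above, sketched as an added example that is not code from Infineon, the webinar or Licel. HMAC-SHA256 from the Python standard library stands in for the signature a secure element would produce (a real deployment would normally use an asymmetric key that never leaves the element), and the key, message layout, zone coordinates, permit list and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import math

# Constructed demo values. HMAC is a stand-in for the applet's signature.
DEVICE_KEY = b"constructed-demo-key-not-a-real-credential"
NO_FLY_ZONES = [(52.3105, 4.7683, 5000.0)]  # (lat, lon, radius in metres), constructed
MAX_AGE_S = 30  # reject stale reports so a captured one cannot be replayed later


def sign_report(key, lat, lon, ts, drone_id):
    """Device side (stand-in for the applet): sign a canonical position report."""
    body = json.dumps({"id": drone_id, "lat": lat, "lon": lon, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def authorize(key, body, tag, now, permits=frozenset()):
    """Cloud side: verify signature and freshness, then apply the zone policy."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "reject: bad signature"
    report = json.loads(body)
    if abs(now - report["ts"]) > MAX_AGE_S:
        return "reject: stale report"
    for lat, lon, radius in NO_FLY_ZONES:
        inside = distance_m(report["lat"], report["lon"], lat, lon) <= radius
        # A permit models the exception for approved tasks in a restricted area.
        if inside and report["id"] not in permits:
            return "deny: no-fly zone"
    return "allow"
```

The signature is checked before the report is parsed, so a position that was altered in transit is rejected without ever reaching the zone policy.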
Virtual companions and more sophisticated AI
Sticking with the IoT theme, 2021 is likely to see us hand over more and more of our daily tasks to intelligent assistants like Alexa.
It could even be the year when the first steps are taken in the move from virtual assistants to virtual companions - an idea referenced by David Mattin in his fascinating New World Same Humans newsletter.
The rise in anxiety levels during the covid-19 pandemic together with the move to remote working represents something of a perfect storm. There are now millions of people who are physically isolated from friends and colleagues. People in need of guidance, support, organization, and even therapy.
This helps to explain the popularity of mindfulness apps like Headspace and Calm. But for some, these apps on their own aren’t quite enough. Virtual therapy apps like Woebot - where users can get cognitive behavioral therapy - might just be a pointer to the future. Because while a vaccine will go some way to opening up the world again, it is likely to be an increasingly remote world for many.
In a more isolated, lonelier world, we might start to expect more from virtual assistants than simply changing our Spotify playlist and checking the weather forecast.
We might begin to desire more of a conversation. More of a companion.
Sadly, hackers are likely to be happy with this trend, too. They’d see an opportunity to reverse engineer a virtual assistant app and then pass it off as their own. Tricking people into downloading a bogus one before sending them phishing emails or texts.
Or they might try to carry out a man-in-the-middle attack. Hijacking the communication channel between the end user and the virtual companion would make them the recipient of the user’s questions. And that would allow them to ask personal questions of their own. Questions to glean information about someone’s habits and movements for a given week.
That’s why the apps that control virtual assistants need to be protected.
They need code obfuscation to defend against dynamic analysis. And they need communication hardening to guard against man-in-the-middle attacks.
You can find out more about virtual companions in an article we wrote earlier this year.
The need for guidance and the danger of social engineering
The widespread uncertainty that has defined 2020 has led people to look to authorities for guidance.
Wherever in the world you’re reading this, you’ll probably remember one specific moment from the spring where you were told by an authority figure to stay home.
This was an entirely unfamiliar scenario for all of us. In no time at all we had to get used to a new way of living and rules to follow. And in this new normal hackers saw an opportunity. Because the more anxious and desperate people are, the more likely they are to trust emails, texts and telephone calls from supposed authorities.
Bad actors figured out fairly early on in the pandemic that they could abuse this vulnerability. They could masquerade as a trusted voice there to guide people.
They knew that people were more emotional and as such were likely to act with less caution than usual.
Social engineering became so rife so quickly that just a few months after covid-19 entered the vernacular, Google were detecting 18 million malware and phishing messages per day.
People had to get used to glancing down at their phone to see another bogus message. Their bank telling them that their transaction couldn’t be processed. Or their mobile phone operator letting them know about a way for them to optimize their contract.
“Just click on this link.”
The coronavirus won’t be with us forever. Life will get back to how it was before. But the uncertainty isn’t likely to go away anytime soon. Not in a world full of fake news and conspiracy theories. A world where the truth is harder than ever to pin down.
As a business you can help to even the odds, though. You can prove to your customers that you care about safeguarding their personal data.
Make use of in-app protection to counter dynamic analysis. That way hackers can’t reverse engineer your app and then pass off their own version as the real deal.
And make it clear to your customers the ways you will and will not contact them. That way you educate them about social engineering so they can tell what’s real and what isn’t.
Smart devices will make the customer journey seamless
The integral role the mobile phone has played in plotting a route out of the covid-19 crisis reinforces just how important the device has become.
Track and trace apps were implemented around the world (with varying levels of success). And when the first lockdown ended and we ventured outside again in the summer, we scanned QR codes and ordered meals with a few swipes of a screen.
This is just one more example of how a crisis can speed up existing trends. It wasn’t like we weren’t already glued to our mobiles before covid-19. But in the aftermath it looks like they - and other smart devices - will play a vital role in the marketing journey.
As Gartner explains in a great article about strategic tech trends in 2021, we could see the emergence of what’s being termed “total experience”, with smart devices at the forefront.
In that article, Gartner cites the example of a forward-thinking telecoms company that changed its approach during the pandemic. When they reopened, they allowed users to book an appointment via their existing app. Then, when the customer came within a certain distance of the store, the app sent them a notification with social distancing guidelines and tips for what to expect inside.
The telecoms company also used a range of digital kiosks and set things up so that employees could use their own tablets to co-browse the customer’s devices. That way the customer didn’t have to physically touch a device other than their own.
This trend is a little like the SoftPOS one. We were already heading in the direction of a more device-driven, less hands-on type of customer service. But the unique social distancing dynamic of the pandemic has given it a kick.
Lots of trends are born of necessity in a certain moment in time. But they stick around because they meet a specific emotional need and make life easier for people.
The idea of utilizing the devices we carry around with us every day to make the customer journey more seamless is the perfect example of this.
Even after the vaccines arrive next year, expect businesses to continue using the tricks they learned during the pandemic. They could use their apps to promote specific events. Or they might use beacons around the store that lock onto the Bluetooth LE on your phone, notifying you about a special offer on a nearby item.
This trend will impact cybersecurity in 2021 because more mobile comms between company and customer means more attack vectors for hackers.
Businesses will have to make sure they secure the most sensitive parts of their apps and libraries. And they’ll need to employ communication hardening to stop man-in-the-middle attacks.
A more remote world is a zero trust world
The world of work is unlikely to ever be the same again.
There’s an acceptance now across industries that bosses might have a hard time convincing employees to go back to commuting for a couple of hours each day.
Not now that people have realized they can work just as well from home.
Some companies like Twitter have announced that their employees can work remotely indefinitely.
There are also likely to be more freelancers out of both choice and necessity. Some will have seen the pandemic as the perfect chance to start afresh doing something they love. Others might have lost their job and look upon freelancing more pragmatically.
Either way, we’re predicting a much more remote world in 2021. And a more remote world is likely to equate to a zero trust world.
We’ve written a lot about the concept of a zero trust world here at Licel. In essence what we mean is that the real world is very different to the one you might imagine your app being used in.
The real world is full of malware, and jailbroken and rooted devices. There are a billion Android devices out there that don’t even receive the latest updates and so are at risk from attacks.
In 2021 the digital landscape will be very different to previous years. More remote working means more fragmentation of devices, OS and networks. Businesses will need to design for the things they can’t control as well as the things they can.
Thriving in a zero trust world is about a mentality shift as much as anything else. It’s about being prepared for the worst rather than assuming existing security measures will be enough.
Knowing that you can’t rely on the security provided by Android and iOS is actually quite liberating. It means that you take ownership for your app’s security and implement protection mechanisms yourself.
That way you get the peace of mind that your app will be safe to use whatever the environment your end user finds herself in.
The drive to digitize to stay competitive
The companies that seemed to cope the best during the pandemic were those that understood that the static business is a thing of the past. The ones that realized that they had to be more mobile. More digital.
Other trends that we’ve already covered in this article - like the rise of SoftPOS, and the move to a more remote world - seem to reinforce this idea.
But there’s a danger in companies thinking they have to quickly digitize their operations in order to stay competitive.
When the digitization process is rushed and not properly thought through, gaps can appear. And these gaps can become vulnerabilities that hackers can target further down the line.
Let’s take apps as an example. Some businesses might decide that they need an app in the post-coronavirus world so they can stay close to their customers and notify them along the customer journey. But designing and developing an app takes time. Particularly if you want to do so with security as a key consideration - which is a must in a world of increasingly sophisticated cyber attacks.
A company could decide to speed up the process by developing a hybrid app. But securing hybrid apps is different to securing native apps. The protection techniques available to do so aren’t quite as robust.
It’s a challenging position that businesses find themselves in. They need to adapt to a changing world and digitize in order to satisfy their customers and stay competitive. But at the same time, digitizing too quickly without proper planning can lead to a security breach. And a security breach can destroy a company’s reputation for good.
For that reason, security should always come before speed.
Your customers will forgive you for delaying the launch of your latest app. They won’t forgive you for misplacing their personal data.
Find out about our 7 security by design principles to get a steer on how to develop your apps safely.