With the work-from-home shift showing little signs of letting up and new IT spending habits taking shape, organizations should prepare themselves now for an adjustment in security strategy in 2021.

The obvious ramifications of remote work from a security operations perspective has meant an increase in threats, as well as a doubling down of the cloud-first mentality which has helped organizations maintain business as usual and nimbly react to new WFH dynamics.

What does 2021 hold? Assuming remote work remains the norm, security operations teams can expect to have to grapple with a continuation of attack surface growth, all as tenuous finances make IT and security budget growth a dubious proposition. 

Free Download: A Technical Guide to Remote Security Operations

So as businesses look to next year, with the real possibility you will need to prioritize spending, what areas should you focus on? Determining where the largest sources of alerts will emanate from could be a good indicator of where your investment concentration should lie. Here are three alert sources that will be active again in 2020, but perhaps in new and more difficult ways.


Before the pandemic, email-based attacks were already the top instigator for successful data breaches. But the remote boom has further exacerbated the ease by which malicious senders can dupe unsuspecting users into clicking links and opening attachments, many of which have been themed around COVID-19 (some of which spreading ransomware). And with a resurgence of the virus underway, expect incoming malicous email alerts to continue to dominate your attention. Worth also noting: The rise in phishing attacks especially is prompting some organizations to explore the benefits of zero-trust architecture.


Endpoints devices, from laptops to smartphones to IoT objects, are a malicious hacker’s best friend. And they become an even greater ally to the bad guys in remote environments. According to a recent Dark Reading article: “Businesses have realized they can’t create a traditional network perimeter for remote devices connecting to corporate access through untrusted networks. Further, they don’t have the same control over remote endpoints that aren’t on their network; devices they don’t even own.” That means endpoints may be behind on updates and patches. And not only are endpoints attractive malware launching points, they are also susceptible to device and application authentication issues.


Cloud deployments have sharply risen in 2020 as organizations have turned to rapidly adopting online collaboration tools and other resources to efficiently transition to remote work. But while the convenience of cloud is undeniable, migration presents notable risks. For example, a recent survey by Check Point determined that misconfigurations are the top threat to cloud security, with three-quarters of respondents saying they are “very” or “extremely” concerned about cloud security and 68% naming misconfigurations as their biggest cloud worry. 


All of these detection sources will result in a continued overload of alerts – and false positives. They will need to be streamlined to enhance decision making and reduce resolution times. Security orchestration, automation and response (SOAR) can ingest alerts and logs, integrate with a hodgepodge of third-party detection tools, and delineate end-to-end incident response steps through playbooks. Discover SOAR with a free download of the Siemplify Community Edition.

Dan Kaplan is director of content at Siemplify.