This is a guest post by Chad Warner, Internet safety enthusiast at Defending Digital.
2020 is bound to include cybersecurity surprises, but by looking at recent years, we can make a few predictions. Watch for these cybersecurity trends (listed in no particular order) to play a role in 2020.
Businesses continue to migrate data, processing, and architecture to the cloud. Attackers know this, and have been shifting their efforts accordingly. We’ve already seen major organizations suffer from data breaches and leaks due to poorly secured third-party services and supply chain vendors.
Remember the Capital One data breach of 2019? Former Amazon Web Services employee Paige Thompson allegedly accessed the personal information of 106 million Capital One credit card applicants and customers, and stole data from more than 30 other companies. How? A firewall misconfiguration allegedly allowed access to the data.
In 2020, attackers will escalate their targeting of weaknesses in the cloud.
Businesses should carefully evaluate the security of cloud providers, and ask their supply chain partners about the cloud services they use. They should also carefully configure authentication and permissions on any cloud resources, and monitor for misuse.
Each year, a larger share of computing by users moves from desktop and laptop computers to mobile devices such as phones and tablets. As of December 2019, over 53% of Web traffic was from mobile devices, according to Statcounter. As this happens, mobile devices become more targeted by malware, phishing, and other attacks. Personal mobile devices that are used in or for business are especially dangerous, because they are generally not as secure as corporate devices.
Mobile banking malware can steal credentials and funds. In the first half of 2019, Check Point observed a 50% increase in such malware.
Companies should seriously consider mobile device management (MDM) software. They should also take into account how personal devices access corporate resources, whether on company property or away from it.
Phishing continues to be effective, so there’s no reason for attackers to stop using it in 2020. AIG reported that in 2018, phishing was the top cyber insurance claim, above ransomware and data breaches.
Phishing attempts are becoming more sophisticated and targeted, with more convincing messages and fake websites.
Barracuda reported that spear-phishing (targeted phishing) is 20 times more effective than the average phishing email.
Phishing isn’t limited to email; phishing is also effective when done via text/SMS (smishing) and voice (vishing).
Businesses almost certainly already have spam-filtering in place for email, but may not have filtering solutions in place for other channels (text/SMS, phone calls, social media, etc.). Regardless of what filtering is in place, businesses would be wise to train employees to recognize and properly respond to phishing attempts.
In 2019 in the US, ransomware attacks affected at least 966 government agencies, educational organizations, and healthcare providers, costing approximately $7.5 billion, according to Emsisoft.
Ransomware remains a problem in 2020. It will likely pose a greater threat to businesses and local governments than in past years. Businesses may be disrupted by ransomware attacks on their supply chains, making it more important for businesses to ensure that their suppliers, vendors, and partners have strong cybersecurity.
As more data, processing, and architecture moves to the cloud, expect an increase in ransomware that targets cloud resources.
Businesses can reduce the risk of ransomware with strong anti-malware protection. And regular, robust backup systems (also known as disaster recovery systems) allow companies to restore data in the event of a ransomware incident. Organizations can also consider cyber insurance as another layer of protection against the financial damage of ransomware.
The Internet of Things (IoT) is known for the poor security of smart devices and their services. Because they’re non-traditional IT devices, they’re often overlooked by businesses, and even by IT departments and IT service providers.
Attackers will likely take advantage of these factors to increasingly use smart devices for espionage, extortion, and service interruption in 2020.
“While more than 80% of today’s new buildings incorporate at least an element of IoT, many smart devices and systems do not have strong authentication systems, or are not protected with any kind of security solution at all,” reports ESET.
“Despite the increased attention to security claimed by device manufacturers, these IoT devices do not have sufficient security controls to prevent remote exploitation,” says Independent Security Evaluators.
“These [IoT] systems continue to be vulnerable to state actors looking to disrupt operations, to corporate and government espionage and to attackers looking to benefit financially from theft and ransomware,” according to Joe Lareau, a senior security engineer at Exabeam.
Companies should research the security of IoT devices before purchasing them. It’s important to secure devices once they’re installed, with strong passwords, multi-factor authentication, permissions, etc. IoT devices should be included in the scope of a company’s network security measures.
After the 2016 election in the US, there was a massive investigation into alleged Russian interference. Americans were asking, “Who did this? How did they do it?” One reason for asking is to seek justice. Another is to stop the person behind the attacks and to increase security, thus preventing future interference. In the same way, after a cyberattack on a business, there are benefits to knowing the real identity of the perpetrators, their attack methods, and perhaps their motivation: who carried out the attack, how, and why.
“The faster you act, the quicker you will be able to disrupt the adversary and prevent future attacks, directly yielding greater financial savings and identity protection. Part of taking action, however, requires knowing who the bad actor is in the first place – in other words, attributing and uncovering the identities of cyber adversaries,” says Amyn Gilani at 4iQ.
Figuring out who’s behind a cyberattack can be complex. In recent years, sophisticated attackers have gone to increasingly great lengths to cover their tracks, or even plant “false flags” (misleading clues) to make it seem as if someone else is to blame. For these reasons, identity attribution takes skill. In 2020, expect attackers to take even greater steps to avoid being identified, making attribution more difficult.
Companies should establish policies and processes for investigating cyberattacks. They should also consider partnering with firms such as 4iQ, which have expertise, tools, and data to aid in identity attribution.
Passwords are frequently targeted by attackers, and released en masse in data breaches. Plus, users are notoriously poor at creating strong passwords and storing them securely.
For these reasons, businesses are looking for ways to shift from passwords to other forms of authentication. In 2020, hardware tokens, biometrics, and other forms of authentication will become more common.
Gartner predicts that by 2022, 60% of large and global enterprises, and 90% of midsize enterprises, will use passwordless authentication methods in more than 50% of use cases.
Businesses should watch for opportunities to replace passwords with hardware tokens and other forms of secure authentication, and train employees how to use them. At the very least, they should teach employees not to reuse or share their credentials.
How many protests, marches, boycotts, or other forms of activism have you observed lately? Especially with 2020 being an election year in the US, don’t be surprised to see higher rates of hacktivism, such as website defacement and denial of service (DoS) attacks.
Hacktivists can be in the US or outside of it, and can target businesses, nonprofits, and government entities.
“There has been an increase in hacktivism in general in the first quarter of 2019. We did see quite a bit of geopolitically motivated hacktivism—Venezuela, Libya, Pakistan and India, Brazilian groups. They’re really on both sides of each conflict,” according to Adam Meyers, vice president of intelligence at Crowdstrike.
Recent tensions between Iran and the US have led to the defacement of US business websites.
Companies should evaluate their threat model (their risk of being targeted, and the damage that could be done). They should then take steps to secure and monitor their websites, social media accounts, and other public-facing properties.
Have you lost count of how many emails you’ve received about companies updating their privacy policies and terms of service? Companies have raced to comply with privacy-protecting legislation such as GDPR (from the EU, May 2018) and the California Consumer Privacy Act (CCPA) (January 2020).
As data breaches have hit the headlines more and more, consumers have become louder in their shouts for privacy protections. In 2020, expect to see businesses put effort into complying with legislation, and consumers continuing to demand more.
Also, expect to see more software, hardware, and services offering to protect privacy, following the path already taken by software, hardware, and services that provide security.
Businesses should (if they haven’t already) update their privacy policies, and be prepared to answer questions about how they handle customer data. They should audit their internal processes to ensure compliance with any applicable privacy regulations. Once the work is complete, businesses can benefit from publicizing their efforts.
Attackers have just begun to take advantage of deepfake technology. By creating believable but fake audio and video, attackers can spread false information, influence opinion, and manipulate people to take action they otherwise wouldn’t have.
In 2020, expect it to be increasingly used to commit business fraud and influence politics, especially in an election year in the US.
The issue has attracted so much attention that in January 2020, Facebook announced it would ban deepfakes that are intended to mislead.
Just as companies have trained employees to recognize phishing and scams, they must train employees to recognize the warning signs of deepfakes, and to report suspected deepfakes.
Combine the increasing frequency of data breaches with the tighter regulations related to privacy and security, and you understand why in 2020 more businesses are purchasing cyber insurance.
Interestingly, it’s possible that attackers will be drawn to organizations that have cyber insurance, knowing that their policies could make those organizations more likely to pay than those that lack cyber insurance. Josephine Wolff, Assistant Professor of Cybersecurity Policy at The Fletcher School, Tufts University, says, “The lesson that many governments seem to have drawn from these attacks is … that what they most need is more insurance coverage to help pay the ransoms demanded of them – a phenomenon that only contributes to more ransomware and better-funded criminals.”
Businesses should seek legal counsel about cyber insurance. They must understand the terms of any policies they purchase, to be aware of exceptions and meet any necessary requirements.
What will it take to address the above issues in 2020? Skilled cybersecurity professionals, and lots of them. Yet the US has a skills shortage in many areas of cybersecurity.
Cybersecurity Ventures predicts that by 2021 there will be 3.5 million unfilled cybersecurity jobs globally. In response, the Harvard Business Review noted that “The majority of chief information security officers around the world are worried about the cybersecurity skills gap, with 58 percent of CISOs believing the problem of not having an expert cyber staff will worsen.”
In a survey conducted in 2019 by Enterprise Strategy Group (ESG), 53% of respondents reported a “problematic shortage of cybersecurity skills.” That’s the highest percentage reported in the last four years.
As businesses and government entities compete for talent in 2020, expect workers from other areas of IT to migrate to cybersecurity, and workers in other industries to make career changes into cybersecurity. You may also see industry associations and federal and state governments take steps to rapidly grow the cybersecurity talent pool.
Companies should look beyond 2020 to estimate the cybersecurity skills they’ll need in coming years, then plan how to fill any gaps with training, new hires, or outside firms.
Reading a list of trends is worthless unless you do something about it. I recommend that you go through the list again, asking yourself, “Is my organization ready for this? How, specifically?”
If you’re not ready, then ask yourself, “What can we do to be prepared?” These questions will spark conversations worth having with your cybersecurity team, in 2020 and beyond.
Chad Warner runs Defending Digital, a website with Internet safety, security, and privacy tips.