Cyber Security Expert Predictions for 2020
Joseph Carson, Chief Security Scientist & Advisory CISO at Thycotic
“Identity theft will take a new direction with the increased use of deep fakes
What has been concerning in 2019 is the increase in identity and credential theft, and I see this becoming much more problematic in 2020. The rapid advancement of deep fake technology is taking identity fraud to a whole new level of online challenges and risks: not only are they stealing your digital online identity, but also your digital voice and digital face. This means that cybercriminals can take digital identity theft to a new level and could have the ability to create an entire digital clone of you. I see this becoming a major problem area in the cyber space, and even more so in political campaigns, as the general public will not have the awareness to distinguish what is real from fake. In today’s internet, data without context is dangerous.
Government use of machine intelligence (typically referred to as Artificial Intelligence) to be put to the TEST
In 2020 AI will become an important strategy, with many governments around the world using AI to improve and automate many citizen services; however, acceptable use and limitations of the scope will also be applied. This will help determine the full scope of how much data should be collected, for how long and for exactly what usage, to limit abuse of such sensitive data. For government to be successful with AI they must be transparent with their citizens. We must embrace AI moving forward, but with responsibility and caution.
IoT Security
This year, the use and abuse of IoT devices has risen and doesn’t look to be slowing down as we go into next year. IoT devices differ from computers as they have a specific purpose and cannot be re-programmed; therefore organisations need to view and assess the risks specific to the function or task of the device in order to increase the security. Organisations, in particular the manufacturers of IoT devices, will need to adapt their security approach to ensure that these fast-growing endpoints are secure. The new Californian and Oregon IoT legislation coming into effect in January is a step in the right direction, but more must be done. IoT security is about focusing on the risks, not the device.
Human Factor
Cyber awareness is evolving to become more human friendly. We are now seeing a difference in approach to security evolving into company culture. Boards and top-level executives are now learning how to communicate accordingly on cyber security topics, meaning that security teams and their goals are becoming a lot more aligned with the business’ goals.”
Brian Vecci, Field CTO at Varonis
“Ransomware Will Evolve from Smash & Grab to Sit & Wait
Ransomware isn’t the most pervasive or common threat; it’s simply the noisiest. In 2020 attacks will become more targeted and sophisticated. Hackers will pivot from spray-and-pray tactics. They will instead linger on networks and hone in on the most valuable data to encrypt. Imagine an attacker that encrypts investor information before a publicly traded bank announces earnings. This is the type of ransomware attack I expect we’ll see more of in the coming year, and organizations that can’t keep up will continue to get hit.
Fake News Will Become Fake Facetime
Forget fake news: 2020 will be the year of the deepfake, and at least one major figure will pay the price. Thanks to leaky apps and loose data protection practices, our data and photos are everywhere. It will be game on for anyone with a grudge or a sick sense of humour. It raises the ultimate question: what is real and what is fake?
A Political Party Will Cry Wolf
In 2020, one or both of our political parties will claim a hack influenced the elections to delegitimize the results. Foreign influence has been an ongoing theme, and few prospects are more enticing than affecting the outcome of a U.S. presidential election. With so much at stake, a nation state attack is practically inevitable. The federal government has failed to pass meaningful election security reform. Even if an attack doesn’t influence the results, it’s likely that those who don’t like the outcome will claim interference, and this scenario will discredit our democracy and erode trust in the electoral process. If we want to maintain the integrity of our elections and avoid political upheaval, real change needs to happen in how we store and protect our data.
CCPA…Cha-Ching!
Once January hits, the fines will roll in. A recent report released by California’s Department of Finance revealed that CCPA compliance could cost companies a total of $55 billion, and this isn’t even taking into consideration the firms that fail to comply. In 2019, we saw GDPR’s bite finally match its bark, with more than 25 fines issued to offenders, totalling more than $400M, and the same is likely to happen in the U.S. under CCPA. In 2020, at least 5 major fines will be issued under CCPA, racking up upwards of $200M in fines. While a federal regulation is still a ways off, at least 3 other states will begin to adopt legislation similar to California’s, though none will be as strict.”
Carolyn Crandall, Chief Deception Officer at Attivo Networks
2020 will be the year of API connectivity. Driven by the need for on-demand services and automation, there will be a surge in requirements for the use of technology that interconnects through APIs. Vendors that don’t interconnect may find themselves passed over for selection in favor of others with API access that add value to existing solutions.
DevOps capabilities will continue to increase their significance in moving projects to products, with only 9% of technology professionals responsible for the development and quality of web and mobile applications stating that they had not adopted DevOps and had no plans to do so. This will drive an increased focus on DevSecOps and how open-source software is managed within projects.
We will begin to see more examples of the theft of encrypted data as cybercriminals begin to stockpile information in preparation for the benefits of quantum-computing where traditional encryption will become easy to crack. The advances in quantum computing that Google has recently published bring this possibility closer to becoming reality.
Significant issues will surface around the lack of adequate detection of threats that have bypassed prevention defenses. To combat this, in 2020, we will see the addition of deception technology into security framework guidelines, compliance requirements, and as a factor in cyber insurance premiums and coverage.
Jeremy Hendy, CEO at Skurio
The imitation game: spear-phishing swindles will persist
Threat actors are shifting away from the scatter-gun phishing approach to well-researched, bespoke emails, cleverly personalised to appear as convincing as possible. In fact, according to Europol, spear phishing is now the number one cyber threat to organisations. Throughout 2020 we’ll continue to see a rise in this form of attack, and it’s not only the largest enterprises that will be preyed upon. In fact, all businesses will need to be prepared for more CEO fraud attacks – a well-crafted email, imitating communications from a trusted executive, usually convincing someone to make an urgent money transfer. It’s made to look like the ‘real deal’ and it works. These usually happen as a result of leaked email credentials finding their way onto dark web marketplaces, which can be used for account takeovers (ATOs) for even more specific and credible phishing emails.
SMEs hit hardest by cyber skills shortage - more attacks and breaches for everyone, but more focus on small and medium businesses
There’s a real dearth of cyber security talent, and smaller businesses will be hardest hit through next year. Skilled professionals will be increasingly hard to find and difficult to retain. Market forces will put the option of full-time, in-house security specialists, commanding high salaries, out of reach for many smaller businesses. Instead, they’ll need to think creatively and look at how they can plug the gap through outsourcing and affordable service-based solutions. This is imperative, as under-resourcing can cause real security risks. Bad actors are aware of the lack of defences in smaller businesses, and they are an easier target to break into. Cybercriminals increasingly target SMEs, who are less likely to have the technology, people and processes in place to block or defend against those attacks.
GDPR: be prepared for second wave of fines and repeat offenders
In 2019 the regulators bared their teeth and showed that sky-high penalties were more than a hollow threat. Precedents were set with the first wave of multi-million pound GDPR fines, reflecting the sheer amount of data that was compromised. In 2020 we’ll see the wider impact on consumer behaviour. GDPR is all about putting the safety of customers’ data front and centre; those companies that have been breached are likely to see frustrated customers voting with their feet and taking their business elsewhere. In 2020, as we see the second wave of fines, regulators will also face the challenge of how to deal with ‘repeat offenders’. It’s reinforced the importance of early breach detection for compromised credentials. Companies can also get proactive about planned attacks, which can be identified through chatter on Dark Web forums by threat actors.
Risky connections
Organisations will be managing an increasingly complex web of third-party and supplier connections. More connections mean more risk, exposing them to threats beyond their control. Due diligence when working with new partners or suppliers is critical, but the reality is that they simply can’t control every aspect of their third party’s security. What they can do is manage this risk by availing themselves of technology that provides visibility of data outside of the corporate network.
Cloud adoption will continue to gather pace, which is brilliant for productivity and digital transformation, but is often happening without the consent of the IT organisation. Shadow IT and the culture of Bring Your Own App will continue, with many organisations using more apps than they have employees. All of these trends together will create a perfect storm of vulnerability for organisations.
Digital Trust – the new customer metric for business success
The flipside of cybersecurity is Digital Trust. Consumers will lose confidence in repeat offenders who do not take care of their personal data. We’ve seen the first wave of GDPR fines but, more importantly, huge publicity and bad press for companies who have had breaches which weren’t well managed. The public are becoming more and more aware of the value and currency of their personal data and will punish companies who don’t look after this responsibly.