2019 was an interesting year for cybersecurity, with a wide variety of data breaches that drove a growing awareness of the essential nature of cybersecurity and perhaps a deserved respect for those in the industry.
Can we expect more of the same in 2020, or will companies embrace solutions that security professionals have been harping on about for years? Only time will tell, but hackers are unlikely to change their tactics in 2020 (why change what works?). Their methods will grow more sophisticated as technology evolves, and their targets will vary according to the location of usable data (for example, now that ISPs in the U.S. can monetize their customers’ data, expect breaches in this area). As if I planned it… this leads to our primary cybersecurity concern.
Data breaches occur because the targeted companies hold valuable data, data that is worth selling or holding for ransom. Data repositories are an attractive target because cybercriminals are quick to exploit human error and other vulnerabilities, such as delayed software patching, using the same penetration testing tools as their ethical counterparts. This is unlikely to change in 2020.
However, regulations such as the EU’s GDPR will be fully enforced in 2020. It is worth emphasizing that compliance is necessary for companies outside the EU, with some exceptions. The California Consumer Privacy Act (CCPA) is almost a U.S. version of GDPR (it takes effect in January 2020), and several countries have introduced similar data protection laws, which may induce companies to prioritize data privacy and related cybersecurity processes in their operations. This is due in no small part to the reputational damage and financial penalties that result from a data breach. Unfortunately, protecting against data breaches is complicated by a security skills shortage.
The demand for cybersecurity roles exceeds the number of available candidates. It is generally accepted at this point that by 2021, worldwide, there will be more than 3.5 million vacant cybersecurity roles. Perhaps 2020 will be the year employers will invest in training their existing security staff in additional security skills? Perhaps they will lower the entry requirements, allowing those with IT skills to retrain in desired security areas?
Then again, companies may decide to outsource, paying others to enhance their security posture remotely or by using AI-based software solutions for vulnerability assessment.
My prediction… although I’m not Nostradamus, I believe many companies will be too cheap (or simply not have the budget) to invest in their employees, perhaps scared that they would train them, make them more employable and thereby allow them to take more lucrative job offers elsewhere. Prove me wrong, but I believe companies that value their staff will ensure additional training takes place. If so, they will have a wide range of internationally recognized certifications to choose from.
Whatever happens, each company will need to enhance cybersecurity by hiring additional staff, training existing staff, or outsourcing.
While cybersecurity is a skill in demand, with, for the most part, zero unemployment, senior roles are risky. If a data breach occurs, it is often the CIO or CSO that ends up ‘resigning’ or being fired. As a mid-level security employee, where is the incentive to take on a leadership role if your head ends up on the chopping block when any employee falls victim to a phishing or ransomware attack? Perhaps 2020 will be the year when those directly responsible for a breach take their share of the blame and senior staff are no longer used as a PR exercise in damage control?
The more endpoints your company creates, the more attack vectors are available to cybercriminals. Makes sense in a weird way, doesn’t it?
- If you use cloud solutions, you are open to cloud-based attacks.
- If you try to make everything in your company ‘smart’ using Internet-enabled devices, i.e. connected to the IoT, then you open additional attack vectors. This is especially true if the device is not built with security in mind (with default passwords or pairing PINs that cannot be changed, for example) or uses vulnerable connection protocols.
- If you allow employee-owned mobile devices without using mobile device management (MDM), you create vulnerabilities, since IT does not have full access to protect company data and lacks the ability to wipe the device if it is lost or stolen. Malware on employee-owned devices will be a valid concern in 2020, given that half of the organizations surveyed by Kaspersky in 2019 were compromised in this manner.
Fingers crossed that 2020 will be the year that companies add only the endpoints necessary for business operations and that they reconsider the benefits of BYOD.
Expect next-generation authentication technologies to become more prominent, given the inherent weaknesses of the traditional username/password method. Multi-factor authentication and biometrics are just two of the possible options. Note that facial, voice and fingerprint recognition are easily circumvented, and compromised biometric data is a much bigger problem than a compromised password or token, which can simply be changed. The use of network tokens and similar methods is also a viable solution, BUT all these methods are only an improvement if the data required to verify them is secure. THAT data is what hackers will use to circumvent authentication.
My final prediction relates to risk management. Data breaches are on the rise, and companies in targeted industries, despite following security best practices, are often breached by concentrated attacks on their networks. Cyber insurance is one way to reduce the financial risk of a data breach, and it is now even more important due to the financial penalties levied on those who fail to comply with regulations inside and outside their jurisdiction.
I believe this will drive cyber insurance adoption in 2020, especially if insurers provide policies that demonstrate their understanding of the cybersecurity landscape and the related threats to companies, but it must be more than service outage or equipment failure compensation. With increased adoption, cyber insurance costs for everyone should decrease… Of course, the premium involved will be based on your company’s existing security posture, and underwriting cyber risk has its challenges, given the variables involved.
In conclusion, predictions on cybersecurity trends are just that, predictions. Expect more of the same: failures of security awareness training and human error resulting in publicized data breaches. The primary difference in 2020 is that customers now expect their data to be protected and are happy to see companies punished for failings in this area. Perhaps 2020 is the year companies will reassess just how much data they should store on users and where they should store it…
The use of AI/machine learning to detect and block threats is likely to increase in 2020; attackers will then use AI to develop new attacks. And the game continues… Whatever happens in 2020, two things remain true: cybersecurity will only become more important for companies, and security awareness is essential for all who connect to the company network, given that phishing and ransomware attacks will become more sophisticated.