2020 Cybersecurity Landscape: 100+ Experts’ Predictions

As we charge into the third decade of the 21st century, it’s time to ask: so what will happen next with cybersecurity? We reached out to 100+ cybersecurity experts with diverse backgrounds for their predictions and below are the responses. This is the most comprehensive post predicting the Cybersecurity landscape in 2020.

Experts' Comments

December 16, 2021
Craig Ramsay
Senior Solution Architect
Omada


Intelligent unification will be a major trend in 2022 in the Identity Management space – in other words, a meaningful convergence of technologies and identity disciplines. Now, more than ever, organizations have a plethora of solutions at their disposal. Maximizing the capabilities and information available to provide a unified and holistic view of identities, their access, and the contexts through which they have the access will be crucial in reducing identity related risk. By breaking down these siloes and sharing information across these boundaries adapting to new identity challenges as they arise will become easier. 

 The sharp uptick in cloud adoption and SaaS offerings will continue across the board, which will make it easier for organizations to increase the services they’re consuming. With this trend in mind, any solution providing Identity Management and/or Identity Governance capabilities must provide versatile configurability to integrate and scale with the future and changing needs of businesses. Combining this configurable flexibility with increased identity analytics means we will start to see intelligent unified governance platforms that enable huge reductions in manual effort in implementing, managing, and interacting with Identity Management processes. 

 This shift to more and more autonomy in these processes is another trend I envisage growing throughout 2022. Right now, Identity Management is stuck in a hybrid of manual and semi-autonomous actions. Whilst there will always be a need for some level of human decision making when it comes to the most critical applications and sensitive data, a unified approach to identity will greatly reduce manual effort. This will be realized through increased automation and intelligent decision support where automation is not suitable.

November 22, 2019
Raveed Laeb
Product Manager
KELA
Scope of Threats Expands with the Rise of the Darknet “Service-ization” Trend: 2019 saw a major increase in the trend of cybercrime “service-ization” – i.e. cybercriminals buying and selling services rather than goods in the cybercrime financial ecosystem. This ongoing trend will continue to rise in 2020, as more cybercriminals are actively interested in accessing sensitive organizational networks by using commodity malware and services being offered in the Dark Net, as well as via inter-group relations (such as the Emotet-Trickbot-Ryuk ecosystem). While this service-ization trend is on the rise, the level of skills one needs to leverage is declining, thus expanding the scope of threats to enterprises.
December 02, 2019
Steve Morgan
Founder of Cybersecurity Ventures and Editor-in-Chief at Cybercrime Magazine
Cybersecurity Ventures
Looking ahead... the latest facts, figures, predictions, and statistics from Cybersecurity Ventures. See more at CybersecurityVentures.com
- There will be 3.5 million unfilled cybersecurity jobs by 2021 — enough to fill 50 NFL stadiums — according to Cybersecurity Ventures. This is up from Cisco’s previous estimation of 1 million cybersecurity openings in 2014.
- The cybersecurity unemployment rate is at zero percent in 2019, where it’s been since 2011.
- Cybersecurity Ventures predicts that cybercrime damages will cost the world $6 trillion annually by 2021 – exponentially more than the damage inflicted from natural disasters in a year, and more profitable than the global trade of all major illegal drugs combined.
- Ransomware damage costs are predicted to be 57X more in 2021 than they were in 2015. This makes ransomware the fastest growing type of cybercrime. Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019, $5 billion in 2017, and just $325 million in 2015, according to Cybersecurity Ventures.
- Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.
- Global spending on security awareness training for employees — one of the fastest growing categories in the cybersecurity industry — is predicted to reach $10 billion by 2027, according to Cybersecurity Ventures (up from around $1 billion in 2014).
- Cybersecurity Ventures predicts that the total amount of data stored in the cloud — which includes public clouds operated by vendors and social media companies (think AWS, Twitter, Facebook, etc.), government-owned clouds that are accessible to citizens and businesses, and private clouds owned by mid-to-large-sized corporations — will be 100X greater in 2022 than it is today.
- Despite promises from biometrics and facial recognition developers of a future with no more passwords — which may, in fact, come to pass at one point in the far-out future — a report from Cybersecurity Ventures finds that the world will need to cyber protect 300 billion passwords globally by 2020.
- There were nearly 4 billion Internet users in 2018 (nearly half of the world’s population of 7.7 billion), up from 2 billion in 2015. Cybersecurity Ventures predicts that there will be 6 billion Internet users by 2022 (75 percent of the projected world population of 8 billion) — and more than 7.5 billion Internet users by 2030 (90 percent of the projected world population of 8.5 billion, 6 years of age and older).
- Ransomware attacks on healthcare organizations are predicted to quadruple between 2017 and 2020, and will grow to 5X by 2021, according to Cybersecurity Ventures. Cybersecurity Ventures predicts that the healthcare industry will spend more than $65 billion cumulatively on cybersecurity products and services from 2017 to 2021.
- Cybersecurity Ventures predicts that global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021 — and the cybersecurity market will continue growing by 12-15 percent year-over-year through 2021.
- Cybersecurity Ventures predicts that the global blockchain market will exceed $40 billion by 2025.
- In 2019, Cybersecurity Ventures expects that Fortune 500 and Global 2000 chief information security officers (CISOs) will reduce the number of point security products/solutions in use at their corporations by 15-18 percent. That trend is expected to continue over the next 5 years.
- Cybersecurity Ventures predicts that 100 percent of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by 2021 (up from 70 percent in 2018), although many of them will be unfilled due to a lack of experienced candidates.
- Cybersecurity Ventures predicts that women will represent 20 percent of the global cybersecurity workforce by the end of 2019. This recalculates a 6-year old figure based on a limited survey that concluded women held just 11 percent of cybersecurity positions.
November 20, 2019
Professor John Walker
Visiting Professor
NTU
Sadly, given what we have encountered thus far in the world of Cyber Insecurity in 2019, I expect 2020 will see a continuance of successful Hacks and Security Breaches still happening on a Global Scale, alongside a GDPR vision which is yet to grow real teeth. I am also having expectations that the role of the CISO will remain extant, notwithstanding some organizations are reviewing what this position should represent in 'real' operational terms. I am also conscious from past visits that events such as Infosecurity will continue to look back at what has been, rather than embracing the predictability of what is awaiting us around the bend – the dangers of what I call the ‘Rear View Mirror Effect’. In 2019 I have seen the employment of OSINT in its adverse profile utilized by Hackers and Criminal Organizations to Target and Footprint, to gather the Dark Digital Footprint of their intended victim/victims to assure a higher than average hit rate of their criminal missions – whilst at the same time, I anticipate that the corporate world will still be devoid of understanding the real threat posed by OSINT to their Business and Enterprises - I see this carrying on well into 2020. My last prediction is almost obvious – with the advent of the Greatest Show on Earth taking place on 20 October 2020 in Dubai, it makes an obvious target in both Hacking and Geopolitical Profiles, and I have very high anticipation that such a golden, diamond laden target will receive much adverse attention on the lead up, and during the event!
December 12, 2019
Andy Swift
Head of Offensive Security
Six Degrees
There are two major developments I see influencing the cybersecurity landscape in 2020 – one that is already causing headaches for security professionals and even governments, and another that is (at the time of writing at least) purely theoretical.

Mozilla and Google have recently implemented DNS over HTTPS (DoH) in their Firefox and Chrome browsers. DoH transfers domain-name queries over secure HTTPS servers to DNS servers, preventing third parties (both malicious and benevolent) from seeing the websites that users visit. Whilst providing an additional level of security and privacy to individuals, DoH could prove to be a nightmare for software vendors and IT admins in 2020. With DoH servers hard coded into web browsers, the likes of web filters could be deemed ineffective as users avoid pre-configured DNS servers and effectively bypass enterprise policy. Mozilla has given the UK Government assurances that DoH will not be enabled by default in UK-based Firefox browsers, but this doesn’t mitigate the need for organisations to take steps to ensure their enterprise policies – and cybersecurity postures – include provisions for DoH in 2020.

The second development I see playing a factor in 2020 is less immediate, but in many ways much scarier. AI-based antivirus applications are becoming increasingly popular, as software vendors seek to utilise machine learning to not only address but also anticipate zero-day attacks. The flipside of the coin, though, is the rising spectre of AI-based malware. We’ve yet to see evidence of AI-based malware in the wild, but – given the fair assumption that someone, somewhere is working on developing intelligent malware strains that utilise AI and machine learning – we need to take the threat of AI-based malware seriously. With non-AI-based malware like WannaCry and NotPetya causing damage far beyond their intended target organisations back in 2017, the impact of an AI-based malware strain on the likes of critical national infrastructure, transport networks and nuclear power stations as it learns and mutates could be catastrophic. IBM has developed an interesting proof of concept strain that researchers are learning from, but the truth is we don’t yet know what AI-based malware is truly capable of. If AI-based malware changes from theory to reality in 2020, we could all feel its impact on both our professional and personal lives.
November 20, 2019
Rohit Ghai
President
RSA
The emergence of the “cyber savvy” board: Accountability for cyber and risk incidents moves up the organizational hierarchy and becomes a central issue for the CISO, C-Suite and Board of Directors. In 2020, expect mindful organizations to begin hiring Board members that bring experience in risk management and information security as a way to prepare the business for a digital future. Gradually, this will become a “new normal” for the enterprise as investors pressure leadership for clear strategies on how they are managing digital risk.

Expect to see a cyber incident at the edge in 2020: The continued proliferation of IoT devices will make edge computing an essential component of enterprise IT infrastructure in 2020. To power these systems, 5G will become a bedrock for organisations looking to speed up their IT operations. With this innovation and speed will come greater digital risk. A security incident in the New Year will serve as the wake-up call for organisations leaning into edge computing. It will remind them that threat visibility across is essential as their attack surface expands and the number of edge endpoints in their network multiplies.

The identity crisis will worsen: Businesses are coming to realise that mismanaged credentials and passwords are often the weakest link in a security chain and identity compromise continues to be at the root of most cyber incidents. Next year, we will see identity risk management become front and centre in cyber security programs as organisations adopt more and more cloud solutions; as workforces become more dynamic with gig workers and remote employees and as the number of identities associated with things or autonomous actors continues to dwarf the number of human actors on the network.
December 23, 2019
Anna Chung
Principal Researcher
Unit 42, Palo Alto Networks
Within the Deep and Dark Web, ransomware attacks are expected to continue in 2020. This year, my team and I came across an increasing number of threat actors selling ransomware, ransomware-as-a-service, and ransomware tutorials. Underground products and services like these enable malicious threat actors who are not technically savvy to enter the game.

Threat actors will continue exploring new methods to monetise compromised IoT devices, beyond IoT botnets and IoT-based VPNs, due to the uncapped profit potential. IoT devices remain a popular target among hackers, mostly because IoT security awareness and education is not as prevalent as it should be, and the number of IoT devices will continue to grow at an exponential rate as 5G develops and becomes mainstream.

We’re continuing to see instances where the failure to configure containers properly is leading to the loss of sensitive information and as a result, default configurations are posing significant security risks to organisations. Misconfigurations, such as using default container names and leaving default service ports exposed to the public, leave organisations vulnerable to targeted reconnaissance. The implications can vary greatly, as we’ve already seen simple misconfigurations within cloud services lead to severe impacts on organisations. When a company is beginning to address or prepare for these types of attacks, it’s important they never expose a Docker daemon to the internet without a proper authentication mechanism. Note that by default the Docker Engine (CE) is not exposed to the internet. Key recommendations include:
- Incorporate Unix sockets – Using these allows you to communicate with the Docker daemon locally, or use SSH to connect to a remote Docker daemon.
- Leverage the firewall – Whitelist incoming traffic to a small set of sources in firewall rules to provide an extra layer of security.
- Caution against the unknown – Never pull Docker images from unknown registries or unknown user namespaces.
- Employ always-on searches – Frequently check for any unknown containers or images in your system.
- Identify malicious containers and prevent cryptojacking activities – When a new vulnerability in the internal container environments is revealed, it is critical to patch it quickly, as attackers will be in a race to exploit any systems they can access. Having tools that actively scan your environment for known vulnerabilities and provide alerts on dangerous configurations can help to maintain the security of all container components consistently and over time.
- Integrate security into DevOps workflows – This will allow your security teams to scale their efforts in an automated way. Developers have a lot of power in the cloud, and your security needs to be able to keep up.
- Maintain runtime protection – As your organisation’s cloud footprint grows, being able to automatically model and whitelist application behavior becomes a powerful tool for securing cloud workloads against attacks and compromises.

Many data breaches today are driven by financially motivated cyber threat actors, and this type of attack prefers targets that have rich personally identifiable information (PII), including financial institutes, hospitals, hotels, airlines, and almost all e-commerce sites. From an underground economic perspective, this is data that can be quickly monetised and resold multiple times. Different data has different buyers, but overall speaking in regard to PII, payment information is preferred due to the card-not-present type of fraud. Therefore, sites that process and collect individual payment information typically are more attractive to attackers in this instance.

While we have seen a certain amount of cyber-offensive behavior using AI, such as identity impersonation by using deep faking, we are still in the very early stages of seeing the full potential of AI-enabled attacks. On the flipside, we are seeing an increase in cyber defenders using AI to detect and mitigate threats.

Businesses and CSOs should prioritise security awareness training for all employees, going beyond just explaining how cyber-attacks occur and how they may impact an organisation as a whole, and educating their workforce at an individual level on proactive steps they can take to identify and prevent security attacks. Simple exercises like issuing phishing email detection tests or software update reminders help raise security awareness among employees to make for more secure daily operations and help reduce the success rate of attacks.

One of the major security challenges facing today’s digital age is the fact that there are too many devices and security policies in place, making it difficult to monitor and maintain. Prioritising highly-automated security solutions that cover multiple environments will increase visibility and control over the entire operational environment by simplifying the management process, reducing costs and freeing up more time to identify the existing pain points and future roadmaps.
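As an added example (not part of Anna Chung's comment and not Palo Alto Networks tooling), the following Python audit script checks two of the container recommendations above: a daemon.json that exposes the Docker API over TCP without tlsverify, and running images that come from registries or user namespaces outside an allow-list. The daemon.json contents, the running-image inventory and the allow-list are constructed sample values; the image-name parsing follows Docker's reference rule that the first path component is a registry only when it contains a dot or colon or is "localhost".

```python
"""Audit helpers for two container recommendations: never expose the Docker daemon
without authentication, and never run images from unknown registries or namespaces.
All inputs below are constructed sample values, not taken from any real host."""
import json
from typing import Dict, List, Tuple

# Constructed /etc/docker/daemon.json contents: one weak setting, one hardened.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
)


def audit_daemon_hosts(daemon_json: str) -> List[str]:
    """Return findings for the daemon's listeners. The default (no "hosts" key) is the
    local Unix socket the text recommends; a tcp:// listener without tlsverify
    accepts unauthenticated API calls from anyone who can reach the port."""
    cfg: Dict = json.loads(daemon_json)
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    findings: List[str] = []
    for h in hosts:
        if h.startswith(("unix://", "fd://")):
            continue  # local socket or systemd socket activation: fine
        if not h.startswith("tcp://"):
            findings.append(f"{h}: unrecognised listener scheme")
            continue
        bind, _, _port = h[len("tcp://"):].rpartition(":")
        if bind in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{h}: daemon API bound to all interfaces")
        if not cfg.get("tlsverify", False):
            findings.append(f"{h}: TCP listener without tlsverify (no client authentication)")
    return findings


def split_image_ref(ref: str) -> Tuple[str, str, str]:
    """Split an image reference into (registry, namespace, repository).
    Docker's rule: the first path component is a registry only if it contains '.'
    or ':' or equals 'localhost'; otherwise the registry is docker.io, where a bare
    name such as 'nginx' lives in the 'library' namespace."""
    name = ref.split("@", 1)[0]  # drop any @sha256:... digest
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
    repo = parts[-1].split(":", 1)[0]  # drop the tag
    if len(parts) > 1:
        namespace = "/".join(parts[:-1])
    else:
        namespace = "library" if registry == "docker.io" else ""
    return registry, namespace, repo


def find_untrusted_images(refs: List[str], allowed: Dict[str, List[str]]) -> List[str]:
    """Return refs whose registry is not allow-listed, or whose namespace is not among
    that registry's allowed namespaces (an empty list means any namespace is fine)."""
    untrusted = []
    for ref in refs:
        registry, namespace, _ = split_image_ref(ref)
        ok_namespaces = allowed.get(registry)
        if ok_namespaces is None or (ok_namespaces and namespace not in ok_namespaces):
            untrusted.append(ref)
    return untrusted


# Constructed inventory, in the shape `docker ps --format '{{.Image}}'` would list it.
RUNNING_IMAGES = [
    "nginx:1.25",
    "bitnami/postgresql:16",
    "registry.example.com/platform/api:2.1",
    "localhost:5000/tools/miner@sha256:" + "0" * 64,
    "someuser/cryptonight:latest",
]
# Constructed allow-list: Docker Hub only for two namespaces, the internal registry for all.
ALLOWED_REGISTRIES = {
    "docker.io": ["library", "bitnami"],
    "registry.example.com": [],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_hosts(cfg) or "no findings")
    for ref in find_untrusted_images(RUNNING_IMAGES, ALLOWED_REGISTRIES):
        print("untrusted image:", ref)
```

On a real host, feed `audit_daemon_hosts` the contents of /etc/docker/daemon.json and `find_untrusted_images` the output of `docker ps --format '{{.Image}}'`, and treat any finding as an item for the "always-on searches" check above.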
December 18, 2019
Bojan Simic
CTO
HYPR
1) MFA strategies will shift to passwordless logins, eliminating the misuse of shared secrets
Many of the data breaches occurring today can be directly linked to passwords and the information used to reset them. Hackers are scraping user data for “shared secrets” that will allow them to bypass verification questions. Think: simple and re-used passwords, mother’s maiden name, high school mascot, etc. Companies who recognize this will transform their systems and protocols to eliminate authentication risks linked to traditional password usage and employ alternative features like biometrics for users, thus eliminating a major access point for hackers.

2) Identity Verification across industries will be standardized
In the past few years, a company’s ability to digitally verify an individual’s identity has become easier and widely adopted by businesses that primarily function online. You can open a bank account, or take out a loan without having to step foot into a physical location. Users only need to upload a photo of their ID or digital signature or input their social security number, etc. The options are numerous and offer convenience to the consumer. However, the proliferation of inputs has become unwieldy for regulators overseeing the usage of this information - making it difficult to manage. In 2020, companies can expect a rollout of standardized and approved methods of identity verification to streamline the job of regulating bodies so it’s easier for them to identify bad actors.

3) We will see an increase in IoT hacks that target critical infrastructure
In 2020, it’s estimated that the number of connected devices will reach 38+ billion, triple the 13.4B in 2015. The rise of 5G will make these gadgets more practical and popular as users will have access to reliable and powerful data. IoT devices have always been vulnerable to attack. I predict that a quarter of infrastructure attacks will be owed to IoT devices and their susceptibility to being overtaken.

4) 2020 will be the year of new regulations around data privacy, and existing laws will have stricter enforcement
In the past two years, GDPR has transformed from a European buzzword to an impending regulation that is changing the privacy practices of organizations all over the world. California has also proposed a privacy act in response to the major breaches of Equifax and Facebook, further solidifying how serious the matter of data protection is. Up until this point, regulatory bodies have allowed a grace period for companies to meet their standards - doling out warnings for those who hadn’t made changes. In 2020, companies who want to operate on a global level will have to kick into high gear and make sure they are 100% compliant, lest they face major consequences like fines and business closures.

5) Machine learning and AI will be weaponized to execute cyber attacks in an automated manner
Earlier this decade, artificial intelligence was a technology only being explored and executed by highly-lucrative companies and private institutions - as they were the only ones who could afford to create the algorithms. Now, AI is being sold to the masses and has become accessible to those looking to develop their own algorithms for only a few hundred dollars. In 2020, encouraged by its effectiveness and cheap price tag, nefarious players will weaponize AI to execute repetitive functions that formerly needed a human operator. The elimination of manual hacks will increase the impact of data breaches, as computers will carry out the same “tasks” (filling in forms, copying and manipulation of audio, etc.) in a shorter period of time. More people will be affected without hackers having to expend much effort at all.
November 22, 2019
Eyal Aharoni
VP Customer Success & Sales Operations
Cymulate
More Cyber Damage for Local / State Government Entities, Schools; Less for Healthcare: 2019 was a great year for cyber crooks successfully targeting municipalities, schools and universities worldwide with ransomware and spear phishing attacks. As these organizations have proven easy targets, a rise in campaigns is expected in 2020. Healthcare will also be an attractive sector for hackers due to its high potential gains; however, many in this sector are now investing substantial work and resources to improve their security posture, so while attacks will occur, they won't be as successful.
November 01, 2019
Brian Vecci
Field CTO
Varonis
Ransomware Will Evolve from Smash & Grab to Sit & Wait: Ransomware isn’t the most pervasive or common threat, it’s simply the noisiest. In 2020 attacks will become more targeted and sophisticated. Hackers will pivot from spray-and-pray tactics. They will instead linger on networks and hone in on the most valuable data to encrypt. Imagine an attacker that encrypts investor information before a publicly traded bank announces earnings. This is the type of ransomware attack I expect we’ll see more of in the coming year, and organizations that can’t keep up will continue to get hit.

Fake News Will Become Fake Facetime: Forget fake news: 2020 will be the year of the deepfake and at least one major figure will pay the price. Thanks to leaky apps and loose data protection practices, our data and photos are everywhere. It will be game-on for anyone with a grudge or a sick sense of humour. It raises the ultimate question: What is real and what is fake?

A Political Party Will Cry Wolf: In 2020, one or both of our political parties will claim a hack influenced the elections to delegitimize the results. Foreign influence has been an ongoing theme, and few prospects are more enticing than affecting the outcome of a U.S. presidential election. With so much at stake, a nation state attack is practically inevitable. The federal government has failed to pass meaningful election security reform. Even if an attack doesn’t influence the results, it’s likely that those who don’t like the outcome will claim interference, and this scenario will discredit our democracy and erode trust in the electoral process. If we want to maintain the integrity of our elections and avoid political upheaval, real change needs to happen in how we store and protect our data.

CCPA...Cha-Ching!: Once January hits, the fines will roll in. A recent report released by California’s Department of Finance revealed that CCPA compliance could cost companies a total of $55 billion - and this isn’t even taking into consideration the firms that fail to comply. In 2019, we saw GDPR’s bite finally match its bark, with more than 25 fines issued to offenders, totalling more than $400M, and the same is likely to happen in the U.S. under CCPA. In 2020, at least 5 major fines will be issued under CCPA, racking up upwards of $200M in fines. While a federal regulation is still a ways off, at least 3 other states will begin to adopt legislation similar to California, though none will be as strict.
November 24, 2019
Gerald Beuchelt
Chief Information Security Officer
LogMeIn
All companies face the challenge of security awareness among employees, contractors, and customers. Without support from all users, technological efforts will be hampered in their effectiveness. Security awareness isn’t just about teaching employees what to do with phishing emails – there’s so much more, including developing products with security in mind. Multi-directional communication is extremely important in a security program, meaning working from the top-down, bottom-up, and side-to-side to get your message across. And yes, it’s true. Security is everyone’s responsibility.

People learn differently – some are more receptive to visual, listening, or the ‘hands-on’ approach and some people are attracted to different types of content – funny, serious, the historical background or whatever it may be. And at the same time, providing consistent communication is the key to a strong awareness program.

A major challenge for larger companies is maintaining control over the employee/worker identity lifecycle. In terms of culture, it’s a journey to influence behavior change for thousands of employees. Organizations need support from everyone from interns to the C-suite and Board to drive adoption and create a culture of security. At the end of the day, employees want to do the right thing – it’s just a matter of constant education and communication. When it comes to high-tech industries like those in finance or healthcare, the key is to establish and maintain control over BYOD and Bring-Your-Own-App policies and mentality without impacting employee productivity.
November 22, 2019
Hagai Shapira
Research Team Lead
SAM
5G to drive Botnet DDoS attacks: 2020 will be the year of 5G, bringing with it not only faster speeds and bandwidth capabilities to our mobile devices, but also making them highly coveted targets by DDoS attackers. While mobile devices have always been targeted by financial or personal data thieves, 5G's increased bandwidth allows attackers to take control over a relatively small number of mobile handsets and unleash a tremendous amount of damage. A potential DDoS attack may be distributed via an innocent-looking app on the Play or App store and an attacker just needs a few hundred installs to create a massive outbreak.
December 10, 2019
Gaurav Banga
CEO and founder
Balbix
In light of the ever-growing cybersecurity skills gap, and an exploding attack surface, infosec leaders will shift their focus from increasing headcount to increasing efficiency. By prioritizing tasks based on risk, solving the most impactful issues first, CISOs can ensure that even a small team can have maximum possible impact.
December 25, 2019
Asma Zubair
Sr. Manager, IAST Product Management
Synopsys
In 2020, we know that attackers will continue to exploit all applications, end-points, and networks they possibly can. This includes, but isn’t limited to, web and mobile apps (internal or external), IoT devices in smart homes, and even the 5G network as it is being rolled out. Attackers will also continue to use the latest and greatest technologies (be it in machine learning, AI, or open source components that are freely available) to carry out ever-more sophisticated attacks at even greater scale. At the same time, organizations will continue to struggle as they try to balance competing priorities: the need to improve security, reduce time to market, and complete projects within budget and time constraints. As we look to what will change in the year to come, California's SB-327 IoT bill will take effect on Jan 1, 2020 requiring manufacturers to build reasonable security into their connected devices. This is a step in the right direction as it will establish minimum standards and improve security of IoT devices available in the market. I anticipate there will be more legislative activity in 2020, especially in the US. The California Consumer Privacy Act will also take effect on January 1, 2020. I expect more states to follow suit. If done properly, regulations will bring about the accountability needed to improve the overall state of cybersecurity. We saw several high-profile GDPR-related lawsuits, fines, and settlements in 2019. I wouldn’t be at all surprised to see more of these hit the headlines in the coming year. Organizations tend to focus a good deal of attention on their end-point protection and network security, and this is indeed very important. But applications, another very critical piece in the overall security puzzle, often don’t get as much attention and therefore tend to become a weak link in terms of security.
Organizations need to test their applications throughout the development process for security vulnerabilities using methods such as interactive application security testing (IAST), static application security testing (SAST), or dynamic application security testing (DAST). They must also actively work to address the vulnerabilities detected by these testing methods.
December 16, 2019
Alex Heid
Chief Research Officer
SecurityScorecard
1. Forecasting cloudy days
Organisations seeking to retain their competitive edge will be accelerating their digital transformation strategies from “cloud first” to “cloud only” over the next few years. According to Gartner, the worldwide Infrastructure-as-a-Service (IaaS) public cloud market grew 31.3% in 2018 while the overarching cloud services industry grew 17.5%. More than a third of polled organisations listed cloud services as one of their top three technology investment priorities for 2019. Based on the data, Gartner estimates that the cloud services industry will nearly triple its size by 2022. As companies migrate their mission critical data and applications to the cloud, we predict that malicious actors will focus more on open ports, Distributed-Denial-of-Service (DDoS), and web application attack methodologies. Securing the cloud will need to be a primary initiative for organisations throughout 2020 unless they want to be another news headline.
2. Bringing in The Terminator
As more organisations look to mitigate data breach risks and costs, artificial intelligence and machine learning might be one answer to the problem. According to IBM’s “2019 Cost of a Data Breach” report, organisations using fully deployed AI/ML security solutions spent on average $2.65 million compared to the $5.16 million organisations without automation spent. As organisations face the stark reality that data breaches are now a “when” rather than an “if,” more will incorporate new, Big Data, analytic technologies to mature their cybersecurity programs. In combination with increased cloud migration, more companies will mature their cybersecurity programs using AI/ML for greater visibility and control over digital assets.
3. Malicious software phishing for critical infrastructure
Malicious nation-state actors will continue to focus on malware and ransomware attacks. Nation-state actors don’t just want to sell cardholder data on the Dark Web, they’re targeting critical infrastructure such as electricity and water companies. In August of 2019, emails sent to U.S. utilities companies contained a remote access trojan as part of a spear phishing campaign. The advanced persistent threat is another in a long line of attacks targeting critical infrastructure. With at least thirteen global presidential elections scheduled for 2020, we can expect to see more malware and ransomware attacks attempting to undermine voters’ confidence.
4. A flood of data privacy regulations
The cybersecurity Magic 8 Ball indicates that “all signs point to yes” when asking whether more regulations would come in 2020. CCPA and NY SHIELD foreshadow 2020’s privacy and security trends. The United States Congress debated a federal privacy regulation in June 2019. Despite being derailed at the end of the year, businesses and congresspeople alike are pushing to create a single, cohesive federal law governing privacy and security. The United States isn’t the only country looking to formalise and consolidate its privacy laws. The Saudi Arabian Monetary Authority (SAMA) cybersecurity framework in conjunction with the GDPR’s extraterritorial impact pressures other Middle Eastern countries to update their privacy regulations. For example, the Dubai International Financial Centre Authority (DIFCA) sent out a call for public commentary in June 2019.
5. More than quantity – also quality
If the GDPR and CCPA taught the cyber community one lesson in 2019, it would be that not all laws are created equally. While the GDPR and CCPA are testing just how far a “local” law can reach, India’s Personal Data Protection Bill and the failed New York Privacy Act test the standard of care companies need to provide. Both of these regulations use the term “data fiduciary.” Traditionally used in terms of money, a fiduciary duty requires a company to act in someone else’s (often shareholders’) best interests. If regulations continue to use the term “data fiduciary,” organisations may be held to a higher standard of care than “negligence.” If regulations begin to adopt the term “data fiduciary” in 2020, we predict a cultural shift recognising information as a financially valuable asset.
6. Building a security dam for your supply stream
Judging by the increased regulatory and industry standard focus on governance, compliance requirements will continue to focus on protecting your organisation from third-party risks. As more organisations add Software-as-a-Service (SaaS) applications to their IT catalogue, they also share more data with third parties. As new laws are enacted and enforced, companies will see more stringent vendor risk monitoring requirements and increasingly be held liable for losses caused by breaches arising from their supply stream. Continuous monitoring of your third-party risk may be one of the few ways to mitigate the financial impact of those breaches.
December 10, 2019
Steve Nice
Chief Technologist
Node4
In 2020, there’s no doubt that phishing and ransomware will continue to evolve and be the number one threat to businesses, as attackers are always looking for – and exploiting – new attack vectors. Whilst there may be headline grabbing attacks on connected vehicles, TVs etc, phishing and ransomware are still the primary revenues for cyber-criminal gangs, and users will still be blasé about security. Because of the number of major credential breaches being reported on in the mainstream press, and the ICO’s greater powers when it comes to fining companies, I think we’ll actually begin to see a decrease in these breaches, as companies become more diligent about security. However, there will be new vulnerabilities in 2020, and while older technologies (technical debt) will continue to be exploited, mobile phones will evolve to become a prime attack vector. For example, there could be a ransomware attack on Android phones, where the whole phone becomes completely inoperable unless you pay for a decryption key.
December 10, 2019
Anthony Di Bello
Vice President - Strategic Development
OpenText
Businesses will take steps to protect themselves against the inevitable
Over the past few years, businesses have started to take a more proactive approach when it comes to cybersecurity. However, there is still more that can be done and 2020 will be a key year for this adjustment. In 2020, the majority of businesses will accept an uncomfortable reality – a security breach is inevitable. This is not security fatalism, but security realism. The perimeter is gone. CEOs, CIOs and CISOs must embrace that bad actors are already inside the firewall and adopt proven technology that detects suspicious activity quickly enough to respond before a breach becomes a crisis. Businesses must also embrace solutions that provide security without compromising privacy.
Businesses will adopt automation to plug the industry-wide skills gap
Security teams are understaffed and will remain so in 2020. Sadly, sophisticated attackers are probably as well or better resourced and staffed than most security departments. In 2020, businesses will increase their investment in technology as a force-multiplier for security teams that are already stretched thin. Greater automation and contextualization of security alerts will help teams comb through mountains of false-alarms more quickly to prioritize the real threats. Unfortunately, any technology used for better cyber defense can also be applied by cyber attackers. Cybersecurity is a journey, not a destination. The most secure enterprises will focus on information governance to protect their most valuable information, will use smart automation to deal with cyber threats at scale, and will adopt a zero-trust mindset toward endpoints and identity.
December 21, 2019
Rosa Smothers
SVP of Cyber Operations
KnowBe4
Governments such as China, Russia – and as seen more recently with Saudi Arabia’s recruitment of a Twitter employee – will continue to pose counterintelligence (i.e., insider) threats to corporate America and our allies. The media is replete with stories regarding insider threats posed by our acknowledged adversaries and some “uneasy” allies. There is no return on investment to spend millions of dollars in time, money and effort to gain cyber access to a network when an intelligence service can spend less than $100,000.00 to gain the information they need by recruiting a willing employee with financial (or otherwise) vulnerabilities. Any organization with significant personally identifying information, especially as it relates to people in countries with politically vulnerable populations, should pay special attention to their insider threat education efforts.
December 05, 2019
Mark Sangster
Vice President and Industry Security Strategist
eSentire
Throughout 2019, eSentire has observed numerous instances of mid-sized organizations being targeted using tools specific to their industry, and this approach will continue into 2020. Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe, to access stores of sensitive information, and credit vendors, like American Express, to gain short-term access to personal and/or company credit accounts. Access to personal or organization emails can lead to the theft of sensitive information. It can also aid attackers in crafting more familiar and friendly-looking lures for spear (targeted) phishing. As this trend towards microtargeting continues, organizations need to ensure they have technical controls in place to detect these threats and also ensure they have a robust security education program in place for their employees.
December 05, 2019
Rob MacDonald
Director of Security Solution Strategy
Micro Focus
As new technology emerges and in the face of the ever-widening skills gap, organisations will need to adapt security processes… “As 5G technologies begin to roll out, the pace at which we see breaches occur will accelerate. To combat this, organisations will need to refocus on driving security integrations across the business, moving to a centralised environment. Due to the continued skills gap present in the industry, organisations will move to adopt AI and behavioural analytics which will drive automation to augment and fill security gaps and drastically improve response times and accuracy of threat identification.”
January 05, 2020
Hitoshi Kokumai
President
Mnemonic Security, Inc.
In 2020, may we expect to see off the 'password-less' hype. Assume that the password is removed from cyber security. Then digital identity platforms would have only two authenticators: physical tokens and biometrics. Biometrics by its nature requires a fallback measure against false rejection/non-match, and only the physical token could be the fallback measure for biometrics in this 'password-less' situation. Here we have only two scenarios. (1) Authentication by a physical token, with an option of adding another token (imagine an ATM which dispenses money without asking for your PIN = numbers-only password). (2) Authentication by biometrics deployed in a security-lowering ‘multi-entrance’ method with a physical token as the fallback measure, with an option of adding another token. Its security is even lower than (1). It would certainly be a very nice place for criminals. We should say a loud bye-bye to the hype of criminal-friendly 'password-less' authentication before it is too late.
January 01, 2020
David Richardson
Senior Director of Product Management
Lookout
• Mobile Will Become the Primary Phishing Attack Vector -- Lookout expects credential phishing attempts targeting mobile devices to become more common than traditional email-based attacks. Traditional secure email gateways block potential phishing emails and malicious URLs, which works for protecting corporate email from account takeover attacks, but neglects mobile attack vectors, including personal email, social networking, and other mobile centric messaging platforms such as secure messaging apps and SMS/MMS. Moreover, mobile devices are targeted not only because of these new avenues but also because of the personal nature of the device and its user interface. Enterprises must realize that when it comes to social engineering in a post-perimeter world, corporate email is not the only, or even the primary, attack vector used.
• 2FA is dead. Long live MFA. -- Authentication will move from two-factor to multi-factor, including biometrics in 2020. Most companies have implemented one-time authorization codes (OTAC) to provide two-factor authentication (2FA), but Lookout, and others in the industry, have already seen OTAC targeted by advanced phishing attacks. To protect against credential theft and to address regulatory compliance, enterprises are increasingly adopting MFA and biometrics using mobile devices. This new approach strengthens authentication and improves user experience, but it is critical that the mobile device is free from compromise.
• Threat Actors will Leverage Machine Learning to Operate Autonomously -- One example of where we may see attackers implement machine learning is into the execution of phishing campaigns. Phishing lures and landing pages will be A/B tested by AI algorithms to improve conversion rates, while new domains will be generated and registered by AI algorithms. These enhancements will allow attacks to move faster than most existing solutions could detect them.
• 2020 Election Hacking Will Focus on Mobile -- As cyber attacks have evolved to target mobile devices because of their nature and form factor, so will cyber attacks in the 2020 Presidential Election. Spear phishing campaigns are moving beyond the traditional email-based phishing attacks we saw in the 2016 election cycle to advanced attacks that involve encrypted messaging apps, social media and fake voice calls. Before the next election is over, we will likely see some kind of compromise as the result of a social engineering or mobile phishing attack, particularly as presidential campaigns embrace mobile devices in their canvassing efforts.
• Partnerships Are the New Consolidation -- Within the past decade there have been many mergers and acquisitions within the security industry. That trend will likely continue, but now vendors will also tightly integrate their solutions to improve enterprise security. And, as we move into 2020 and beyond, a new trend is emerging that will see security vendors forming alliances -- even with those they consider their competitors -- and strategically collaborating to combat threats for the greater good. A recent example of this is the App Defense Alliance, which was launched in late 2019 to combat malicious apps on Google Play. These alliances also have a positive effect on AI solutions, as the corpus of data grows for Machine Learning algorithms to ingest.
December 25, 2019
Jonathan Deveaux
Head of Enterprise Data Protection
comforte AG
New terminology coming: One term many technology professionals in the U.S. will all be hearing a lot is “DSAR.” What is a DSAR? A DSAR is a “Data Subject Access Request.” It is the act, from a consumer to an organization, requesting the details of how their personal data is being used within that organization. Additional requests from DSARs could be made to delete their data, or to disallow the sale of their data. Technology professionals can look within their organization today and ask how many times end-users are requesting an ‘audit’ of their data. The question is, can they provide this information if they were asked today? Get ready for this term, as upcoming data privacy laws (such as the CCPA data privacy law going into effect January 1, 2020) may require organizations to respond to DSARs within a certain timeframe.
The Return of PCI DSS: For the past two years, data privacy regulations and laws have been getting much of the attention in compliance. The Payment Card Industry Data Security Standards (PCI DSS) have been a principal model when it comes to data security for payment cardholder data. In 14 years, no organization that was or is 100% PCI DSS compliant has experienced a data breach of its payment card data. Many organizations, however, have difficulty in achieving 100% compliance, and therefore choose to compensate for this and declare certain data security controls that are in place, while they are attempting to reach the PCI DSS requirement. Word is getting out that when PCI DSS v4.0 is finalized towards the end of 2020, the use of Compensating Controls as a compliance method will be no longer allowed. The PCI Security Standards Council will provide more guidance on this in the coming year.
The convergence of data security technologies: Companies are subject to various data security and data privacy regulations that demand different ways of how data should be protected. Up until now, the capabilities to meet the different regulatory requirements are available by mixing products from different vendors. At the same time, several recent surveys have shown that skills shortage and the complexity of current security solution portfolios are amongst the top challenges for CISOs. The market is asking for simplification and ease of operations. As a result, we will see that the convergence of protection methods like tokenization, format-preserving encryption, and data masking onto single data security platforms will have much attention in 2020.
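The three protection methods named in the comment above (tokenization, format-preserving encryption and data masking) are listed but not shown. The following Python is an added example, not code from comforte AG or from this article: it implements vault-style tokenization that keeps a payment card number's length, last four digits and Luhn validity, alongside irreversible masking for display and logs, and shows why a leaked token is useless without the vault. Format-preserving encryption proper (a keyed cipher such as NIST FF1) is not implemented here. The TokenVault class, the function names, the HMAC-keyed fingerprint used to make tokenization idempotent, and the sample PANs (public, Luhn-valid test numbers, not real accounts) are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample input: public test PANs that are Luhn-valid but are not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    # Walking right to left, the first digit met is doubled because the check
    # digit (not yet appended) will occupy the rightmost position.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the string is all digits and its last digit is the Luhn check digit."""
    return len(pan) > 1 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str, visible: int = 4) -> str:
    """Irreversible masking for screens and logs: only the last `visible` digits survive."""
    return "*" * (len(pan) - visible) + pan[-visible:]


class TokenVault:
    """Vault-style tokenization (hypothetical API for this example). The plaintext
    PAN is stored only inside the vault; every other system stores a random token
    that keeps the PAN's length, last four digits and Luhn validity, so legacy
    field validation still passes but a leaked token reveals nothing."""

    def __init__(self, hmac_key: Optional[bytes] = None) -> None:
        # A keyed fingerprint lets the vault recognise a PAN it already holds
        # (same PAN -> same token) without keeping a plaintext lookup index.
        self._hmac_key = hmac_key or secrets.token_bytes(32)
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_fp: Dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("input is not a Luhn-valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        for _ in range(1000):
            # Random prefix plus the original last four; about one candidate in
            # ten is Luhn-valid, so a bounded retry loop is all that is needed.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if luhn_valid(token) and token != pan and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                self._token_by_fp[fp] = token
                return token
        raise RuntimeError("could not generate a unique token")

    def detokenize(self, token: str) -> str:
        """Reversal is only possible with access to the vault itself."""
        return self._pan_by_token[token]


def demo(vault: TokenVault, pan: str) -> Dict[str, object]:
    """Tokenize, mask and round-trip one PAN; returns the properties a reviewer would check."""
    token = vault.tokenize(pan)
    return {
        "masked": mask_pan(pan),
        "token": token,
        "token_luhn_valid": luhn_valid(token),
        "last4_preserved": token[-4:] == pan[-4:],
        "round_trip_ok": vault.detokenize(token) == pan,
        "idempotent": vault.tokenize(pan) == token,
    }


if __name__ == "__main__":
    vault = TokenVault()
    for sample in SAMPLE_PANS:
        print(demo(vault, sample))
```

The design point is the split of trust: systems outside the vault can validate, display and correlate on the token (last four digits and Luhn check still work), while only the vault, guarded by its own access controls, can turn a token back into a PAN. Masking is the cheaper, one-way relative for anything that never needs the full number again.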
December 21, 2019
Kai Roer
Security Culture Advocate
KnowBe4
In 2020, the use of the term security culture will continue to increase as more organizations understand what it takes to reduce risk and manage security in their workforce. A combination of training, assessments and a structured process is being implemented to manage the human factors that influence security.
December 18, 2019
Ben Goodman
SVP of Global Business and Corporate Development
ForgeRock
Consumers already log in to dozens of protected resources every day: from email, banking and financial accounts, social media, healthcare, government accounts, and beyond. Even when tools like TouchID are leveraged, each of these resources currently still has an associated username and password that can be attacked. To save time and remember their credentials for all these sites, consumers reuse the same username and password across several sites. As a result, the user’s exposure from any one security breach on one of those profiles dramatically increases the odds that additional accounts can be compromised as well, allowing attackers to access far more sensitive information. Users can also put their employer at risk of being breached if they use the same login credentials across personal and professional accounts. Organizations have reacted to this risk by increasing their password policies and requiring more and diversified characters, as well as more frequent password changes; however, this still allows users to reuse usernames and passwords across different accounts. To eliminate this issue, passwordless authentication methods, such as using out-of-band steps on smartphones that leverage push notifications, will become widely adopted. In fact, Gartner estimates that 60% of large and global enterprises, as well as 90% of midsize organizations, will leverage passwordless methods in over 50% of use cases by 2022. Companies that properly implement passwordless authentication will not only be more secure, but they subsequently improve the overall user experience by reducing friction in the login process.
December 10, 2019
Steve Schlarman
Director & Portfolio Strategist
RSA Security
The API house of cards will start to tumble
Many organisations have stitched together a fragile network of legacy systems via API connections to help better serve customers and improve efficiency. A security incident in the New Year will disrupt the patchwork of connections and it will lead to major outages. The event will serve as a call-to-action for security and risk teams to evaluate how their IT teams are patching systems together.
December 10, 2019
Dr. Zulfikar Ramzan
Chief Digital Officer
RSA Security
The rise of cyber-attacks in the crypto-sphere
The security of cryptocurrencies rests on safeguarding users’ private keys, leaving the ‘keys to the kingdom’ accessible to anyone who fails to adequately protect them. Cybercriminals usually follow the money, so expect that cryptocurrencies will be at or near the top of attackers’ wish lists in 2020.
December 09, 2019
Simon Marchand
Chief Fraud Prevention Officer
Nuance
Companies will own up to their responsibility for safety.
The case for why companies should protect consumer data is clear: companies lose less money and consumer information is safe from predators. But in the event of a data breach, what many people don’t consider is that once their data is stolen, it is often made available for the highest bidder on the dark web. And, in some cases, this personal data is used to fund some of the most heinous of crimes—from terrorist organizations to drug and human trafficking. Companies have a responsibility to stop the broader implications of fraud that go beyond their bottom line and their brand perception. It’s not only about preventing customer information from being stolen, it’s preventing fraudsters from getting into organisations with information stolen elsewhere. Many companies will increasingly allocate more resources to understanding the growing sophistication of fraudsters and the latest fraud attack vectors (SIM swapping, mules, scripting, etc.), the consequences of criminally acquired credentials (emails, zip codes, SSNs, and other highly personal information), and the technology and best practices to protect against fraud. Part of this will be done tactically—for example by tracking the life of a stolen credential (from it being sold on the Dark Web, to being used to acquire credit cards and goods that are then sold for a profit, to the use of these profits to fund organized crime rings and more)—but also as a broader organisational mindset that fraud isn’t just a “cost of doing business” any more.
Consumers will take control of their vulnerability to fraud.
As consumers react to the growing number of data breaches and demand better protection from the companies with whom they do business, they will also start to take matters into their own hands. While using multi-factor authentication for all accounts (whether a mobile app, website, call center or other customer service channel) for secure authentication has long been a best practice, consumers will begin using a password in conjunction with another authentication technique to help protect their data and devices when available. This means opting for biometrics—such as voice recognition, fingerprint, face scanning, etc.—when it is available. Facial recognition and fingerprint ID on smartphones and other devices have paved the way for making consumers comfortable and accustomed to biometric identification. Biometrics—from voice to behavior and other forms of biometrics technologies—are a natural extension, and convenient for companies to adopt because they don’t have to redesign physical systems or devices.
    December 07, 2019
    Tom Mowatt
    Managing Director
    Tools4ever
    Whelp, it’s almost 2020. Some technology has exceeded expectations and others, well, not so much. Five years ago, we should’ve had widely available hoverboards, self-drying and fitting jackets, and flying cars. Hanna-Barbera promised a cutting-edge, underwater research lab; thankfully, we still have 42 years to chase the Jetsons. Despite many of our wildest technology expectations failing to live up, the last decade of identity and access management development has yet to let us down. Hoping that our 2020 predictions remain accurate in hindsight, we expect the continued proliferation of IAM cloud capability and integrations to keep transforming enterprise technology and the way we do business.

    SSO protocols will steadily decrease the need for unique accounts and credentials for every resource – as such, Active Directory should watch its back. With the adoption of SAML, OAuth 2.0, OpenID and more protocols, consumers have begun to see a drastic reduction in the number of unique accounts and credentials they must use to log in to various websites. Need to log in to manage a website or do some online shopping? Just use your Google or Facebook account to verify your identity. This trend will not only continue to dominate throughout B2C efforts, but will take hold of B2B and internal business operations thanks to the SSO developments made by Tools4ever, Okta, and other industry leaders. Because of this and the maturation of cloud platforms, such as GSuite, there will be a point in the not-too-distant future where Microsoft’s market hold with (on-premise) Active Directory is no longer bolted to the crust of the earth. As more and more enterprises transition from on-premise to hybrid infrastructure and from hybrid to full cloud deployments, protocol flexibility means having to rely less on systems and applications that look to AD to authorize users’ access. Devices such as the widely popular Google Chromebooks have shown that the AD divorce is much more possible than many might realize. In an industry that prizes disruption above all, expect to see a few directory Davids challenge Goliath.

    Downstream resources will benefit from increased integration. Coinciding with the increasing use of protocols to connect IT resources, you can also expect your downstream systems, applications, and other resources to better utilize identity data. The protocols mentioned above safely transfer some amount of identity information to verify users. The next step will be seeing how we can then leverage the information transferred within the protocols. Provisioning will be far more rapid, as transferred identity data will help immediately create accounts and configure access levels. Continually improving integrations will provide administrators and managers far more granular control during initial setup, active management, and deactivation. Increased connectivity will allow much of this management to be centralized at the source of the authoritative identity data and easily pushed out from there. Systems and applications will better incorporate identity data to enforce a given user’s permissions within that resource.

    Multifactor authentication (MFA) will pervade our login attempts and increase the security of delivery to stay a step ahead. Already popular amongst some enterprise technologies and consumer applications handling sensitive, personal data (e.g. financial, healthcare), MFA will continue to transform our authentication attempts. Much has been made over the years about password complexities and poor safeguarding, but human error and “it’s easy to remember” remain persistent pitfalls. The addition of MFA helps immediately add further security to authentication attempts by having the user enter a temporarily valid pin code or verify by other methods. The area to watch with MFA is the delivery method. SMS notifications were the first stand-out, but forced some organizations to weigh the increased costs messaging might bring on their company’s mobile phone plan. SMS remains common, but all things adapt and hackers’ increased ability to hijack these messages has made their delivery less secure. Universal one-time password (OTP) clients, such as Google Authenticator, have both increased security and made the adoption of MFA policies significantly easier via time-sensitive pin codes. Universal clients also eliminate the need for every unique resource to support its own MFA method. Already evolving, pin codes are beginning to be replaced by “push notifications”, which send a simple, secure “yes/no” verification prompt. After downloading the client app and registering your user account, a single screen tap will be all it takes to add extra security to your logins. Gartner has been extolling push notifications for a couple years now as the future, having predicted that 50% of enterprises using mobile authentication will adopt it as their primary verification method before the decade closes.
    January 07, 2020
    Greg Wendt
    Executive Director
    Appsian
    Enterprises can expect the trend of increased data breaches in ERP systems to continue to rise in 2020. Since ERP was first designed as an application product, ERP systems cannot evolve alongside an organization's ever growing IT environment and are unable to integrate with advanced security initiatives. It is and will remain very challenging to keep ERP systems up-to-date and due to the business criticality of these applications, enterprises are wary of switching them out entirely. In order to secure ERP systems in 2020, business owners must realize the criticality of their businesses’ usability of ERP apps. It is the business owner who is more familiar with the users, and as Gartner concluded, it is the user – not the provider – who fails to manage the controls used to protect an organization’s data. With the growing number of connected applications running across the company, such as payment and HR apps, business owners need to evolve their ERP systems and go beyond firewalls. This year there will be a shift of CIOs from systems technology experts to data-centric experts as security increasingly becomes more of a data level issue. As enterprises become more and more aware that the security of sensitive ERP data is a high priority especially with the rise in data privacy regulations such as CCPA, there will be a rise in CDO roles as well as a shift in the roles of CIOs from focus on systems to a focus on data. This shift will cause many challenges though, as the majority of CIOs do not specialize in the systems aspect of ERP. Yet, the rise in data-centric compliance initiatives as well as the deployment of fundamental security tools such as multi-factor authentication and SSO within the enterprise, will ease the transition from a systems-centric CIO to a data-centric CIO. Additionally, from an organizational perspective, we can expect more CIO and CISOs at the board level as organizations continue to mature and invest further in security and understand the varying operational budgets.

    We can expect more enterprises adopting Privileged access management (PAM) as a key IT security project as well as effective access controls due to heightened third-party risk. PAM is the first, fundamental level of data protection, privacy and compliance when logging and auditing are concerned, and with more and more data privacy regulations on the horizon, PAM will become a key IT security project in the coming year. Additionally, given that the majority (83%) of organisations engaging with third parties to provide business services identified risks, organizations must hold all third parties at greater liability and bind them by their contracts as to data protocols if breached in 2020.

    Users will increasingly demand ERP access beyond their corporate networks. As organizations continue to ask more of their employees, employees will insist that their ERP transactions are available from any location, at any time. In order to maintain high levels of security, ERP transactions have traditionally been available (only) behind corporate firewalls. However, this model immediately causes user push-back, especially as more organizations rely on mobile workforces to scale and keep business running in the coming years. When enterprises insist that employees only execute their ERP transactions when they have access to a corporate network, users will inevitably avoid it which will cause increased strain on an organization across functions. Therefore, in 2020, we can expect more organizations to invest in solutions that focus on enhancing access controls and logging. More and more organizations will begin to understand the importance of expanding access as a table stakes initiative as productivity requirements shift, demanding users to be as mobile as possible.
    January 01, 2020
    Hugo van Den Toorn
    Manager, Offensive Security
    Outpost24
    What will be the top five cybersecurity threats to businesses in 2020? Will ransomware and BEC attacks still be the biggest threats or will any new ones come to light?
  • Supply chain attacks are a constantly developing threat. Although overall, they seem limited to more advanced and determined adversaries, the risk is evolving. What to do when you struggle to catch the big fish? Poison its bait! Target a supplier that has far less security control in place and from that ‘island’ you can jump straight onto your target. From a defensive perspective this is a difficult thing to prevent. The larger the organisation, the harder it is to enforce security and perform business impact assessments for each and every supplier. 2020 might just be the year that gives us more large-scale examples of this threat.
  • I think ransomware is a prevalent threat and still something that should be taken seriously in 2020. We see that large organisations are well aware of the risk and taking the necessary precautions. Looking at the number of municipalities, hospitals and small businesses fallen prey to ransomware this year, we clearly see a shift towards the public sector and SMEs. As these targets overall have lesser security, chances are that a greater number will fall victim and actually pay the ransom, making ransomware still very profitable for adversaries. Good to note is that ransomware still, more often than not, seems to rely mainly on the human element… Which brings us to the next point: phishing.
  • Business email compromise and phishing in general are ever evolving and will most likely continue to grow in both volume and sophistication. The past year we have seen an increase in advanced phishing methods targeting applications secured with two-factor authentication (2FA) and almost all reported phishing websites appear to use a secure HTTPS connection. Although it is a good trend that 2FA and use of HTTPS are being adopted, we see that end-users still fall prey to phishing. Hopefully 2020 will also be the year of increased support and adoption for hardware authentication devices.
  • In line with phishing, SMS phishing (or Smishing) seems to be on the rise. More and more Smishing campaigns appear to be executed by adversaries, most of which are going full-circle to where we were ten-or-so years ago with email: The sender can easily be spoofed, and we will rely on the inherent trust users have in this type of message. Most Smishing campaigns don’t seem to focus that much on the content of the text message, as long as the content puts some pressure on the victim and the company name that is used as sender matches the victim’s profile they will click. The included hyperlinks are often not even masking the fact that it is an illicit webpage: ‘https://resetyouroutpost24password.evilhackerwebsite.com’… right!
    What impact will GDPR have in 2020? Will we see larger fines than those against BA and Marriott?
  • Hopefully we will see the effects of GDPR. We seem to have surpassed the ‘peak of inflated expectations’ (to put it in Gartner terms), where each and every vendor drives on the ‘GDPR fear’. In 2020 we will hopefully see realistic fines and proportionate action on violations of GDPR.
    What will be the leading cause of data breaches in 2020?
  • The human element will most likely remain the leading cause of data breaches.
    How will the most successful cybercriminals operate in 2020? State-sponsored hacking attacks? As part of cybercrime rings? Lone warriors?
  • Cybercrime is constantly growing, with new phishing and ransomware attacks (and associated tools) I expect cyber-criminals to have the biggest impact next year. Looking at the global political situation, nation-state attackers are also likely to make some headlines next year. However, with these actors it might also happen without it ever making the news. Only time will tell!
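The Smishing link quoted above works because the brand name sits in the subdomain while the registrable domain belongs to someone else, and the HTTPS padlock says nothing about who that is. The check below is an added illustration, not code from the comment above or from Outpost24: it takes a link, works out the registrable domain, and flags the message when a protected brand name appears anywhere in the link but the registrable domain is not on that brand's allowlist. The public-suffix set and the brand allowlist are constructed stand-ins (a deployment would load the real Public Suffix List), and every hostname except the one quoted in the comment is made up.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real deployment loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "nl", "co.uk", "org.uk"}

# Constructed allowlist: brand keyword -> domains that brand legitimately sends links from.
BRAND_DOMAINS = {"outpost24": {"outpost24.com"}}


def registrable_domain(host: str) -> str:
    """Registrable (organizational) domain: one label to the left of the longest public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels[-2:])


def assess_sms_link(url: str, brand_domains=BRAND_DOMAINS) -> dict:
    """Flag a link whose text name-drops a protected brand while pointing at another domain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    searchable = host + parts.path.lower()   # brand may be hidden in the subdomain or the path
    findings = []
    for brand, allowed in brand_domains.items():
        if brand in searchable and reg not in allowed:
            findings.append(
                f"'{brand}' appears in the link but it points at '{reg}', "
                f"which is not an allowlisted domain for that brand")
    return {
        "host": host,
        "registrable_domain": reg,
        "https": parts.scheme == "https",   # recorded, but never treated as a trust signal
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for link in ("https://resetyouroutpost24password.evilhackerwebsite.com",
                 "https://portal.outpost24.com/reset"):
        print(link, "->", assess_sms_link(link))
```

A practical use is in a user-reporting pipeline or an MDM message filter: the same logic applies to e-mail links, and it generalises beyond the quoted case to brand names placed in the path or joined to the real domain with a hyphen.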
    December 25, 2019
    Saryu Nayyar
    CEO
    Gurucul
    BEC impacts finance teams more than IT, so there are few, if any, controls in place to identify and stop this fraudulent activity. It's not like you can configure your security solution (firewalls, IPS, DLP etc) to block these transactions. BEC traverses boundaries and becomes part of the fraud team’s work (if there even is a fraud team in the organization). For these reasons, BEC attacks will be on the rise in 2020.
    December 12, 2019
    Patrick Lastennet
    Director of Business Development, Enterprise
    Interxion
    Traditionally, enterprise infrastructures have been centralized around their own, on-premises data centre. This has made securing their environments somewhat less complex, as organizations could effectively manage all of their internal workloads in one place. But if you’ve read anything about IT management over the past decade, it’s clear that this traditional network architecture is evolving. It’s transitioning toward a decentralized model where enterprises can tap cloud providers, SaaS platforms and proprietary data centres, which makes for a far more distributed architecture. And, as organisations think about their more decentralized architectures and the requirements for seamless connectivity across platforms and environments, rethinking their security strategy as part of that will be critical. To have a successful distributed architecture, enterprises need a security strategy that combines physical and network security with robust encryption key management to mitigate threats without inhibiting performance.
    December 12, 2019
    Brian Downey
    Vice President Product Management
    Continuum
    In 2019 we started to see a significant increase in the number of attacks on managed service providers, with 74 percent of MSPs suffering a cyberattack, and 83 percent reporting that their SMB customers suffered one as well. While this pattern will not be new in 2020, the exponential growth in this method of attack, as well as the accountability of the service provider, is something we expect will continue in the next year. As cybercrime continues to evolve and become more complex, it will be more important than ever in 2020 for both sides to work together to take a proactive, collaborative approach in the upcoming years to protect themselves from cyberattacks. This will involve education and increased investment in cybersecurity training programs so that MSPs and SMBs stay in tune with the IT landscape.
    December 12, 2019
    Peter Goldstein
    https://www.valimail.com/
    Valimail
    DMARC adoption will grow across industries. We’ll see a continued increase in Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from spoofing, and the number of domains using it has grown 5x in the last 3 years. We’ll see increased growth across several verticals in 2020 - especially healthcare and government. Following the lead of the federal government’s civilian branches, the Department of Defense will soon be requiring all of its domains to enforce DMARC, resulting in an increase in the number of military domains protected. H-ISAC, a global nonprofit organization serving the health care sector, has urged health care companies to adopt DMARC as part of best practices for securing email, and as a result we’ve already seen a rise in adoption rates in this vertical. This growth will continue throughout 2020.
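"Enforcing DMARC" in the comment above means publishing a `p=quarantine` or `p=reject` policy that actually applies, rather than the monitoring-only `p=none` that most first deployments start with. The following is an added illustration, not code from the comment above or from Valimail: it parses a DMARC TXT record, tells enforcing records from monitoring ones (including the `pct=0` trap), and evaluates the receiver-side decision, which is the RFC 7489 rule that a message passes when either SPF or DKIM passes with an identifier aligned to the From domain. The record and domains are constructed, and the organizational-domain helper is a two-label approximation of what a real implementation derives from the Public Suffix List.

```python
# Constructed sample record; a real one is published at _dmarc.<domain> as a TXT record.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; v=DMARC1 and p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    if tags["p"] not in VALID_POLICIES or tags.get("sp", tags["p"]) not in VALID_POLICIES:
        raise ValueError("unknown policy value")
    return tags


def is_enforcing(tags: dict) -> bool:
    """Enforcing = quarantine/reject AND a non-zero sampling percentage (pct=0 is monitoring only)."""
    return tags["p"] in ("quarantine", "reject") and int(tags.get("pct", "100")) > 0


def organizational_domain(domain: str) -> str:
    # Assumption: last two labels. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') is an exact match, relaxed ('r') the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = authenticated_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(tags: dict, from_domain: str, spf_pass_domain=None,
                   dkim_pass_domain=None, record_domain=None):
    """Receiver decision. spf_pass_domain / dkim_pass_domain are the domains that
    passed SPF (MAIL FROM) / DKIM (d=), or None if that check failed.
    Returns (result, disposition)."""
    spf_ok = spf_pass_domain is not None and is_aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and is_aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    record_domain = (record_domain or from_domain).lower()
    # sp= governs subdomains of the publishing domain and defaults to p=.
    policy = tags["p"] if from_domain.lower() == record_domain else tags.get("sp", tags["p"])
    return "fail", policy


if __name__ == "__main__":
    tags = parse_dmarc_record(SAMPLE_RECORD)
    print("enforcing:", is_enforcing(tags))
    print(evaluate_dmarc(tags, "example.com", spf_pass_domain="bounce.example.com"))
    print(evaluate_dmarc(tags, "example.com", spf_pass_domain="attacker.example"))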
    December 10, 2019
    Anurag Kahol
    CTO
    Bitglass
    Threat actors are always enhancing their current tactics, techniques, and procedures (TTPs) as well as creating new ones in order to infiltrate businesses and steal data, implant ransomware, and more. One technique that will continue to gain traction in 2020 is lateral phishing. This scheme involves a threat actor launching a phishing attack from a corporate email address that was already previously compromised. Even the savviest security-minded folks can be lulled into a false sense of security when they receive an email asking for sensitive information from an internal source – particularly from a C-level executive. As we will continue to see cybercriminals refining their attack methods in 2020, companies must be prepared.
    December 10, 2019
    Piers Wilson
    Head of Product Management
    Huntsman Security
    Looking forward to 2020, one of the biggest risks to organisations is that they fail to understand the link between cyber security and reputation. Nowadays, we see a public much less inclined to stand for mistakes and social media channels that can quickly become filled with indignation, vitriol, complaints and dissatisfaction. So while boards might perceive cyber security impacts like the loss of data, forensics costs or GDPR fines - a breach that hits the headlines AND captures the public on a negative wave could well lead to the kind of reputational damage and consumer activism we have already seen around labour practices, boardroom inequality, sexual harassment, tax affairs and environmental practices. If people are ready to organise boycotts and on-line protests with hashtags around - say - the treatment of female employees or single use plastics, then we could easily see #boycottpoorsecurity #saynotodatasharing or #nobreachofmydata.
    November 27, 2019
    Bill Holtz
    CEO
    Sectigo
    On automation: “Automation will become critical for businesses to secure websites, connected devices, applications, and the digital identities that are critical to preventing crippling and costly attacks. Ransomware attacks, data breaches, and email impersonation continue to increase as cybercriminals become more sophisticated, making it imperative to eliminate the potential for human error in cybersecurity operations. Functions that require human intervention and are laborious and error-prone will be replaced by technologies that automate the protection of security elements at scale. Automation features were ‘nice-to-have’ in the past, but enterprises today understand their essential value in compliance and establishing safe internet practices.”
    December 21, 2019
    Laurence Pitt
    Global Security Strategy Director
    Juniper Networks
    Any threat that costs money, and especially where it affects public money (government and healthcare) will remain newsworthy. We’ll see more attacks using common vectors, such as phishing, download via malvertising, etc., but also attacks that use old methods with new vectors. The Masad Stealer attack, reported by Juniper Threat Labs in late 2019, is a good example of this, where data (and money) was stolen via malware injected into a used and respected piece of software.
    December 21, 2019
    James McQuiggan
    Security Awareness Advocate
    KnowBe4
    As energy facilities continue to be targeted for cyber attacks, the need for Operational Technology (OT) departments and Information Technology (IT) to collaboratively solve the cybersecurity issues will be of increased importance for organizations. They will need to collaborate with their own corporate Security Operations Center (SOC) or utilize virtual SOCs to continually monitor their SCADA or DCS networks, monitoring network activity and assets connecting and disconnecting from the networks.
    December 21, 2019
    Roger Grimes
    Data-driven Defence Evangelist
    KnowBe4
    Social engineering and unpatched software will remain the top two root causes for successful exploits as they have been for over three decades. Everyone knows they are the top two causes, but most of the world will not treat them like the top threats they are. Instead, they will be mostly ignored or weakly mitigated while most of the world concentrates more resources on things less likely to happen.
    December 12, 2019
    Chris Doman
    Security Researcher and Threat Engineer
    AT&T Alien Labs
    Supply chain vulnerabilities on the decline thanks to automation: There are several new automation technologies that automatically detect and fix security vulnerabilities in source code. For example, one-code repository improves the fundamentals around how quickly problems with dependencies are identified. Because of these improvements in the way security patches with open source code are automatically identified and remediated, in 2020, we’ll see fewer supply chain issues in code.

    Less buzz about buzzwords: With the industry already drowning in marketing buzz about artificial intelligence (AI) and machine learning (ML), in 2020 we’ll begin to see these terms used more selectively – both in security solutions themselves and in marketing materials.
    December 05, 2019
    Josh Lemos
    VP of Research and Intelligence
    BlackBerry Cylance
    Uncommon attack techniques will emerge in common software
    Steganography, the process of hiding files in a different format, will grow in popularity as online blogs make it possible for threat actors to grasp the technique. Recent BlackBerry research found malicious payloads residing in WAV audio files, which have been utilised for decades and categorised as benign. Businesses will begin to recalibrate how legacy software is defined and treated and effectively invest in operational security around them. Companies will look for ways to secure less commonly weaponised file formats, like JPEG, PNG, GIF, etc. without hindering users as they navigate the modern computing platforms.

    Changing network topologies challenge traditional assumptions, require new security models
    Network-based threats that can compromise the availability and integrity of 5G networks will push governments and enterprises alike to adopt cybersecurity strategies as they implement 5G spectrum. As cities, towns and government agencies continue to overhaul their networks, sophisticated attackers will begin to tap into software vulnerabilities as the expansion of bandwidth that 5G requires creates a larger attack surface. Governments and enterprises will need to retool their network, device and application security, and we will see many lean towards a zero-trust approach for identity and authorisation on a 5G network. Threat detection and threat intelligence will need to be driven by AI/ML to keep up.

    2020 will see more cyber/physical convergence
    As all sectors increasingly rely on smart technology to operate and function, the gap between the cyber and physical will officially converge. This is evident given the recent software bug in an Ohio power plant that impacted hospitals, police departments, subway systems and more in both the U.S. and Canada. Attacks on IoT devices will have a domino effect and leaders will be challenged to think of unified cyber-physical security in a hybrid threat landscape. Cybersecurity will begin to be built into advanced technologies by design to keep pace with the speed of IoT convergence and the vulnerabilities that come with it.

    State and state-sponsored cyber groups are the new proxy for international relations
    Cyber espionage has been going on since the introduction of the internet, with Russia, China, Iran and North Korea seen as major players. In 2020, we will see a new set of countries using the same tactics, techniques, and procedures (TTPs) as these superpowers against rivals both inside and outside national borders. Mobile cyber espionage will also become a more common threat vector as mobile users are a significant attack vector for organisations that allow employees to use personal devices on company networks. We will see threat actors perform cross-platform campaigns that leverage both mobile and traditional desktop malware. Recent research discovered nation-state based mobile cyber espionage activity across the Big 4, as well as in Vietnam, and there’s likely going to be more attacks coming in the future. This will create more complexity for governments and enterprises as they try to attribute these attacks, with more actors and more endpoints in play at larger scale.
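A WAV file is a RIFF container, so one cheap triage step for the "payload inside a benign format" problem described above is structural: walk the chunk list and report anything a normal encoder would not produce, such as chunk ids outside the standard set or bytes appended after the size the RIFF header declares. The scanner below is an added illustration, not code from the comment above or from BlackBerry's research; it does not detect data hidden inside the audio samples themselves (LSB-style embedding), which needs statistical analysis, but it catches the cruder variants and malformed containers. The sample files are built inline by the constructed `build_wav` helper, and the known-chunk set is an assumption to be tuned per environment.

```python
import struct

# Chunk ids a benign WAV encoder commonly emits (assumption: tune for your environment).
KNOWN_CHUNKS = {"fmt ", "data", "fact", "LIST", "cue ", "plst", "labl", "note",
                "ltxt", "smpl", "inst", "bext", "PEAK", "id3 ", "JUNK"}


def build_wav(samples: bytes, extra_chunks=()) -> bytes:
    """Constructed minimal 16-bit mono PCM WAV used only to exercise the scanner."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)   # PCM, mono, 8 kHz, 16-bit
    body = b"WAVE"
    body += b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(samples)) + samples + (b"\x00" if len(samples) % 2 else b"")
    for chunk_id, payload in extra_chunks:
        body += chunk_id + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) % 2 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body


def scan_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report structural anomalies."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    declared = struct.unpack("<I", blob[4:8])[0]
    riff_end = 8 + declared                      # where the container says the file ends
    limit = min(riff_end, len(blob))
    chunks, pos = [], 12
    while pos + 8 <= limit:
        chunk_id = blob[pos:pos + 4].decode("latin-1")
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        chunks.append((chunk_id, size))
        pos += 8 + size + (size & 1)             # chunks are padded to an even length
    unknown = [cid for cid, _ in chunks if cid not in KNOWN_CHUNKS]
    trailing = max(0, len(blob) - riff_end)      # bytes no WAV parser will ever read
    truncated = riff_end > len(blob)
    findings = []
    if unknown:
        findings.append(f"non-standard chunk ids: {unknown}")
    if trailing:
        findings.append(f"{trailing} bytes appended after the RIFF structure")
    if truncated:
        findings.append("RIFF size exceeds file length (truncated or corrupt)")
    if "data" not in [cid for cid, _ in chunks]:
        findings.append("no data chunk")
    return {"chunks": chunks, "unknown_chunks": unknown, "trailing_bytes": trailing,
            "truncated": truncated, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    clean = build_wav(bytes(range(16)))
    print(scan_wav(clean))
    print(scan_wav(clean + b"\x90" * 70))   # constructed appended blob
```

In a pipeline this belongs next to, not instead of, content inspection: flag the file, then hand the unknown chunk or trailing region to the same detonation or YARA stage as any other unknown blob.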
    November 20, 2019
    Ken Galvin
    Senior Product Manager
    Quest KACE
A new role will emerge in the organisation - Ransomware Attack Specialist
In 2020, I expect we’ll see the creation of a new role, the Ransomware Attack Specialist, and when something damaging happens, they will be the one in an organisation who is charged with leading teams to remediate the problem. Half the battle in solving a security problem is isolating it, but with overtaxed and stressed IT personnel and the back and forth required to make a plan, get it approved and determine the budget to resolve an issue, there’s always a lag. The C-level is beginning to understand now, more than ever, the importance of protecting against ransomware attacks -- especially with a 118 percent rise in ransomware attacks in the first quarter of 2019 alone. With the creation of this new role, there will now be someone specifically delegated to work with teams to identify security issues, determine how to solve them and ensure that appropriate measures are approved in order to protect against these increasingly sophisticated attacks.

Organisations will focus on the fundamentals to help establish a strong security posture as threat vectors become more sophisticated
Next year, we’ll continue to see more cyberattacks, with an increase in targeted approaches aimed at businesses, specifically across healthcare and government organisations, with phishing emails emerging as a key threat vector. Combined with the rise of IoT, this potentially exposes multiple entry points for hackers to infiltrate the organisation, making for an even more challenging job for IT teams to sustain a high level of security. To help maintain security, in 2020 we’ll see security teams take a more proactive approach to ensuring a strong security footprint and focus on the fundamentals, such as regular patch management that ensures all endpoints run the latest OS and application versions, and regular inventories of all hardware and software installed across the network.

Better collaboration across functional areas will result in a strong security posture
Ransomware attacks are becoming more sophisticated and frequent, yet there is still a lack of talent in the industry -- there will be 3.5 million unfilled security jobs globally by 2021 according to the Cybersecurity Jobs Report. Additionally, institutionalised controls and inflexible responsibilities isolate personnel and restrict resources. Add siloed security solutions on top of that and it’s a lot of running around to gather the information needed to remedy any threats. A lack of talent and a fractured infrastructure enables hackers to sneak in between the cracks, which is why we’ll see more teams coming together to collaborate on security in 2020. Collaboration across all areas within an organisation will be critical to ensuring a strong security footprint. Security teams will start to work across teams and within different departments, including IT and HR. This better collaboration will break down silos and better protect and secure data. There will be more communication, improving basic security hygiene and enabling better visibility, because you can’t protect or secure what you don’t know you have.

Increased adoption of automation will make it easier to find and fix security issues
To develop a proactive approach to security, there are many systems and devices that must work in tandem. Disciplined scanning, consistent patching, least privilege management enforcement, as well as the enforcement of disposable policies (including lifecycle asset management) are the responsibility of IT teams. It’s a tall order. We’ll see automation start to play a key role in managing all these elements. In 2020, we’ll see more IT and security teams invest in – and see the benefits of – automation tools to eliminate manual processes and identify and fix security issues faster. However, I’d caution IT teams to take a thoughtful approach to implementing automation and prioritise which processes will benefit the most from automation in the short term vs. the long term, as it is a technical and cultural shift for any company.

Increased use of AI and predictive analytics will improve the datacenter over the next few years
One of the most significant challenges that IT professionals continue to face is maintaining the environments they are responsible for and ensuring that those environments consistently deliver the business-critical solutions that their organisation requires. Customers no longer tolerate downtime, let alone data breaches. In 2020, we’ll see more organisations using AI and predictive, proactive management to better anticipate, safeguard against and prevent potential threat vectors ahead of time.
    November 05, 2019
    Chris DeRamus
    CTO and co-founder
    DivvyCloud
Cloud misconfigurations will continue to cause massive data breaches. As enterprises continue to adopt cloud services across multiple cloud service providers in 2020, we will see a slew of data breaches caused by misconfigurations. Due to the pressure to go big and go fast, developers often bypass security in the name of innovation. All too often this leads to data exposure on a massive scale such as the First American Financial Corporation’s breach of over 885 million mortgage records in May. Companies believe they are faced with a lose-lose choice: either innovate in the cloud and accept the risk of suffering a data breach, or play it safe with existing on-premise infrastructure and lose out to more agile and modern competitors. In reality, companies can accelerate innovation without loss of control in the cloud. They can do this by leveraging automated security tools that give organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real-time. Automation also grants enterprises the ability to enforce policy, provide governance, impose compliance, and provide a framework for the processes everyone in the organization should follow—all on a continuous, consistent basis. Companies can innovate while maintaining security, they simply must adopt the proper cloud strategies and solutions.
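The detect-and-remediate loop described in the post above, as an added example that is not the author's or DivvyCloud's code: a small policy-as-code pass over bucket records constructed to mirror the shape of S3 API responses (`GetBucketAcl`, `GetBucketPolicy`, `GetPublicAccessBlock`, `GetBucketEncryption`). The bucket names, account id, role and grants are made up, nothing calls a cloud API, and `remediate` shows the corrected state an automated fix would push back; the four checks (public ACL grant, wildcard-principal policy statement without a condition, incomplete Block Public Access, no default encryption) are the ones this editor would start with, not a list from the article.

```python
"""Policy-as-code checks for the bucket misconfigurations behind mass exposures.

Added example, not from the article or from DivvyCloud. The records in
INVENTORY are constructed to mirror the shape of S3 API responses
(GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock, GetBucketEncryption);
nothing here talks to a cloud provider, so it runs offline.
"""
import copy
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed inventory (fake names, fake account id); one exposed bucket, one sound one.
INVENTORY = [
    {
        "name": "mortgage-docs-archive",
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::mortgage-docs-archive/*"}]}),
        "public_access_block": None,
        "encryption": None,
    },
    {
        "name": "internal-logs",
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-writer"},
             "Action": "s3:PutObject", "Resource": "arn:aws:s3:::internal-logs/*"}]}),
        "public_access_block": {k: True for k in PAB_KEYS},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    },
]


def public_acl_grants(acl):
    """ACL grants to the predefined AllUsers / AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Allow statements open to anyone with no Condition block; accepts a JSON string or dict."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))
            and "Condition" not in s]


def public_access_block_complete(pab):
    return pab is not None and all(pab.get(k) is True for k in PAB_KEYS)


def evaluate(bucket):
    """Return the list of policy violations for one bucket record."""
    findings = []
    if public_acl_grants(bucket.get("acl", {})):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if public_policy_statements(bucket.get("policy")):
        findings.append("bucket policy allows a wildcard principal without conditions")
    if not public_access_block_complete(bucket.get("public_access_block")):
        findings.append("Block Public Access is not fully enabled")
    if not (bucket.get("encryption") or {}).get("Rules"):
        findings.append("no default server-side encryption configured")
    return findings


def remediate(bucket):
    """Corrected copy of the record: what an automated fix would write back (assumed defaults)."""
    fixed = copy.deepcopy(bucket)
    fixed["public_access_block"] = {k: True for k in PAB_KEYS}
    bad_grants = public_acl_grants(fixed.get("acl", {}))
    fixed["acl"] = {"Grants": [g for g in fixed.get("acl", {}).get("Grants", []) if g not in bad_grants]}
    doc = json.loads(fixed["policy"]) if fixed.get("policy") else {"Version": "2012-10-17", "Statement": []}
    stmts = doc.get("Statement", [])
    doc["Statement"] = [s for s in ([stmts] if isinstance(stmts, dict) else stmts)
                        if s not in public_policy_statements(doc)]
    fixed["policy"] = json.dumps(doc)
    if not (fixed.get("encryption") or {}).get("Rules"):
        fixed["encryption"] = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    return fixed


def audit(inventory):
    """Map bucket name -> findings, the report an alerting step would consume."""
    return {b["name"]: evaluate(b) for b in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings or "OK")
```

Block Public Access, when fully enabled, already neutralises a public ACL or policy, but the audit still reports them so that the underlying grant gets removed rather than masked; continuous scanning means running `audit` on every inventory refresh and feeding non-empty results to an alert or to `remediate`.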
    January 06, 2020
    Sivan Nir
    Senior Analyst
    Skybox Security Research Lab
‘Two can play at that game’ – both security teams and cyber adversaries harness AI and automation
It is not just security teams that will deploy AI and automation next year. As cybercriminals continue to become increasingly organised, their use of technology also grows more sophisticated. Some of the same tools used by cybersecurity teams to stave off attacks will also be used by black hat hackers as they attempt to create new attack vectors and tailor social engineering attacks. Expect to see a continuous arms race take place between cybersecurity teams and cybercriminals. As criminal intelligence increases, the protections required to combat attacks need to also improve. Faced with stretched resources, there will be mounting pressure in 2020 for the CISO to make smart investments in cybersecurity and automation that will help them to combat increasingly sophisticated criminal attacks.

5G and growth of IoT will expand the attack surface
5G will bring businesses numerous benefits including speed and connectivity. This will, inevitably, lead to greater investment in internet-connected devices and the growth of IoT across both the business and consumer landscape. However, this will also mean the development of a wider attack surface. Knowing how insecure IoT devices can be, this is something that businesses need to be particularly attuned to. It’s critical that they are able to ensure that the security surrounding any new investment is watertight, and they need to have visibility over their expanded, and increasingly fragmented, attack surface. If they don’t, they will be opening themselves up to a greater number of attacks.

Phishing attacks will rise in popularity
In 2020, we’re likely to see phishing attacks rise in popularity. Right now, we’re seeing an increase of these kinds of attacks on SMS, social media platforms and gaming sites as criminals attempt to widen the diversity of their phishing portfolio.

Public sector organisations brace for impact
Public sector infrastructure attacks are highly likely to increase in volume and severity in 2020. There are two main reasons for this. First, these are very attractive targets for malicious actors, particularly those acting on behalf of a nation state. And second, they’re an easy target. The technology used within public sector networks is notorious for being outdated, outmoded and difficult, if not impossible, to patch. A 2019 NCSC report, Active Cyber Defence, found that over 318 public sector networks still use Windows XP despite the fact that Microsoft pulled almost all support for it in 2014. As Windows withdraws support for Windows 7 in January 2020, the number of unsupported devices within the public sector will no doubt soar.
    December 21, 2019
    Josh Bohls
    Founder
    Inkscreen
A world leader's mobile phone will be hacked and his or her personal photos and videos will be released to the world, exposing some embarrassing situations and potential risks to national security. Another prediction: when it comes to mobile security, and especially images and media security, we can expect the worst. Everything anyone does on a connected device is likely to be tracked, copied, monitored, and stored. Chalk it up to bad actors, lazy developers, insidious business models, lax data privacy standards - it doesn't really matter any more. Organizations are better off expecting mobile data and internet traffic to be accessed, and then it's their responsibility to be aware of what their employees and stakeholders do and share online. In 2020, we’ll see enterprise and government customers begin to get serious about protecting media such as photos and videos on employee mobile devices, both to ensure employee privacy for personal data, and for compliance and governance over corporate data.
    November 28, 2019
    Steve Wood
    Chief Product Officer
    Dell Boomi
Companies will rely more on metadata than data to provide insights
Overzealous data analyses have brought many companies face to face with privacy lawsuits from consumers and governments alike, which in turn has led to even stricter data governance laws. Understandably concerned about making similar mistakes, businesses will begin turning to metadata for insights in 2020, rather than analyzing actual data. By harvesting data’s attributes — including its movement, volume, naming conventions and other properties — companies will give indications of concerns around accessing PII and other sensitive information. Metadata lends itself well to data privacy, and with the correct machine learning and artificial intelligence modeling can still provide critical information to the C-suite such as lead generation changes, third-party data access, potential breaches and more.
    December 04, 2020
    Anthony Chadd
    Global SVP
    Neustar
Late last year, we saw a dramatic increase in the number of small-scale DDoS attacks against the enterprise. Often flying under the radar of detection and mitigation tools, these smaller and more carefully targeted incursions marked a change to the threat landscape. In 2021, however, we will see the return of the big attacks – those that are more significant in volume, intensity and scale. While these larger DDoS attacks have been around for decades, they are happening in greater numbers than ever before. Comparing the number of attacks by size from January – June 2020 with the number of attacks in the same time period in 2019, the category that grew the most featured attacks of 100 gigabits per second or more. Average attack size also increased, as did severity, with an 81% increase in maximum intensity year-on-year. Next year, we can expect this trend to not only continue, but amplify, with cybercriminals seeking to wreak havoc on organisations by deploying large-scale DDoS attacks to overload networks and cause lasting disruption.
    December 04, 2020
    Rodney Joffe
    SVP and Fellow
    Neustar
Over the last year, we have seen governments around the world re-evaluate the security of the 5G supply chain. This has led to a mismatch of solutions – ranging from a complete ban on the use of Huawei and ZTE equipment in some cases, to government funding for research and development of alternative 5G technology. First mover deployment, however, is proving to have created an almost insurmountable lead which will be difficult to start reversing in 2021. Additionally, with significant subsidies provided by China’s government and pricing pressures as we face the post Covid-19 recession, Huawei is likely to retain a major advantage even in countries where governments are attempting to prohibit its platforms. In the UK, for example, whilst no new Huawei kit is to be added to the network from January 2021, the planned removal of all Huawei technologies by 2027 is unlikely to be fully completed in that timescale. As a result, organisations need to work from the assumption that the 5G infrastructure is ‘compromised by design’ and develop methodologies to establish security and encryption outside of the boundaries of the 5G infrastructure. Put simply, organisations should avoid using 5G equipment to generate secure sessions for the foreseeable future.