As we charge into the third decade of the 21st century, it’s time to ask: so what will happen next with cybersecurity? We reached out to 100+ cybersecurity experts with diverse backgrounds for their predictions and below are the responses. This is the most comprehensive post predicting the Cybersecurity landscape in 2020.
Experts Comments
Steve Morgan
December 02, 2019
Founder of Cybersecurity Ventures and Editor-in-Chief at Cybercrime Magazine
Cybersecurity Ventures
Cybersecurity Facts, Figures, Predictions and Statistics: The Next 5 Years
Looking ahead... the latest facts, figures, predictions, and statistics from Cybersecurity Ventures. See more at CybersecurityVentures.com -
There will be 3.5 million unfilled cybersecurity jobs by 2021 — enough to fill 50 NFL stadiums — according to Cybersecurity Ventures. This is up from Cisco’s previous estimation of 1 million cybersecurity openings in 2014. The cybersecurity unemployment rate is at zero percent in 2019, where it’s been since 2011.
Cybersecurity Ventures predicts that.....Read More
The Dark Side of 2020
Sadly, what we have encountered thus far in the world of Cyber Insecurity in 2019, I expect 2020 will see as continuance successful Hacks and Security Breaches still happening on a Global Scale, alongside a GDPR vision which is yet to grow real teeth. I am also having expectations that the role of the CISO will remain extant, notwithstanding some organizations are reviewing what this position should represent in 'real' operational terms.
I am also conscious from past visits, that event such .....Read More
IBM has developed an interesting proof of concept strain that researchers are learning from.
There are two major developments I see influencing the cybersecurity landscape in 2020 – one that is already causing headaches for security professionals and even governments, and another that is (at the time of writing at least) purely theoretical. Mozilla and Google have recently implemented DNS over HTTPS (DoH) in their Firefox and Chrome browsers. DoH transfers domain-name queries over secure HTTPS servers to DNS servers, preventing third parties (both malicious and benevolent) from seeing .....Read More
In 2020, expect mindful organizations to begin hiring Board members that bring experience in risk management.
The emergence of the “cyber savvy” board:
Accountability for cyber and risk incidents moves up the organizational hierarchy and becomes a central issue for the CISO, C-Suite and Board of Directors. In 2020, expect mindful organizations to begin hiring Board members that bring experience in risk management and information security as a way to prepare the business for a digital future. Gradually, this will become a “new normal” for the enterprise as investors pressure leadership for clear.....Read More
Prioritising highly-automated security solutions that cover multiple environments will increase visibility.
Within the Deep and Dark Web, ransomware attacks are expected to continue in 2020. This year, my team and I came across an increasing number of threat actors selling ransomware, ransomware-as-a-service, and ransomware tutorials. Underground products and services like these enable malicious threat actors who are not technically savvy to enter the game.
Threat actors will continue exploring new methods to monetise compromised IoT devices, beyond IoT botnets and IoT-based VPNs, due to the.....Read More
We will see an increase in IoT hacks that target critical infrastructure.
1) MFA strategies will shift to passwordless logins eliminating the misuse of shared secrets
Many of the data breaches occurring today can be directly linked to passwords and the information used to reset them. Hackers are scraping user data for “shared secrets” that will allow them to bypass verification questions. Think: simple and re-used passwords, mother’s maiden name, high school mascot, etc.
Companies who recognize this will transform their systems and protocols to eliminate.....Read More
Healthcare will also be an attractive sector for hackers due to its high potential gains.
More Cyber Damage for Local / State Government Entities, Schools; Less for Healthcare:
2019 was a great year for cyber crooks successfully targeting municipalities, schools and universities worldwide with ransomware and spear phishing attacks. As these organizations have proven easy targets, a rise in campaigns is expected in 2020. Healthcare will also be an attractive sector for hackers due to its high potential gains however many in this sector are now investing substantial work and.....Read More
In 2020, one or both of our political parties will claim a hack influenced the elections to delegitimize the results.
Ransomware Will Evolve from Smash & Grab to Sit & Wait:
Ransomware isn’t the most pervasive or common threat, it’s simply the noisiest. In 2020 attacks will become more targeted and sophisticated. Hackers will pivot from spray-and-pray tactics. They will instead linger on networks and hone in on the most valuable data to encrypt. Imagine an attacker that encrypts investor information before a publicly traded bank announces earnings. This is the type of ransomware attack I expect we’ll.....Read More
People learn differently.
All companies face the challenge of security awareness among employees, contractors, and customers. Without support from all users, technological efforts will be hampered in their effectiveness.
Security awareness isn’t just about teaching employees what to do with phishing emails – there’s so much more, including developing products with security in mind.
Multi-directional communication is extremely important in a security program, meaning working from the top-down, bottom-up, and.....Read More
A potential DDoS attack may be distributed via an innocent-looking app on the Play.
5G to drive Botnet DDoS attacks:
2020 will be the year of 5G, bringing with it not only faster speeds and bandwidth capabilities to our mobile devices, but also making them highly coveted targets by DDoS attackers. While mobile devices have always been targeted by financial or personal data thieves, 5G's increased bandwidth allows attackers to take control over a relatively small number of mobile handsets and unleash a tremendous amount of damage. A potential DDoS attack may be distributed.....Read More
Leaders will shift their focus in 2020
In light of the ever growing cybersecurity skills gap, and an exploding attack surface, infosec leaders will shift their focus from increasing headcount to increasing efficiency. By prioritizing tasks based on risk, solving the most impactful issues first, CISOs can ensure that even a small team can have maximum possible impact.
Organizations need to test their applications throughout the development process.
In 2020, we know that attackers will continue to exploit all applications, end-points, and networks they possibly can. This includes, but isn’t limited to, web and mobile apps (internal or external), IoT devices in smart homes, and even the 5G network as it is being rolled out. Attackers will also continue to use the latest and greatest technologies (be it in machine learning, AI, or open source components that are freely available) to carry out ever-more sophisticated attacks at even greater .....Read More
Continuous monitoring of your third-party risk may be one of the few ways to mitigate the financial impact of those breaches.
1. Forecasting cloudy days
Organisations seeking to retain their competitive edge will be accelerating their digital transformation strategies from “cloud first” to “cloud only” over the next few years. According to Gartner, the worldwide Infrastructure-as-a-Service (IaaS) public cloud market grew 31.3% in 2018 while the overarching cloud services industry grew 17.5%. More than a third of polled organisations listed cloud services as one of their top three technology investment.....Read More
Because of the amount of major credential breaches being reported on in the mainstream press.
In 2020, there’s no doubt that phishing and ransomware will continue to evolve and be the number one threat to businesses, as attackers are always looking for – and exploiting – new attack vectors. Whilst there may be headline grabbing attacks on connected vehicles, TVs etc, phishing and ransomware are still the primary revenues for cyber-criminal gangs, and users will still be blasé about security.
Because of the amount of major credential breaches being reported on in the mainstream.....Read More
Unfortunately, any technology used for better cyber defense can also be applied by cyber attackers.
Businesses will take steps to protect themselves against the inevitable
Over the past few years, businesses have started to take a more proactive approach when it comes to cybersecurity. However, there is still more that can be done and 2020 will be a key year for this adjustment.
In 2020, the majority of businesses will accept an uncomfortable reality – a security breach is inevitable. This is not security fatalism, but security realism. The perimeter is gone. CEOs, CIOs and CISOs must .....Read More
The media is replete with stories regarding insider threats posed by our acknowledged adversaries and some “uneasy” allies.
Governments such as China, Russia – and as seen more recently with Saudi Arabia’s recruitment of a Twitter employee – will continue to pose counterintelligence (i.e., insider) threats to corporate America and our allies. The media is replete with stories regarding insider threats posed by our acknowledged adversaries and some “uneasy” allies. There is no return on investment to spend millions of dollars in time, money and effort to cyber access to a network when an intelligence.....Read More
Microtargeting of companies using industry-specific tools to rise in 2020
Throughout 2019, eSentire has observed numerous instances of mid-sized organizations being targeted using tools specific to their industry, and this approach will continue into 2020. Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe, to access to stores.....Read More
Due to the continued skill gap present in the industry, organisations will move to adopt AI and behavioural analytics.
As new technology emerges and in the face of the ever-widening skills gap, organisations will need to adapt security processes…
“As 5G technologies begin to roll out, the pace in which we see breaches occur will accelerate. To combat this, organisations will need to refocus on driving security integrations across the business, moving to a centralised environment. Due to the continued skill gap present in the industry, organisations will move to adopt AI and behavioural analytics which.....Read More
In 2020 may we expect to see off the 'password-less' hype.
Assume that the password is removed from cyber security. Then digital identity platforms would have only two authenticators - physical tokens and biometrics.
Biometrics by its nature requires a fallback measure against false rejection/non-match, and only the physical token could be the fallback measure for biometrics in this 'password-less' situation. Here we have only two scenarios.
(1) authentication by a physical token,.....Read More
2FA is dead. Long live MFA.
Companies are subject to various data security and data privacy regulations.
New terminology coming:
One term many technology professionals in the U.S. will all be hearing a lot is “DSAR.” What is a DSAR? A DSAR is a “Data Subject Access Request.” It is the act, from a consumer to an organization, requesting the details of how their personal data is being used within that organization. Additional requests from DSARs could be made to delete their data, or to disallow the sale of their data. Technology professionals can look within their organization today.....Read More
A combination of training, assessments and a structured process is being implemented to manage the human factors.
In 2020, the use of the term security culture will continue to increase as more organizations understand what it takes to reduce risk and manage security in their workforce. A combination of training, assessments and a structured process is being implemented to manage the human factors that influence security.
2020 Will be the Beginning of the End of Passwords.
Consumers already log in to dozens of protected resources everyday: from email, banking and financial accounts, social media, healthcare, government accounts, and beyond. Even when tools like TouchID are leveraged each of these resources currently still have an associated username and password that can be attacked. To save time and remember their credentials for all these sites, consumers reuse the same username and password across several sites. As a result, the user’s exposure from any one.....Read More
The event will serve as a call-to-action for security and risk teams to evaluate how their IT teams are patching systems together.
The API house of cards will start to tumble
Many organisations have stitched together a fragile network of legacy systems via API connections to help better serve customers and improve efficiency. A security incident in the New Year will disrupt the patchwork of connections and it will lead to major outages. The event will serve as a call-to-action for security and risk teams to evaluate how their IT teams are patching systems together.
The security of cryptocurrencies rests on safeguarding users’ private keys.
The rise of cyber-attacks in the crypto-sphere
The security of cryptocurrencies rests on safeguarding users’ private keys, leaving the ‘keys to kingdom’ accessible to anyone who fails to adequately protect them. Cybercriminals usually follow the money, so expect that cryptocurrencies will be at or near the top of attacker’s wish lists in 2020.
Companies have a responsibility to stop the broader implications of fraud.
Companies will own up to their responsibility for safety.
The case for why companies should protect consumer data is clear: companies lose less money and consumer information is safe from predators. But in the event of a data breach, what many people don’t consider is that once their data is stolen, it is often made available for the highest bidder on the dark web. And, in some cases, this personal data is used to fund some of the most heinous of crimes—from terrorist organizations to drug .....Read More
50% of enterprises using mobile authentication will adopt it as their primary verification method before the decade closes.
Whelp, it’s almost 2020. Some technology has exceeded expectations and others, well, not so much.
Five years ago, we should’ve had widely available hoverboards, self-drying and fitting jackets, and flying cars. Hanna-Barbera promised a cutting-edge, underwater research lab; thankfully, we still have 42 years to chase the Jetsons. Despite many of our wildest technology expectations failing to live up, the last decade of identity and access management development has yet to let us down......Read More
ERP transactions have traditionally been available (only) behind corporate firewalls.
Enterprises can expect the trend of increased data breaches in ERP systems to continue to rise in 2020. Since ERP was first designed as an application product, ERP systems cannot evolve alongside an organization's ever growing IT environment and are unable to integrate with advanced security initiatives. It is and will remain very challenging to keep ERP systems up-to-date and due to the business criticality of these applications, enterprises are wary of switching them out entirely. In order.....Read More
Looking at the global political situation, nation-state attackers are also likely to make some headlines next year.
What will be the top five cybersecurity threats to businesses in 2020? Will ransomware and BEC attacks still be the biggest threats or will any new ones come to light?
Supply chain attacks are a constantly developing threat. Although overall, they seem limited to more advanced and determined adversaries, the risk is evolving. What to do when you struggle to catch the big fish? Poison its bait! Target a supplier that has far less security control in place and from that ‘island’ you can jump .....Read More
It's not like you can configure your security solution (firewalls, IPS, DLP etc) to block these transactions.
BEC impacts finance teams more than IT, so there are few, if any, controls in place to identify and stop this fraudulent activity. It's not like you can configure your security solution (firewalls, IPS, DLP etc) to block these transactions. BEC traverses boundaries and becomes part of the fraud team’s work (if there even is a fraud team in the organization). For these reasons, BEC attacks will be on the rise in 2020.
Traditionally, enterprise infrastructures have been centralized around their own, on premises data centre.
Traditionally, enterprise infrastructures have been centralized around their own, on premises data centre. This has made securing their environments somewhat less complex, as organizations could effectively manage all of their internal workloads in one place.
But if you’ve read anything about IT management over the past decade, it’s clear that this traditional network architecture is evolving. It’s transitioning toward a decentralized model where enterprises can tap cloud providers, SaaS .....Read More
In 2019 we started to see a significant increase in the number of attacks on managed service providers.
In 2019 we started to see a significant increase in the number of attacks on managed service providers, with 74 percent of MSPs suffering a cyberattack, and 83 percent reporting that their SMB customers suffered one as well. While this pattern will not be new in 2020, the exponential growth in this method of attack, as well as the accountability of the service provider, is something we expect will continue in the next year. As cybercrime continues to evolve and become more complex, it will be.....Read More
Defense will soon be requiring all of its domains to enforce DMARC.
DMARC adoption will grow across industries.
We’ll see a continued increase in Domain-based Message Authentication, Reporting and Conformance (DMARC) adoption. DMARC is a vendor-neutral authentication protocol that allows email domain owners to protect their domain from spoofing, and the number of domains using it has grown 5x in the last 3 years. We’ll see increased growth across several verticals in 2020 - especially healthcare and government. Following the lead of the federal.....Read More
One technique that will continue to gain traction in 2020 is lateral phishing.
Threat actors are always enhancing their current tactics, techniques, and procedures (TTPs) as well as creating new ones in order to infiltrate businesses and steal data, implant ransomware, and more. One technique that will continue to gain traction in 2020 is lateral phishing. This scheme involves a threat actor launching a phishing attack from a corporate email address that was already previously compromised. Even the savviest security-minded folks can be lulled into a false sense of.....Read More
So while boards might perceive cyber security impacts like the loss of data, forensics costs or GDPR fines.
Looking forward to 2020, one of the biggest risks to organisations is that they fail to understand the link between cyber security and reputation. Nowadays, we see a public much less inclined to stand for mistakes and social media channels that can quickly become filled with indignation, vitriol, complaints and dissatisfaction. So while boards might perceive cyber security impacts like the loss of data, forensics costs or GDPR fines - a breach that hits the headlines AND captures the public on .....Read More
Automation features were ‘nice-to-have’ in the past.
On automation:
“Automation will become critical for businesses to secure websites, connected devices, applications, and the digital identities that are critical to preventing crippling and costly attacks. Ransomware attacks, data breaches, and email impersonation continue to increase as cybercriminals become more sophisticated, making it imperative to eliminate the potential for human error in cybersecurity operations. Functions that require human intervention and are laborious and.....Read More
The Masad Stealer attack, reported by Juniper Threat Labs in late 2019.
Any threat that costs money, and especially where it affects public money (government and healthcare) will remain newsworthy. We’ll see more attacks using common vectors, such as phishing, download via malvertising, etc., but also attacks that use old methods with new vectors. The Masad Stealer attack, reported by Juniper Threat Labs in late 2019, is a good example of this, where data (and money) was stolen via malware injected into a used and respected piece of software.
As energy facilities continue to be targeted for cyber attacks.
As energy facilities continue to be targeted for cyber attacks, the need for Operation Technology (OT) departments and Information Technology (IT) to collaboratively solve the cybersecurity issues will be of increased importance for organizations. They will need to collaborate with their own corporate Security Operations Center (SOC) or utilize virtual SOCs to continually monitor their SCADA or DCS networks monitoring network activity and assets connecting and disconnecting from the networks.
Everyone knows they are the top two causes, but most of the world will not treat them like the top threats they are.
Social engineering and unpatched software will remain the top two root causes for successful exploits as they have been for over three decades. Everyone knows they are the top two causes, but most of the world will not treat them like the top threats they are. Instead, they will be mostly ignored or weakly mitigated while most of the world concentrates more resources on things less likely to happen.
For example, one-code repository improves the fundamentals around how quickly problems with dependencies are identified.
Supply chain vulnerabilities on the decline thanks to automation: There are several new automation technologies that automatically detect and fix security vulnerabilities in source code. For example, one-code repository improves the fundamentals around how quickly problems with dependencies are identified. Because of these improvements in the way security patches with open source code are automatically identified and remediated, in 2020, we’ll see fewer supply chain issues in code.
Less.....Read More
Recent research discovered nation-state based mobile cyber espionage activity across the Big 4.
Uncommon attack techniques will emerge in common software
Steganography, the process of hiding files in a different format, will grow in popularity as online blogs make it possible for threat actors to grasp the technique. Recent BlackBerry research found malicious payloads residing in WAV audio files, which have been utilised for decades and categorised as benign. Businesses will begin to recalibrate how legacy software is defined and treated and effectively invest in operational security.....Read More
Customers no longer tolerate downtime, let alone data breaches.
A new role will emerge in the organisation - Ransomware Attack Specialist
In 2020, I expect we’ll see the creation of a new role, the Ransomware Attack Specialist, and when something damaging happens, they will be the one in an organisation who is charged with leading teams to remediate the problem. Half the battle in solving a security problem is isolating it, but with overtaxed and stressed IT personnel and the back and forth required to make a plan, get it approved and determine the.....Read More
Misconfigurations will continue to plague organizations in 2020
Cloud misconfigurations will continue to cause massive data breaches. As enterprises continue to adopt cloud services across multiple cloud service providers in 2020, we will see a slew of data breaches caused by misconfigurations. Due to the pressure to go big and go fast, developers often bypass security in the name of innovation. All too often this leads to data exposure on a massive scale such as the First American Financial Corporation’s breach of over 885 million mortgage records in.....Read More
Expect to see a continuous arms race take place between cybersecurity teams and cybercriminals.
‘Two can play at that game’ – both security teams and cyber adversaries harness AI and automation
It is not just security teams that will deploy AI and automation next year. As cybercriminals continue to become increasingly organised, their use of technology also grows more sophisticated. Some of the same tools used by cybersecurity teams to stave off attacks will also be used by black hat hackers as they attempt to create new attack vectors and tailor social engineering attacks.
Expect.....Read More
Organizations are better off expecting mobile data and internet traffic to be accessed.
A world leader's mobile phone will be hacked and his or her personal photos and videos will be released to the world, exposing some embarrassing situations and potential risks to national security.
Another prediction: When it comes to mobile security and especially images and media security, we can expect the worst. Everything anyone does on a connected device is likely to be tracked, copied, monitored, and stored. Chalk it up to bad actors, lazy developers, insidious business models, lax.....Read More
Overzealous data analyses have brought many companies face to face with privacy lawsuits from consumers and governments alike.
Companies will rely more on metadata than data to provide insights
Overzealous data analyses have brought many companies face to face with privacy lawsuits from consumers and governments alike, which in turn has led to even stricter data governance laws. Understandably concerned about making similar mistakes, businesses will begin turning to metadata for insights in 2020, rather than analyzing actual data.
By harvesting data’s attributes — including its movement, volume, naming.....Read More
Comparing the number of attacks by size from January – June 2020 with the number of attacks in the same time period in 2019.
Late last year, we saw a dramatic increase in the number of small-scale DDoS attacks against the enterprise. Often flying under the radar of detection and mitigation tools, these smaller and more carefully targeted incursions marked a change to the threat landscape. In 2021, however, we will see the return of the big attacks – those that are more significant in volume, intensity and scale.
While these larger DDoS attacks have been around for decades, they are happening in greater numbers.....Read More
The big attacks are back.
Over the last year, we have seen governments around the world re-evaluate the security of the 5G supply chain. This has led to a mismatch of solutions – ranging from a complete ban on the use of Huawei and ZTE equipment in some cases, to government funding for research and development of alternative 5G technology.
First mover deployment, however, is proving to have created an almost insurmountable lead which will be difficult to start reversing in 2021. Additionally, with significant.....Read More
Expect to see a significant spike in 5G handsets this year, making the attack surface exponentially higher
Major 5G network deployments are expected in 2020, and the technology will create opportunities across many industries, but also will create increased threats from the cyber dark side. With the EU5 5G market is anticipated to show a triple-digit growth rate in the forecasted period 2019 – 2025 (ResearchAndMarkets.com), enterprises looking at 5G present security problems with disparate.....Read More