We asked some experts for their 2020 cyber security predictions. They told us to look out for ransomware, election security, 5G, IoT, regulations, and more.
Last month, we asked experts about the biggest cyber security threats for 2020. This month we wanted to hear their cyber security predictions for 2020: new trends, new paradigms, and new themes to watch out for as the year progresses.
🤔What will be the biggest cyber #security story in 2020? 🔎
— Synopsys Software Integrity (@SW_Integrity) December 13, 2019
Changing role of the CISO
One of the biggest cybersecurity stories in 2020 will be the changing role of the CISO. The imbalance of their work-life will continue to worsen and the role will need to change to meet the demands of the modern cyberscape; for example becoming more of a strategic resource for the business on mitigating risk and facilitating business transformation safely.
This will be easier said than done as the majority of CISOs feel that while their work is appreciated by senior management teams, it is still yet to be seen as strategically valuable. Given the broader focus of senior business leaders to drive revenues and protect brand, cyber security is still not widely accepted as a strategic function. Only around half of CISOs feel executive teams value the security team from a revenue and brand protection standpoint and unfortunately almost 20% believe their board is indifferent to the security team, or sees them as an inconvenience. This perception will continue to have a tangible impact on the role of the CISO, potentially leading to more churn within the role and creating bigger gaps in security knowledge and coverage across the industry.
—Stuart Reed, VP of cyber security, Nominet
Election security will be the biggest story, but it won’t be the big issue. By far.
— Paul Petersen (@AZPaulPete) December 19, 2019
Broader IT landscape, wider security gaps
Cybersecurity is poised to continue as an even hotter topic in 2020, than it was in 2019. With an election year upon us, election security and protecting the integrity of our electoral systems will be front and center more than ever. However, I fully expect that the massively distributed IT reality we find ourselves in, with its explosion of unsecured exposure points will continue to dominate the daily headlines.
Businesses, government and consumers are all going to dealing with securing the proliferation of IoT devices, apps, the cloud, etc. as their anywhere, anytime needs continue to change the IT landscape. At the same time, this will highlight the cybersecurity business gap that exists—increasing risk, high costs and limited resources—as everyone strives to protect themselves. The search will be on for solutions that make the best use of real-time prevention, economies of scale, automation and machine learning and help better protect them from the unknown.
—Bill Conner, CEO, SonicWall
Ransomware on smartphones?
In 2020 we may see the first major ransomware attacks on smartphones. If there are two things we know about hackers, it’s that they repeat successful attacks, and they’re always on the lookout for new targets. Mobile devices fall into that second group. Historically we’ve seen phishing attempts through text messages, but as people continue to shift from traditional computers to smartphones, these devices will become an irresistible target for ransomware attacks. In the case of local, city and county-level governments, hackers took advantage of vulnerabilities in Windows computers running unsupported, outdated or unpatched software. It’s this same combination of factors—outdated and unpatched systems coupled with pressure to restore service quickly—can apply to smartphones, too.
With Google facing an uphill battle against OS fragmentation (and its stance to only support software updates for three years), many Android smartphones are being left unsupported with older software and less frequent security patches. This is a headache for IT teams simply from an application compatibility perspective, but this is increasingly leaving organizations exposed to vulnerabilities that hackers can and will exploit to deliver ransomware. With so much data on our mobile devices, there is a great likelihood that we will be willing to pay a ransom to recover that data or pay simply to prevent an embarrassing leak. This combination of increased vulnerability and stronger incentive to pay will lead attackers to launch widespread mobile ransomware attacks in 2020.
—Joel Windels, CMO, NetMotion Software
Ransomware. Seems to be an issue in Louisiana the past couple of months.
— Chris Hubbell (@Hubbell629) December 16, 2019
Year of encryption: Compliance, governments, and personal protection
2020 will be the “year of encryption.” In 2020, national and international dialogue about encryption—from a business, policy, and consumer standpoint—will reach a crescendo.
Businesses are stepping up their strategies to ensure compliance with the 2020 California Consumer Privacy Act, and organizations with an international presence have a continued eye on complying with GDPR and determining how Brexit will impact existing rules and regulations governing the storing and sharing of sensitive data.
In the U.S., lawmakers on Capitol Hill have re-energized a push for encryption backdoors, an initiative that is seeing bipartisan support. Internationally, the UK and Australian governments (in addition to the U.S. government) are pressuring Facebook to scrap plans for end-to-end encryption of Facebook Messenger.
Consumers, meanwhile, want more control and privacy over their data yet are often left confused about what that really means—and how to make it a reality. Also factoring into the encryption conversation is the protection of voter information leading up to the U.S election and advancements in facial recognition software.
While encryption may never be a water cooler topic of conversation a la “Game of Thrones,” it will be more readily understood, discussed, and debated in 2020 than ever before.
—Peter Galvin, VP strategy and marketing, nCipher Security
Internet of Things (boosted by 5G)
With the continued developments in IoT and 5G, increasingly more common-use devices will be connected to the Internet, from light bulbs to vehicles. This will give rise to new forms of security intrusions as well as privacy challenges for both organizations and people. Companies need to figure out innovative ways to counter them before the harm is done. 2020 will bring some changes in the way organizations think about and deal with both the privacy policies and with their usually understaffed cybersecurity teams.
—Lucas Roh, CEO, Bigstep
The adoption of 5G will enable a massive increase in connected devices. With this influx of IoT devices like sensors, monitors and data collectors our global data volumes will rapidly increase. With this the need to protect these networks and the sensitive data that resides on them will require a more focused approach to IoT security.
—Jason Albuquerque, CISO/CIO, Carousel Industries
The Internet of Things provided by 5G is the key to the total surveillance State. That’s why they’re in such a hurry to implement it before anyone can really object.
— Cranky Cracker (@Imransgoat) December 16, 2019
More regulation, more fines
As we look to what will change in the year to come, California’s SB-327 IoT bill will take effect on Jan. 1, 2020, requiring manufacturers to build reasonable security into their connected devices. This is a step in the right direction as it will establish minimum standards and improve the security of IoT devices available in the market.
I anticipate there will be more legislative activity in 2020, especially in the U.S. The California Consumer Privacy Act will also take effect on Jan. 1, 2020. I expect more states to follow suit. If done properly, regulations will bring about the accountability needed to improve the overall state of cyber security.
We saw several high-profile GDPR-related lawsuits, fines, and settlements in 2019. I wouldn’t be at all surprised to see more of these hit the headlines in the coming year.
—Asma Zubair, senior manager, IAST product management, Synopsys
Botnets and credential stuffing
This year saw credential stuffing attempts multiply considerably, and 2020 shows absolutely no slowdown in sight. Unfortunately, it’s become easy and cheap for bad actors to quickly rotate the IP addresses used in a credential stuffing attack, causing significant stress on IT resources and potential brand damage.
Getting access to breached passwords is the first step for attackers, and unfortunately, there are billions openly available on the internet for purchase. Breached credentials, in combination with 65% of people reusing passwords across accounts enables hackers to architect botnets—networks of exploited devices—to direct large-scale attacks in a coordinated manner.
2020 will see the proliferation of “botnets-for-hire” where services are traded among hackers, even rented for nominal fees for use in widespread attacks. With the proliferation of subscription-based services, the reward is significant for hackers. If they manage to find 0.1% of the credentials that work, out of the two billion breached passwords out there, there are already a lot of accounts (Netflix, Spotify, many others) they can sell in the black market for half the price of the subscription.
—Matias Woloski, CTO and co-founder, Auth0
Securing APIs against leaks and attacks
Protecting APIs will be top of mind in 2020. The primary reason for this is that they have become one of the top targets for attackers given the amount of sensitive business applications they power and customer data they provide access to. We’ve seen an increasing number of attacks and breaches in recent years be through APIs, with attackers especially focusing on credential stuffing attacks to try to perform account takeovers of customer accounts.
Another style of attack vastly increasing on APIs is attackers attempting to brute force different identifiers to obtain access to sensitive financial, communication, or account data of customer accounts. As we see enterprises continue to shift from legacy style applications to modern mobile apps and services delivered by APIs, the security of those APIs will be top of mind for security professionals.
—Zane Lackey, co-founder and CSO, Signal Sciences