2020 Cybersecurity Predictions by 50+ Industry Leaders

As part of our expert comments series, experts from diverse backgrounds have commented below on cybersecurity predictions for 2020. This is a live post and will be updated as we receive comments from the experts.


EXPERT COMMENTS
Steve Morgan, Editor-in-Chief, Cybersecurity Ventures
December 02, 2019
Cybersecurity Facts, Figures, Predictions and Statistics: The Next 5 Years
Looking ahead... the latest facts, figures, predictions, and statistics from Cybersecurity Ventures. See more at CybersecurityVentures.com.

There will be 3.5 million unfilled cybersecurity jobs by 2021 — enough to fill 50 NFL stadiums — according to Cybersecurity Ventures. This is up from Cisco’s previous estimation of 1 million cybersecurity openings in 2014. The cybersecurity unemployment rate is at zero percent in 2019, where it’s been since 2011.

Cybersecurity Ventures predicts that cybercrime damages will cost the world $6 trillion annually by 2021 – exponentially more than the damage inflicted by natural disasters in a year, and more profitable than the global trade of all major illegal drugs combined. Ransomware damage costs are predicted to be 57X more in 2021 than they were in 2015. This makes ransomware the fastest growing type of cybercrime. Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019, $5 billion in 2017, and just $325 million in 2015, according to Cybersecurity Ventures. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.

Global spending on security awareness training for employees — one of the fastest growing categories in the cybersecurity industry — is predicted to reach $10 billion by 2027, according to Cybersecurity Ventures (up from around $1 billion in 2014). Cybersecurity Ventures predicts that the total amount of data stored in the cloud — which includes public clouds operated by vendors and social media companies (think AWS, Twitter, Facebook, etc.), government-owned clouds that are accessible to citizens and businesses, and private clouds owned by mid-to-large-sized corporations — will be 100X greater in 2022 than it is today.

Despite promises from biometrics and facial recognition developers of a future with no more passwords — which may, in fact, come to pass at one point in the far-out future — a report from Cybersecurity Ventures finds that the world will need to cyber protect 300 billion passwords globally by 2020. There were nearly 4 billion Internet users in 2018 (nearly half of the world’s population of 7.7 billion), up from 2 billion in 2015. Cybersecurity Ventures predicts that there will be 6 billion Internet users by 2022 (75 percent of the projected world population of 8 billion) — and more than 7.5 billion Internet users by 2030 (90 percent of the projected world population of 8.5 billion, 6 years of age and older).

Ransomware attacks on healthcare organizations are predicted to quadruple between 2017 and 2020, and will grow to 5X by 2021, according to Cybersecurity Ventures. Cybersecurity Ventures predicts that the healthcare industry will spend more than $65 billion cumulatively on cybersecurity products and services from 2017 to 2021. Cybersecurity Ventures predicts that global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021 — and the cybersecurity market will continue growing by 12-15 percent year-over-year through 2021. Cybersecurity Ventures predicts that the global blockchain market will exceed $40 billion by 2025.

In 2019, Cybersecurity Ventures expects that Fortune 500 and Global 2000 chief information security officers (CISOs) will reduce the number of point security products/solutions in use at their corporations by 15-18 percent. That trend is expected to continue over the next 5 years. Cybersecurity Ventures predicts that 100 percent of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by 2021 (up from 70 percent in 2018), although many of them will be unfilled due to a lack of experienced candidates. Cybersecurity Ventures predicts that women will represent 20 percent of the global cybersecurity workforce by the end of 2019. This recalculates a 6-year-old figure based on a limited survey that concluded women held just 11 percent of cybersecurity positions.
Prof John Walker, Visiting Prof, NTU
November 20, 2019
The Dark Side of 2020
Sadly, given what we have encountered thus far in the world of cyber insecurity in 2019, I expect 2020 will see a continuance of successful hacks and security breaches on a global scale, alongside a GDPR vision which is yet to grow real teeth. I also expect that the role of the CISO will remain extant, notwithstanding that some organizations are reviewing what this position should represent in 'real' operational terms. I am also conscious from past visits that events such as Infosecurity will continue to look back at what has been, rather than embracing the predictability of what is awaiting us around the bend – the dangers of what I call the ‘Rear View Mirror Effect’. In 2019 I have seen OSINT employed in its adverse profile by hackers and criminal organizations to target and footprint the dark digital footprint of their intended victim or victims, to assure a higher than average hit rate for their criminal missions – whilst at the same time, I anticipate that the corporate world will still be devoid of understanding of the real threat posed by OSINT to their businesses and enterprises. I see this carrying on well into 2020. My last prediction is almost obvious: with the advent of the Greatest Show on Earth taking place on 20 October 2020 in Dubai, it makes an obvious target in both hacking and geopolitical profiles, and I have very high anticipation that such a golden, diamond-laden target will receive much adverse attention in the lead-up to, and during, the event!
Dave Weinstein, CSO, Claroty
December 07, 2019
Looking back at 2018, there were more high-profile attacks that year than 2019.
From a threat perspective, I expect to see a continuum from 2019 into 2020, as it is getting easier for hackers to attack these systems because they’re more exposed to the public internet. Not just nation state hackers, but criminal hackers who are financially motivated. Looking back at 2018, there were more high-profile attacks that year than 2019. We saw no more than 12 high profile attacks in 2019. The number of attacks is declining compared to the Stuxnet worm in 2010, and the 2015 cyber attack on the Ukraine power grid. Security is improving and hackers have better things to do than target power grids. Nation states are being more selective and becoming better at covering their tracks. What we see reported in the media is the tip of the iceberg and isn’t indicative of current trends because it’s a small sample size. Governments can only see so much because organisations are privately monitored, and the companies monitoring them are not at liberty to discuss what they observe on their networks. As end users start to adopt basic monitoring solutions for OT networks, there’s going to be more malicious activity. The greatest threats are likely to be already operating undetected on enterprise and critical infrastructure networks at the moment. Nation states will only make their presence known on a network depending on geopolitical tensions/when they want to.

Geopolitical. I expect to see Iran increasing its aggression in cyber space and holding more US critical infrastructure at risk in the event of geopolitical tensions. Nations with inferior conventional arsenals will turn to asymmetric cyber capabilities as a way of responding to physical force. We saw an example of this earlier this year when the US allegedly carried out a cyber attack on Iran in retaliation for Iran bringing down a US drone.

The ‘I’ in CISO will start to disappear for companies with big industrial footprints. As IT and OT begin to be viewed as one, enterprises need to govern and secure them accordingly. Unless you’re a bank, the idea of being a CISO is going to become a thing of the past. The CISO is gaining responsibility for OT and as a result the role will be more than taking responsibility for securing information; they will have all the OT security responsibility too. Wherever there’s technology, it needs to be secured.

No downtime. Last year I predicted that there would be no hours of electrical downtime as a result of a cyber attack worldwide. As far as I know that is true and I would predict that the same will be true again for 2020. The electric sector is at enormous risk due to its vulnerable nature, and I expect it will continue to be targeted throughout 2020; however, I would predict that no customers will lose power for any period of time as a result of a cyber attack. As an example, a utility in Salt Lake City suffered a cyber attack earlier this year – the first official attack on a utility – and nobody lost power.

OT targeted ransomware. It’s a fair prediction to make for 2020 that we will see an increase in ransomware spilling over from the IT network into the OT environment. If I were a CISO at a manufacturing facility, I’d be worried about that. If IT and OT networks are unsegmented, then an attack on IT could easily spill into the OT environment too. Implications could be worse for OT than IT as the OT network cannot restore a production line in the same way as IT can restore to the last backup. Businesses need to consider how much downtime they are willing to take to avoid paying a ransom.

5G. More things will be connected, which equals a greater attack surface; for example, smart cities and buildings are increasing in number. 5G connectivity will expose legacy systems in cities, enabling connections to new threats as well as an increase in new connected buildings and factories running off the same infrastructure. 5G is going to expand the scope of OT security in the same way as IT/OT convergence exposed manufacturing plants and factories to threats. 5G opens the aperture to common everyday use cases that affect the public at large.

Cloud. With the rush to the cloud, I’d expect to see an increase in the ability to pool customer OT data and identify emerging threats more quickly, and not being reliant on manual updates to be protected against known threats.
Tom Mowatt, Managing Director, Tools4ever
December 07, 2019
50% of enterprises using mobile authentication will adopt it as their primary verification method before the decade closes.
Whelp, it’s almost 2020. Some technology has exceeded expectations and others, well, not so much. Five years ago, we should’ve had widely available hoverboards, self-drying and self-fitting jackets, and flying cars. Hanna-Barbera promised a cutting-edge, underwater research lab; thankfully, we still have 42 years to chase the Jetsons. Despite many of our wildest technology expectations going unmet, the last decade of identity and access management development has yet to let us down. Hoping that our 2020 predictions remain accurate in hindsight, we expect the continued proliferation of IAM cloud capability and integrations to keep transforming enterprise technology and the way we do business.

SSO protocols will steadily decrease the need for unique accounts and credentials for every resource – as such, Active Directory should watch its back. With the adoption of SAML, OAuth 2.0, OpenID and more protocols, consumers have begun to see a drastic reduction in the number of unique accounts and credentials they must use to log in to various websites. Need to log in to manage a website or do some online shopping? Just use your Google or Facebook account to verify your identity. This trend will not only continue to dominate throughout B2C efforts, but will take hold of B2B and internal business operations thanks to the SSO developments made by Tools4ever, Okta, and other industry leaders. Because of this and the maturation of cloud platforms, such as G Suite, there will be a point in the not-too-distant future where Microsoft’s market hold with (on-premise) Active Directory is no longer bolted to the crust of the earth. As more and more enterprises transition from on-premise to hybrid infrastructure and from hybrid to full cloud deployments, protocol flexibility means having to rely less on systems and applications that look to AD to authorize users’ access. Devices such as the widely popular Google Chromebooks have shown that the AD divorce is much more possible than many might realize. In an industry that prizes disruption above all, expect to see a few directory Davids challenge Goliath.

Downstream resources will benefit from increased integration. Coinciding with the increasing use of protocols to connect IT resources, you can also expect your downstream systems, applications, and other resources to better utilize identity data. The protocols mentioned above safely transfer some amount of identity information to verify users. The next step will be seeing how we can then leverage the information transferred within the protocols. Provisioning will be far more rapid, as transferred identity data will help immediately create accounts and configure access levels. Continually improving integrations will provide administrators and managers far more granular control during initial setup, active management, and deactivation. Increased connectivity will allow much of this management to be centralized at the source of the authoritative identity data and easily pushed out from there. Systems and applications will better incorporate identity data to enforce a given user’s permissions within that resource.

Multifactor authentication (MFA) will pervade our login attempts and increase the security of delivery to stay a step ahead. Already popular amongst some enterprise technologies and consumer applications handling sensitive, personal data (e.g. financial, healthcare), MFA will continue to transform our authentication attempts. Much has been made over the years about password complexities and poor safeguarding, but human error and “it’s easy to remember” remain persistent pitfalls. The addition of MFA helps immediately add further security to authentication attempts by having the user enter a temporarily valid PIN code or verify by other methods. The area to watch with MFA is the delivery method. SMS notifications were the first stand-out, but forced some organizations to weigh the increased costs messaging might bring on their company’s mobile phone plan. SMS remains common, but all things adapt, and hackers’ increased ability to hijack these messages has made their delivery less secure. Universal one-time password (OTP) clients, such as Google Authenticator, have both increased security and made the adoption of MFA policies significantly easier via time-sensitive PIN codes. Universal clients also eliminate the need for every unique resource to support its own MFA method. Already evolving, PIN codes are beginning to be replaced by “push notifications”, which send a simple, secure “yes/no” verification prompt. After downloading the client app and registering your user account, a single screen tap will be all it takes to add extra security to your logins. Gartner has been extolling push notifications for a couple of years now as the future, having predicted that 50% of enterprises using mobile authentication will adopt it as their primary verification method before the decade closes.
Mark Sangster, Vice President and Industry Security Strategist, eSentire
December 05, 2019
Microtargeting of companies using industry-specific tools to rise in 2020
Throughout 2019, eSentire has observed numerous instances of mid-sized organizations being targeted using tools specific to their industry, and this approach will continue into 2020. Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe, to access stores of sensitive information, and credit vendors, like American Express, to gain short-term access to personal and/or company credit accounts. Access to personal or organization emails can lead to the theft of sensitive information. It can also aid attackers in crafting more familiar and friendly-looking lures for spear (targeted) phishing. As this trend towards microtargeting continues, organizations need to ensure they have technical controls in place to detect these threats and also ensure they have a robust security education program in place for their employees.
Josh Lemos, VP of Research and Intelligence, BlackBerry Cylance
December 05, 2019
Recent research discovered nation-state based mobile cyber espionage activity across the Big 4.
Uncommon attack techniques will emerge in common software. Steganography, the process of hiding files in a different format, will grow in popularity as online blogs make it possible for threat actors to grasp the technique. Recent BlackBerry research found malicious payloads residing in WAV audio files, which have been utilised for decades and categorised as benign. Businesses will begin to recalibrate how legacy software is defined and treated and effectively invest in operational security around them. Companies will look for ways to secure less commonly weaponised file formats, like JPEG, PNG, GIF, etc., without hindering users as they navigate modern computing platforms.

Changing network topologies challenge traditional assumptions and require new security models. Network-based threats that can compromise the availability and integrity of 5G networks will push governments and enterprises alike to adopt cybersecurity strategies as they implement 5G spectrum. As cities, towns and government agencies continue to overhaul their networks, sophisticated attackers will begin to tap into software vulnerabilities as the expansion of bandwidth that 5G requires creates a larger attack surface. Governments and enterprises will need to retool their network, device and application security, and we will see many lean towards a zero-trust approach for identity and authorisation on a 5G network. Threat detection and threat intelligence will need to be driven by AI/ML to keep up.

2020 will see more cyber/physical convergence. As all sectors increasingly rely on smart technology to operate and function, the gap between the cyber and physical will officially converge. This is evident given the recent software bug in an Ohio power plant that impacted hospitals, police departments, subway systems and more in both the U.S. and Canada. Attacks on IoT devices will have a domino effect and leaders will be challenged to think of unified cyber-physical security in a hybrid threat landscape. Cybersecurity will begin to be built into advanced technologies by design to keep pace with the speed of IoT convergence and the vulnerabilities that come with it.

State and state-sponsored cyber groups are the new proxy for international relations. Cyber espionage has been going on since the introduction of the internet, with Russia, China, Iran and North Korea seen as major players. In 2020, we will see a new set of countries using the same tactics, techniques, and procedures (TTPs) as these superpowers against rivals both inside and outside national borders. Mobile cyber espionage will also become a more common threat vector, as mobile users are a significant attack vector for organisations that allow employees to use personal devices on company networks. We will see threat actors perform cross-platform campaigns that leverage both mobile and traditional desktop malware. Recent research discovered nation-state based mobile cyber espionage activity across the Big 4, as well as in Vietnam, and there are likely to be more attacks coming in the future. This will create more complexity for governments and enterprises as they try to attribute these attacks, with more actors and more endpoints in play at larger scale.
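The WAV finding above is a reminder that a format's benign reputation says nothing about what a given file carries. The block below is an added illustration, not code from the article or from BlackBerry's research, and it does not describe any real malware's scheme: it shows the simplest form of the technique, a payload written into the least significant bit of each 16-bit PCM sample, where it survives as valid, playable audio. The cover tone and the payload are constructed here; the 4-byte length header and MSB-first bit order are this example's own convention.

```python
"""LSB steganography in 16-bit PCM WAV: a payload riding inside playable audio.

Added example: not code from the article or from BlackBerry's research, and not
a description of any real malware's scheme. The cover tone and the payload are
constructed; the 4-byte length header and MSB-first bit order are this
example's own convention.
"""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000


def make_cover_wav(seconds: float = 0.5, freq: float = 440.0) -> bytes:
    """Constructed cover: half a second of a mono 16-bit sine tone as WAV bytes."""
    n = int(SAMPLE_RATE * seconds)
    frames = b"".join(
        struct.pack("<h", int(12000 * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)))
        for i in range(n))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(frames)
    return buf.getvalue()


def _read_samples(wav_bytes: bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2 or w.getnchannels() != 1:
            raise ValueError("example handles mono 16-bit PCM only")
        params = w.getparams()
        raw = w.readframes(w.getnframes())
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def capacity(wav_bytes: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus the 4-byte length header."""
    return len(_read_samples(wav_bytes)[1]) // 8 - 4


def embed(wav_bytes: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive samples with the length-prefixed payload bits."""
    if len(payload) > capacity(wav_bytes):
        raise ValueError("payload too large for cover")
    params, samples = _read_samples(wav_bytes)
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit    # changes the sample by at most 1
    return _write_samples(params, samples)


def lsb_plane(wav_bytes: bytes, nbytes: int, start_bit: int = 0) -> bytes:
    """Pack the LSBs of consecutive samples into bytes: what a stego analyst inspects."""
    samples = _read_samples(wav_bytes)[1]
    out = bytearray()
    for b in range(nbytes):
        val = 0
        for k in range(8):
            val = (val << 1) | (samples[start_bit + b * 8 + k] & 1)
        out.append(val)
    return bytes(out)


def extract(wav_bytes: bytes) -> bytes:
    """Recover a payload written by embed(); rejects headers that cannot be ours."""
    length = struct.unpack(">I", lsb_plane(wav_bytes, 4))[0]
    if length > capacity(wav_bytes):
        raise ValueError("length header implausible: no embed() payload here")
    return lsb_plane(wav_bytes, length, start_bit=32)


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change between cover and stego (1 for pure LSB embedding)."""
    a = _read_samples(cover)[1]
    b = _read_samples(stego)[1]
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover_wav()
    payload = b"MZ\x90\x00 constructed stand-in for a dropped binary"
    stego = embed(cover, payload)
    print(len(cover), len(stego), max_sample_delta(cover, stego), extract(stego) == payload)
```

The two helpers at the end are the analyst's side of the picture. The stego file is byte-for-byte the same size as the cover, has an identical header, and differs by at most one LSB per sample, so format validation, metadata inspection and listening all come back clean. Dumping the LSB plane, on the other hand, exposes the structure of whatever was embedded, which is why practical detection works on that plane (entropy, chi-square tests, known headers) rather than on anything the WAV container declares.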
Rob MacDonald, Director of Security Solution Strategy, Micro Focus
December 05, 2019
Due to the continued skill gap present in the industry, organisations will move to adopt AI and behavioural analytics.
As new technology emerges and in the face of the ever-widening skills gap, organisations will need to adapt security processes. As 5G technologies begin to roll out, the pace at which we see breaches occur will accelerate. To combat this, organisations will need to refocus on driving security integrations across the business, moving to a centralised environment. Due to the continued skill gap present in the industry, organisations will move to adopt AI and behavioural analytics which will drive automation to augment and fill security gaps and drastically improve response times and accuracy of threat identification.
Professor Yehuda Lindell, CEO and Co-founder, Unbound Tech
December 05, 2019
Crypto agility is essential in any area where cryptography is used.
New Methods of Protection Will Continue to Grow as Blockchain / Cryptocurrency Becomes an Increasingly Attractive Crime Target: We are seeing more institutional interest and investment in the Blockchain world, and the hype is falling away. This is good news for the space in general, and means that real work can get done. The other side of this is that there are more real solutions that utilize blockchain, and as cryptocurrencies continue to thrive, they will become more and more of a crime target. Fortunately, since the organizations in this space are typically young and agile, and the threat is real and immediate, they will respond quickly. As such, I believe that attacks and crime in the space will continue to rise, together with a tightening of security and deployment of new methods. Secure multiparty computation as a solution to protect the signing keys used to authorise transactions on blockchains will grow quickly, as this provides the best tradeoff between security and functionality, in my opinion. Other solutions will continue to be used as well (cold wallets, multi-sig, etc.) and the use of multiple technologies together for different use cases will grow.

Hype Around Quantum Computing Continues: Rise of Post-Quantum Security: This year Google's scientists hailed what they believe is the first demonstration of quantum supremacy, but this needs to be understood in context. Quantum supremacy is a technical term used by the academic community to mean when a quantum computer can do just one thing faster than a classical computer. However, this is really not what we think about when we hear supremacy, nor is it really relevant to cryptography and other application domains. In particular, what we are really interested in knowing is when quantum computers will be able to solve hard important problems faster than classical computers, and when quantum computers will be able to break cryptography. Whether or not quantum supremacy was even demonstrated is not absolutely clear (see IBM's response). However, this quantum computation has no effect whatsoever on cryptography, blockchain, and cryptocurrencies. Will quantum computers at some stage threaten the public-key cryptography used today to protect our systems? Maybe. I personally believe that this is many years away (I will say at least a decade, but I think it will be more like two decades at least). I also want to stress that this is still an “if” and not a “when”. The fact that small quantum computers have been built does not mean that quantum computers at the scale and accuracy needed to break cryptography will ever be built. The problems that need to be overcome are considerable. I am not saying that I don’t think they will succeed; I’m just saying that it’s not a certainty. If it does get close, then we already have good candidates for post-quantum secure public-key encryption and digital signature schemes, and NIST is working on standardisation now. As such, we shouldn’t change anything yet (except for becoming more crypto-agile, see the next point).

Companies Can No Longer Ignore Crypto-Agility: The threat of quantum computing to modern cryptography (including elliptic curve cryptography, used in almost all cryptocurrencies) is now a hot topic of discussion. Although we may still be far away from quantum computing being a concrete threat, we have to be ready for any eventuality; the cost of not being ready is just way too high! However, this is not the only reason that cryptography is going to be changing over the coming years. New standards continue to be adopted (EdDSA is just one example), and existing standards or key-lengths become outdated. The question we must all ask ourselves is how long will it take us to respond to changes, and will we be ahead of the curve or lagging far behind? If we are not crypto-agile, and our platforms are tightly bound to the way a specific cryptographic scheme works, then making changes to add new standards and replace outdated ones will be painful and slow. Crypto agility is essential in any area where cryptography is used.
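One concrete shape for the crypto agility described above is to make every signed object name its algorithm and key id, and to keep the lifecycle of each algorithm in a single registry so that adding, demoting or retiring a scheme never touches the code that signs or verifies. The Python below is an added example, not code from the article or from Unbound Tech: HMAC schemes from the standard library stand in for the signature schemes (ECDSA, EdDSA, a post-quantum candidate) a real registry would hold, and the keys, key ids and lifecycle states are constructed for illustration.

```python
"""Crypto-agile signed envelope: the token names its algorithm and key id, and one
registry owns each algorithm's lifecycle, so migrations never touch call sites.

Added example: not code from the article or from Unbound Tech. HMAC schemes from
the standard library stand in for the signature schemes (ECDSA, EdDSA, a
post-quantum candidate) a real registry would hold; keys and lifecycle states
are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

# Lifecycle: "current" signs and verifies; "legacy" verifies only while old tokens
# are re-issued; "retired" is refused. Promoting or retiring a scheme is one edit here.
ALGORITHMS = {
    "HS1":   {"hash": hashlib.sha1,   "status": "retired"},
    "HS256": {"hash": hashlib.sha256, "status": "legacy"},
    "HS512": {"hash": hashlib.sha512, "status": "current"},
}

# Each key id is bound to exactly one algorithm (constructed demo keys).
KEYS = {
    "k0": ("HS1",   b"constructed-demo-key-zero"),
    "k1": ("HS256", b"constructed-demo-key-one"),
    "k2": ("HS512", b"constructed-demo-key-two"),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_unchecked(payload: dict, kid: str) -> str:
    """header.payload.tag with no lifecycle check: stands in for tokens issued in the past."""
    alg, key = KEYS[kid]
    header = _b64(json.dumps({"alg": alg, "kid": kid}, sort_keys=True).encode())
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, (header + "." + body).encode(), ALGORITHMS[alg]["hash"]).digest()
    return header + "." + body + "." + _b64(tag)


def sign(payload: dict, kid: str) -> str:
    """Issue a new token; only a 'current' scheme may produce new signatures."""
    alg = KEYS[kid][0]
    status = ALGORITHMS[alg]["status"]
    if status != "current":
        raise ValueError("refusing to sign with %s (status: %s)" % (alg, status))
    return issue_unchecked(payload, kid)


def verify(token: str):
    """Return (True, payload) or (False, reason). The token never chooses its own algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, body_b64, tag_b64 = parts
    try:
        header = json.loads(_unb64(header_b64))
        tag = _unb64(tag_b64)
    except ValueError:
        return False, "malformed"
    kid = header.get("kid") if isinstance(header, dict) else None
    if not isinstance(kid, str) or kid not in KEYS:
        return False, "unknown kid"
    alg, key = KEYS[kid]
    if header.get("alg") != alg:      # header alg is attacker-controlled: bind to the key
        return False, "alg/kid mismatch"
    if ALGORITHMS[alg]["status"] == "retired":
        return False, "algorithm %s retired" % alg
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode(),
                        ALGORITHMS[alg]["hash"]).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    try:
        return True, json.loads(_unb64(body_b64))
    except ValueError:
        return False, "malformed"


def needs_reissue(token: str) -> bool:
    """For a token that verified: was it signed under a scheme that is no longer current?"""
    kid = json.loads(_unb64(token.split(".")[0]))["kid"]
    return ALGORITHMS[KEYS[kid][0]]["status"] != "current"


def forge_header_alg(token: str, claimed_alg: str) -> str:
    """Attacker step for the demo: rewrite the header's alg and keep body and tag."""
    header_b64, body_b64, tag_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    header["alg"] = claimed_alg
    return _b64(json.dumps(header, sort_keys=True).encode()) + "." + body_b64 + "." + tag_b64
```

Retiring HS256 later is a one-word change in the registry: flip its status to "retired" and tokens signed under it stop verifying, with no call site touched; `sign` already refuses to mint new ones while it is merely "legacy", and `needs_reissue` flags the old tokens still in circulation. The alg/kid binding matters as much as the registry: if `verify` trusted the header's alg, an attacker could pair a registered key with a scheme of their choosing, which is the same class of bug as the well-known JWT "alg" confusion issues.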
Stuart Reed, VP, Nominet
December 04, 2019
We’ll also see the role of the CISO redesigned in 2020.
In 2020, we will see the cyber industry redesigned in some key areas. Malware will undoubtedly evolve, and ransomware will become more sophisticated, potentially even teaching businesses new ways to take payments and create customer service that encourages the victim to part with their money. That said, it will still be the simple attacks that cause the most damage, because organisations have a lot of work to do on ensuring they are utilising every layer of defence within their reach. We’ll also see the role of the CISO redesigned in 2020, as their work-life imbalance worsens and the role needs to change to meet the demands of the modern cyberscape; for example, becoming more of a strategic resource for the business on mitigating risk and facilitating business transformation safely.
Andy Dunbar, Technology Services Lead, SoftwareONE
December 04, 2019
Microsoft 365 – research shows 44 per cent of users aren’t using Intune.
Organisations need to start exploring the security features they are already paying for, but not using, to mitigate risk while increasing ROI. Most organisations use traditional third-party security providers while overlooking the consolidated security capabilities of widely-used platforms. For example, with Microsoft 365, research shows 44 per cent of users aren’t using Intune (device and application management), 37 per cent are not using Azure Advanced Threat Protection (identifies, detects and investigates advanced threats), and 36 per cent are not using Azure Information Protection (document protection). In practice, this means organisations using third party tools are essentially paying twice for the same outcome. However, we expect to see adoption of integrated features rise in 2020 as users start to realise they are a strong, cost-effective option.
Mark Hughes, Senior Vice President and General Manager of Security, DXC Technology
December 04, 2019
Organisations should also be looking to under-hired groups, such as neurodiverse candidates.
In 2020, many more organisations are going to feel the effects of the cyber skills gap, and will need to rethink their cybersecurity strategies as a result. Businesses should consider using more AI and machine learning technologies to automate as many security processes as possible, taking pressure off overstretched cybersecurity teams and allowing them to focus on the biggest threats. Organisations should also be looking to under-hired groups, such as neurodiverse candidates, who are perfectly suited for cyber roles and could help to fill open positions.
Amanda Finch, CEO, Chartered Institute of Information Security (CIISec)
December 04, 2019
At the same time, smarter organisations will also be looking to promote internally, spotting individuals with the right aptitude for security.
Doing more with less will be as true for attackers as for organisations. Whether due to budget constraints, time pressure or simply recognising who provides the best service, more and more organisations are relying on upstream service providers to give their business essential capabilities. Similarly, automation is becoming a significant tool for organisations that want to maximise the efficiency and effectiveness of their business processes. Yet any technology that makes things easier for the business can also make things easier for others with hostile intentions.

For instance, sophisticated nation-state attackers will target service providers that serve hostile governments, then use this entry spot to work their way down into more heavily-protected systems. Likewise, any automated systems are a prime target for attackers who understand their capacity to wreak havoc. The opportunity to affect multiple targets with a single attack can make these services a one-stop shop for dedicated attackers. Businesses have to understand the threats they are potentially opening themselves up to when they adopt new technology or services, and work to close any potential points of attack. Otherwise, if the worst does happen, organisations will quickly find out that they may be able to outsource IT services, but they cannot outsource ultimate responsibility.

To deal with a growing age and skills gap, IT security professionalisation will gather pace in 2020. IT security recognises that it faces a worrying age gap. The average age of security personnel is creeping upwards as the industry continues to struggle to attract new talent. It’s entirely possible that more youthful talent, and fresh thinking, is concentrated on the side of the attackers. Left unchecked, this trend will result in a security industry that struggles to fill skills gaps and is increasingly stretched as it fights attackers. There is already a challenge: according to the UK Government’s 2018 audit into the state of the nation’s cyber security workforce, more than half of all UK businesses had a “basic technical cyber security skills gap”.

To avoid this, professionalism will be crucial. In order to attract more applicants, and especially those from more diverse backgrounds, the industry needs to have education in place to give individuals the skills they need. It also needs to prove that security is an attractive career, through clear opportunities for progression; evidence of the importance of the role; and demonstrating how a huge range of skills can prepare individuals for a career in security. At the same time, smarter organisations will also be looking to promote internally, spotting individuals with the right aptitude for security. Without this, the industry will continue to see promising applicants lost to other careers – or even to the dark side.
Jasmit Sagoo, Senior Director, Head of Technology UK&I, Veritas Technologies
December 04, 2019
Many of tomorrow’s most exciting solutions depend on data that has already been centralised, cleaned up and correctly labelled.
IT will run itself while data acquires its own DNA.
Organisations are already drowning in data, but the floodgates are about to open even wider. IDC predicts that the world’s data will grow to 175 zettabytes over the next five years. With this explosive growth comes increased complexity, making data harder than ever to manage. For many organisations already struggling, the pressure is on. Yet the market will adjust. Over the next few years, organisations will exploit machine learning and greater automation to tackle the data deluge.
Attention will turn to innovating and securing the edge of the network.
5G is just the beginning, opening us up to a whole new wave of instant, rich and interactive on-demand services processed at the edge of the network, narrowing the gap between data and user, and powered by the Internet of Things (IoT). However, will the edge be able to keep up with the explosive growth of the IoT? Gartner predicts that by the end of next year there will be 5.8 billion connected devices on the market – a 21% increase on 2019, which saw 21.5% growth from 2018. If this rate of growth continues, there will be more data on the edge of the network than at the heart of it. The micro data centres being built now to process all this data will soon become macro data processors. Crucial decisions will increasingly be made off the back of this temporary data. That’s enough to make it a tantalising target for cybercriminals interested in causing trouble or holding businesses to ransom. Tampering with autonomous transport systems, for example, could cause severe traffic build-up or even dangerous accidents. It also magnifies the disruption caused by any downtime on the edge network. We’re very focused at the moment on moving our data to the edge, but our attention will turn very quickly to ensuring its resilience. Operators will respond either by building a large number of secondary edge sites to keep their critical services and applications available, or by using the centralised network as a backup.
The emergence of global data standards and data-centric roles.
Data bloat is only one of the challenges facing organisations in 2020. The next most pressing will be data quality and efficiency of managing it. Not all companies take the same pains to optimise their data, resulting in repositories of unstructured data that are larger and less efficiently managed than they should be. While standards such as GDPR have started to make a positive impact on helping companies prioritise data hygiene and protection, there is no single, global framework that tells businesses how they should store, manage, classify, protect and secure their data. The question is, who in the organisation will be charged with enforcing these new data standards? Many businesses already employ chief data officers (CDOs) and data protection officers (DPOs) to ensure their digital estate is secure and protected. However, the sheer amount of data they are responsible for, coupled with the growing awareness of data’s importance across the entire business, means we are going to see data responsibility filter out rather than become more centralised. Rather than having a single CDO or DPO, different departments will begin to employ personnel with multiple competencies, including data expertise. Candidates with data experience in addition to the skillset traditionally expected for their role will only become more sought after as organisations hire for new hybrid roles. Other departments may take the alternate approach of hiring their own data specialist. Regardless, the time when data responsibility was passed off to IT or laid solely at the feet of the CDO will come to an end.
Insight is power.
A combination of technology and automation will transform how organisations protect and utilise their most critical data in the future. However, companies can’t afford to neglect the basics of sound data management in the present. Many of tomorrow’s most exciting solutions depend on data that has already been centralised, cleaned up and correctly labelled. Automation may take over many of the day-to-day requirements of data management, but employees will still have to know where their company’s data is to make the most of it. In the data deluge, will organisations sink or swim? The answer depends on what they do now to deliver data protection, performance, accessibility and intelligence.
Carolyn Crandall, Chief Deception Officer,  Attivo Networks
December 01, 2019
Significant issues will surface around the lack of adequate detection of threats that have bypassed prevention defences.
2020 will be the year of API connectivity. Driven by the need for on-demand services and automation, there will be a surge in requirements for the use of technology that interconnects through APIs. Vendors that don’t interconnect may find themselves passed over for selection in favour of others with API access that add value to existing solutions. DevOps capabilities will continue to increase their significance in moving projects to products, with only 9% of technology professionals responsible for the development and quality of web and mobile applications stating that they had not adopted DevOps and had no plans to do so. This will drive an increased focus on DevSecOps and how open-source software is managed within projects. We will begin to see more examples of the theft of encrypted data as cybercriminals begin to stockpile information in preparation for the benefits of quantum computing, where traditional encryption will become easy to crack. The advances in quantum computing that Google has recently published bring this possibility closer to becoming reality. Significant issues will surface around the lack of adequate detection of threats that have bypassed prevention defences. To combat this, in 2020, we will see the addition of deception technology into security framework guidelines, compliance requirements, and as a factor in cyber insurance premiums and coverage.
Jeremy Hendy, CEO,  Skurio
November 28, 2019
In 2020, as we see the second wave of fines, regulators will also face the challenge of how to deal with ‘repeat offenders’.
The imitation game: spear-phishing swindles will persist
Threat actors are shifting away from the scatter-gun phishing approach to well-researched, bespoke emails, cleverly personalised to appear as convincing as possible. In fact, according to Europol, spear phishing is now the number one cyber threat to organisations. Throughout 2020 we’ll continue to see a rise in this form of attack and it’s not only the largest enterprises that will be preyed upon. In fact, all businesses will need to be prepared for more CEO fraud attacks – a well-crafted email, imitating communications from a trusted executive, usually convincing someone to make an urgent money transfer. It’s made to look like the ‘real deal’ and it works. These usually happen as a result of leaked email credentials finding their way on to dark web marketplaces, which can be used for account takeovers (ATOs) for even more specific and credible phishing emails.
SMEs hit hardest by cyber skills shortage - more attacks and breaches for everyone, but more focus on small and medium businesses
There’s a real dearth of cyber security talent and smaller businesses will be hardest hit through next year. Skilled professionals will be increasingly hard to find and difficult to retain. Market forces will put the option of full-time, in-house security specialists, commanding high salaries, out of reach for many smaller businesses. Instead, they’ll need to think creatively and look at how they can plug the gap through outsourcing and affordable service-based solutions. This is imperative as under-resourcing can cause real security risks. Bad actors are aware of the lack of defences in smaller businesses and they are an easier target to break into. Cybercriminals increasingly target SMEs, who are less likely to have the technology, people and processes in place to block or defend against those attacks.
GDPR: be prepared for second wave of fines and repeat offenders
In 2019 the regulators bared their teeth and showed that sky-high penalties were more than a hollow threat. Precedents were set with the first wave of multi-million pound GDPR fines, reflecting the sheer amount of data that was compromised. In 2020 we’ll see the wider impact on consumer behaviour. GDPR is all about putting the safety of customers’ data front and centre; those companies that have been breached are likely to see frustrated customers voting with their feet and taking their business elsewhere. In 2020, as we see the second wave of fines, regulators will also face the challenge of how to deal with ‘repeat offenders’. It’s reinforced the importance of early breach detection for compromised credentials. Companies can also get proactive about planned attacks, which can be identified through chatter on Dark Web forums by threat actors.
Risky connections
Organisations will be managing an increasingly complex web of third party and supplier connections. More connections mean more risk, exposing them to threats beyond their control. Due diligence when working with new partners or suppliers is critical but the reality is that they simply can’t control every aspect of their third party’s security. What they can do is manage this risk by availing themselves of technology that provides visibility of data outside of the corporate network. Cloud adoption will continue to gather pace, which is brilliant for productivity and digital transformation, but is often happening without the consent of the IT organisation. Shadow IT and the culture of Bring Your Own App will continue, with many organisations using more apps than they have employees. All of these trends together will create a perfect storm of vulnerability for organisations.
Digital Trust – the new customer metric for business success
The flipside of cybersecurity is Digital Trust. Consumers will lose confidence in repeat offenders who do not take care of their personal data. We’ve seen the first wave of GDPR fines but, more importantly, huge publicity and bad press for companies who have had breaches which weren’t well managed. The public are becoming more and more aware of the value and currency of their personal data and will punish companies who don’t look after this responsibly.
Anthony Chadd, Global SVP,  Neustar
November 28, 2019
In the last year alone, 48 percent of organisations experienced a cyberattack against their IoT or connected devices.
The rise of the small and mighty DDoS attack
This year, we’ve seen overwhelming threats and traditionally large-scale DDoS attacks decrease. While this would normally be cause for celebration, such attacks have been overshadowed by the rise of smaller, more carefully targeted incursions. In 2020, we’ll see this upward trend continue, with intensity and duration replacing brute force and size as key concerns for cybersecurity professionals. Such attacks do not seek to saturate the network link, but instead to degrade or disable specific infrastructures within the target. In a bid to understand, identify and diminish these small-scale threats, organisations must reassess the detect and protect measures they already have in place, ensuring that an ‘always on’ DDoS mitigation strategy is deployed. When asked how likely they would be to notice today’s most prevalent smaller attacks, just 28 percent of security leaders answered very likely, with the remaining 72 percent lacking the same confidence. With smaller attacks frequently flying under the radar, cybersecurity professionals need to change their approach to security next year, constantly monitoring traffic to ensure threats of all sizes are spotted, managed and fought against. Organisations also need to establish a greater level of understanding as to what exactly they have at risk and therefore where they need to deploy the most protection. We know DDoS attacks are getting smaller, but we also know size does not always go hand-in-hand with impact – it’s now the attacks we fail to see that have the potential to cause the most damage.
Getting to grips with IoT
Despite 2019 seeing huge growth in the IoT market, with Fitbit and Alexa sales booming, security protocols for these connected devices have yet to become as mainstream. In fact, fewer than half (47%) of security professionals recently admitted to having a plan in place to deal with attacks on their IoT equipment, even though nine in ten are concerned about future threats. In most cases, IoT equipment is still being manufactured with only basic security in mind. While this may not have been such an issue a few years ago, malicious actors are now all too aware of the various entry points they can tap into to infiltrate wider networks. In the last year alone, 48 percent of organisations experienced a cyberattack against their IoT or connected devices. It is crucial, therefore, that businesses understand and identify exactly what is at stake when it comes to the IoT, and build a cohesive security strategy around this. Next year, as IoT capabilities continue to expand and use-cases span further into our homes and offices, professionals will place a greater focus on deploying more than ‘out-of-the-box’ security for these devices. In fact, recently, 38 percent of CTOs, CIOs and security execs claimed they are in the process of developing a plan for their IoT security, pointing at a fundamental need to ensure the appropriate controls are in place.
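The detection change Neustar describes, spotting attacks by intensity against a specific target rather than by raw volume, can be made concrete with a short script. The following is an added example written for this page, not Neustar code: it runs two detectors over constructed traffic records (timestamp, source, path, bytes), a volumetric check against an assumed 1 Gbit/s link and a per-endpoint request-rate check against assumed baseline rates. The link size, the thresholds, the endpoint names and the sample traffic are all assumptions of the example.

```python
"""Two detectors run over constructed web-traffic records: a volumetric check
(link saturation) and a per-endpoint request-rate check. Added example, not
Neustar's code; thresholds, link size and the sample traffic are assumptions."""
from collections import Counter, defaultdict

LINK_BPS = 1_000_000_000      # assumed 1 Gbit/s uplink
VOLUMETRIC_ALERT = 0.8        # alert when a window uses >80% of the link
ENDPOINT_MULTIPLIER = 5.0     # alert when an endpoint exceeds 5x its baseline rate
WINDOW_SECONDS = 1.0

# Assumed per-endpoint baseline request rates (req/s) learned from normal traffic.
BASELINE_RPS = {"/": 30.0, "/static/app.js": 15.0, "/search": 5.0}


def make_traffic(attack_rps=400, attack_bytes=300, seconds=3, attack_second=1):
    """Constructed traffic: steady background for `seconds` windows plus an
    attack of `attack_rps` small requests to /search during one window.
    Each record is (timestamp, source_ip, path, bytes_on_wire)."""
    flows = []
    for sec in range(seconds):
        for i in range(50):                      # 50 background req/s
            path = "/" if i < 30 else "/static/app.js" if i < 45 else "/search"
            flows.append((sec + i / 50, f"10.0.0.{i % 20}", path, 800))
    for k in range(attack_rps):
        flows.append((attack_second + k / attack_rps,
                      f"198.51.100.{k % 40}", "/search", attack_bytes))
    return flows


def volumetric_alerts(flows, window=WINDOW_SECONDS):
    """Classic detector: fires only when a window's bytes approach link capacity."""
    bytes_per_window = Counter()
    for ts, _src, _path, nbytes in flows:
        bytes_per_window[int(ts // window)] += nbytes
    return sorted(w for w, b in bytes_per_window.items()
                  if b * 8 / window > VOLUMETRIC_ALERT * LINK_BPS)


def endpoint_rate_alerts(flows, baseline=BASELINE_RPS, window=WINDOW_SECONDS):
    """Targeted-attack detector: compares each endpoint's request rate with its
    baseline and reports (window, path, observed_rps, distinct_sources)."""
    requests = defaultdict(Counter)          # window -> path -> count
    sources = defaultdict(set)               # (window, path) -> set of sources
    for ts, src, path, _nbytes in flows:
        w = int(ts // window)
        requests[w][path] += 1
        sources[(w, path)].add(src)
    alerts = []
    for w, per_path in requests.items():
        for path, n in per_path.items():
            rps = n / window
            if rps > ENDPOINT_MULTIPLIER * baseline.get(path, 1.0):
                alerts.append((w, path, rps, len(sources[(w, path)])))
    return sorted(alerts)


if __name__ == "__main__":
    flows = make_traffic()
    print("volumetric:", volumetric_alerts(flows))      # [] - link is ~0.1% used
    print("endpoint  :", endpoint_rate_alerts(flows))   # [(1, '/search', 405.0, 45)]
```

The low-volume flood of 400 small requests per second to /search uses roughly 0.1% of the link, so the volumetric detector stays silent, while the per-endpoint detector reports the window, the path and the 45 distinct sources behind it; feeding the same generator 100,000 1500-byte requests per second trips both detectors.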
Steve Wood, Chief Product Officer,  Dell Boomi
November 28, 2019
Overzealous data analyses have brought many companies face to face with privacy lawsuits from consumers and governments alike.
Companies will rely more on metadata than data to provide insights
Overzealous data analyses have brought many companies face to face with privacy lawsuits from consumers and governments alike, which in turn has led to even stricter data governance laws. Understandably concerned about making similar mistakes, businesses will begin turning to metadata for insights in 2020, rather than analyzing actual data. By harvesting data’s attributes — including its movement, volume, naming conventions and other properties — companies will give indications of concerns around accessing PII and other sensitive information. Metadata lends itself well to data privacy, and with the correct machine learning and artificial intelligence modeling can still provide critical information to the C-suite such as lead generation changes, third-party data access, potential breaches and more.
Andrew Filev, Founder and CEO,  Wrike
November 27, 2019
Candidates, especially those of Generation-Z, are most likely to seek positions.
Flexible and remote working practices will increase in popularity:
  • “Driven by the saturation of the workforce by millennial and Generation-Z workers, more offices will adopt university-campus-like flexibility, where seating isn’t assigned, teams can self-organise, and you’re just as likely to find a worker sprawled across a sofa as you are at a desk. Employers should embrace this flexibility, which, combined with an increase in mobile working, will save enterprises up to 25% on commercial real estate and energy costs.”
  • “Businesses will experience a productivity bump as the digital-native generation grows in the workforce. Generation Z will make up 20% of the workforce in 2020 and this number will increase steadily throughout the decade. This generation is natively comfortable with virtual collaboration and are masters of the social marketing tactics they’ve used their whole lives. Digital transformation was accelerated by millennials - but Generation Z will own the post-digital era.”
Desired skillsets will change:
  • “Automation will continue to eat away at routine tasks next year. As the nature of work transforms, jobs will become more cognitively challenging, boosting the need for creative, empathetic, and strategic career skills. Humanities and arts degrees will see 10% growth as storytelling, content, and design become increasingly important to brands. STEM will also continue its growth trajectory.”
  • “E-learning will become mainstream and even mandatory in some rapidly evolving fields. By 2025, 45% of white-collar employees will have used an e-learning platform to improve their job skills or explore new careers.”
As will desired employer traits:
  • “Enterprise software platforms will become a factor in the decision-making process for job candidates when accepting positions at new companies. Candidates, especially those of Generation-Z, are most likely to seek positions that add to their long-term career growth through the mastery of market standard CRM, CWM, analysis, and automation platforms.”
Bill Holtz, CEO,  Sectigo
November 27, 2019
Automation features were ‘nice-to-have’ in the past.
On automation: “Automation will become critical for businesses to secure websites, connected devices, applications, and the digital identities that are critical to preventing crippling and costly attacks. Ransomware attacks, data breaches, and email impersonation continue to increase as cybercriminals become more sophisticated, making it imperative to eliminate the potential for human error in cybersecurity operations. Functions that require human intervention and are laborious and error-prone will be replaced by technologies that automate the protection of security elements at scale. Automation features were ‘nice-to-have’ in the past, but enterprises today understand their essential value in compliance and establishing safe internet practices.”
Tim Callan, Senior Fellow,  Sectigo
November 27, 2019
CCPA gives California residents the right to know what data is being collected.
On quantum computing: “As quantum computers continue to improve, enterprises and the general public will become increasingly aware of the threat they pose to the cryptographic systems that underpin all digital security globally. With this knowledge, we will see a greater focus on crypto agility, or the ability to update cryptographic algorithms, keys and certificates quickly in response to advances in cracking techniques and processing speed. To prepare for these inevitable cryptographic updates, more enterprises than ever will explore automation as a critical component for ensuring future-proofed security.”
Consumer data privacy: “While the California Consumer Privacy Act (CCPA) only applies to California consumers, this law will have a much bigger geographical footprint. CCPA gives California residents the right to know what data is being collected, view it and have it deleted. As with California’s new IoT security legislation, we expect that most companies conducting business in the United States will decide it is easier to honor the legislation for all than to identify which consumers live in California and which do not – making the CCPA protections into a de facto standard for most US residents.”
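Crypto agility as Callan describes it means being able to swap algorithms and keys without redesigning the system. The example below is added for this page and is not Sectigo’s code: a simplified signed-token format (not a JWT implementation) in which the verifier takes the algorithm from its own key registry rather than from the token, so supporting a new algorithm is one registry entry and a key rotation is a status change. The envelope layout, the HS1/HS256/HS512 names, the key registry and the status values active/deprecated/retired are assumptions of the example.

```python
"""Crypto-agile signed token: the verifier picks algorithm and key from its
own registry, so algorithms and keys can be added, rotated and retired
without changing the token format. Added example, not Sectigo's code; the
envelope layout, algorithm names, key registry and status values are assumed."""
import base64
import hashlib
import hmac
import json

# Algorithm registry: supporting a new MAC means adding one entry here.
ALGORITHMS = {
    "HS1": hashlib.sha1,      # kept only so tokens issued under it still verify
    "HS256": hashlib.sha256,
    "HS512": hashlib.sha512,
}

# Key registry keyed by key id. Status values: "active" (sign and verify),
# "deprecated" (verify only, during the rotation window), "retired" (reject).
KEYS = {
    "k1": {"alg": "HS1", "secret": b"old-secret-0001", "status": "deprecated"},
    "k2": {"alg": "HS256", "secret": b"current-secret-0002", "status": "active"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_mac(key: dict, signing_input: bytes) -> bytes:
    return hmac.new(key["secret"], signing_input, ALGORITHMS[key["alg"]]).digest()


def sign(payload: bytes, kid: str, keys=KEYS) -> str:
    """Issue header.payload.signature using an *active* key only; a deprecated
    key still verifies old tokens but must not mint new ones."""
    key = keys[kid]
    if key["status"] != "active":
        raise ValueError(f"key {kid} is {key['status']}; refusing to sign")
    header = b64url(json.dumps({"kid": kid, "alg": key["alg"]}).encode())
    body = b64url(payload)
    signature = compute_mac(key, f"{header}.{body}".encode("ascii"))
    return f"{header}.{body}.{b64url(signature)}"


def verify(token: str, keys=KEYS):
    """Return the payload if the token verifies, else None. The algorithm is
    taken from the registry entry for kid; the header's alg is only
    cross-checked, so a forged header cannot downgrade the verifier."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        key = keys[header["kid"]]
    except (ValueError, KeyError, TypeError):
        return None
    if key["status"] == "retired" or header.get("alg") != key["alg"]:
        return None
    expected = compute_mac(key, f"{header_b64}.{body_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return b64url_decode(body_b64)


def rotate(old_kid: str, new_kid: str, alg: str, secret: bytes, keys=KEYS):
    """Start a rotation: the new key signs, the old key becomes verify-only.
    Once the longest token lifetime has elapsed, set the old key to 'retired'."""
    keys[new_kid] = {"alg": alg, "secret": secret, "status": "active"}
    keys[old_kid]["status"] = "deprecated"


if __name__ == "__main__":
    token = sign(b'{"sub":"alice"}', "k2")
    print(verify(token))                         # b'{"sub":"alice"}'
    rotate("k2", "k3", "HS512", b"next-secret-0003")
    print(verify(token) is not None)             # True: k2 is verify-only now
    KEYS["k2"]["status"] = "retired"
    print(verify(token))                         # None: rotation complete
```

The design point is that nothing the token carries can choose the algorithm: a header claiming alg HS1 for a key registered as HS256 is rejected before any MAC is computed, and retiring a key is a one-field change in the registry rather than a code deployment.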
Ed Giaquinto, CIO,  Sectigo
November 27, 2019
Digital certificate solutions are available today to verify the true identity of an email sender.
On email security: In 2019 Business Email Compromise (BEC) attacks grew to be even more popular. For instance, a Nikkei employee was recently tricked into handing over £23M. This type of social engineering attack takes advantage of humans’ good faith, with attackers posing as senior figures in an organization in order to trick employees through email into transferring money to their accounts. It’s an unfortunate fact that BEC makes money for criminals, and until measures are in place to combat such attacks, we should expect them to increase both in volume and ingenuity. Digital certificate solutions are available today to verify the true identity of an email sender. To combat BEC and related email social engineering scams, enterprises will increasingly adopt these certificates – called Secure/Multipurpose Internet Mail Extensions, or S/MIME, certificates. At the same time, companies will educate their employees to look in their email application for the blue ribbon icon that indicates authenticated identity.
Josh Lemos, VP of Research and Intelligence,  BlackBerry Cylance
November 26, 2019
Recent research discovered nation-state based mobile cyber espionage activity across the Big 4.
Uncommon attack techniques will emerge in common software
Steganography, the process of hiding files in a different format, will grow in popularity as online blogs make it possible for threat actors to grasp the technique. Recent BlackBerry research found malicious payloads residing in WAV audio files, which have been utilized for decades and categorized as benign. Businesses will begin to recalibrate how legacy software is defined and treated and effectively invest in operational security around them. Companies will look for ways to secure less commonly weaponized file formats, like JPEG, PNG, GIF, etc., without hindering users as they navigate modern computing platforms.
Changing network topologies challenge traditional assumptions, require new security models
Network-based threats that can compromise the availability and integrity of 5G networks will push governments and enterprises alike to adopt cybersecurity strategies as they implement 5G spectrum. As cities, towns and government agencies continue to overhaul their networks, sophisticated attackers will begin to tap into software vulnerabilities as the expansion of bandwidth that 5G requires creates a larger attack surface. Governments and enterprises will need to retool their network, device and application security, and we will see many lean towards a zero-trust approach for identity and authorization on a 5G network. Threat detection and threat intelligence will need to be driven by AI/ML to keep up.
2020 will see more cyber/physical convergence
As all sectors increasingly rely on smart technology to operate and function, the gap between the cyber and physical will officially converge. This is evident given the recent software bug in an Ohio power plant that impacted hospitals, police departments, subway systems and more in both the U.S. and Canada. Attacks on IoT devices will have a domino effect and leaders will be challenged to think of unified cyber-physical security in a hybrid threat landscape. Cybersecurity will begin to be built into advanced technologies by design to keep pace with the speed of IoT convergence and the vulnerabilities that come with it.
State and state-sponsored cyber groups are the new proxy for international relations
Cyber espionage has been going on since the introduction of the internet, with Russia, China, Iran and North Korea seen as major players. In 2020, we will see a new set of countries using the same tactics, techniques, and procedures (TTPs) as these superpowers against rivals both inside and outside national borders. Mobile cyber espionage will also become a more common threat vector, as mobile users are a significant attack vector for organizations that allow employees to use personal devices on company networks. We will see threat actors perform cross-platform campaigns that leverage both mobile and traditional desktop malware. Recent research discovered nation-state based mobile cyber espionage activity across the Big 4, as well as in Vietnam, and there’s likely going to be more attacks coming in the future. This will create more complexity for governments and enterprises as they try to attribute these attacks, with more actors and more endpoints in play at larger scale.
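The WAV finding above is worth seeing mechanically, because it shows why a file can carry a payload and still be a perfectly valid, inaudibly changed audio file that a format check treats as benign. The following is an added example, not BlackBerry’s research code, and demonstrates only the general least-significant-bit technique: it builds a synthetic 16-bit PCM carrier, hides a payload one bit per sample, recovers it, and measures how little the samples moved. The STEG marker, the length header, the synthetic tone and the placeholder payload are assumptions of the example.

```python
"""Hide and recover a payload in the least-significant bits of 16-bit PCM
samples, then show the carrier is still a valid WAV that differs from the
original by at most one quantisation step per sample. Added example, not
BlackBerry's research code; the 4-byte marker, the length header and the
synthetic carrier are assumptions of this example."""
import io
import math
import random
import struct
import wave

MARKER = b"STEG"   # hypothetical marker so the extractor can tell a stego file apart


def make_carrier(n_samples=20000, rate=8000, seed=1) -> bytes:
    """Constructed carrier: a 440 Hz tone with slight noise, mono 16-bit PCM."""
    rng = random.Random(seed)
    frames = bytearray()
    for i in range(n_samples):
        value = int(12000 * math.sin(2 * math.pi * 440 * i / rate)) + rng.randint(-50, 50)
        frames += struct.pack("<h", value)
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(bytes(frames))
    return out.getvalue()


def read_samples(wav_bytes: bytes):
    """Parse a WAV file into (params, list of signed 16-bit samples)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        params = r.getparams()
        if params.sampwidth != 2:
            raise ValueError("example handles 16-bit PCM only")
        count = params.nframes * params.nchannels
        samples = list(struct.unpack(f"<{count}h", r.readframes(params.nframes)))
    return params, samples


def write_samples(params, samples) -> bytes:
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return out.getvalue()


def embed(wav_bytes: bytes, payload: bytes) -> bytes:
    """Write MARKER + 4-byte big-endian length + payload, one bit per sample LSB."""
    params, samples = read_samples(wav_bytes)
    data = MARKER + struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload too large for this carrier")
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit     # touch only the LSB
    return write_samples(params, samples)


def extract(wav_bytes: bytes):
    """Return the hidden payload, or None if the marker is absent."""
    _, samples = read_samples(wav_bytes)

    def read_bytes(first_bit: int, count: int) -> bytes:
        out = bytearray()
        for j in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (samples[first_bit + j * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    if len(samples) < 64 or read_bytes(0, 4) != MARKER:
        return None
    length = struct.unpack(">I", read_bytes(32, 4))[0]
    if 64 + length * 8 > len(samples):
        return None                              # header claims more than is there
    return read_bytes(64, length)


def max_sample_delta(wav_a: bytes, wav_b: bytes) -> int:
    """Largest per-sample difference; LSB embedding never exceeds 1."""
    _, a = read_samples(wav_a)
    _, b = read_samples(wav_b)
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    clean = make_carrier()
    stego = embed(clean, b"hidden stage-2 loader placeholder")  # constructed payload
    print(len(clean) == len(stego), max_sample_delta(clean, stego))  # True 1
    print(extract(stego))
```

The stego file has the same length, the same header and samples that differ by at most one step, which is why signature scanning of the container format alone does not find it; detection has to look at the LSB plane statistically or at what consumes the file, not at whether the WAV parses.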
Joseph Carson, Chief Security Scientist,  Thycotic
November 26, 2019
Cyber awareness is evolving to become more human friendly.
Identity theft will take a new direction with the increased use of deep fakes
What has been concerning in 2019 is the increase in identity and credential theft, and I see this becoming much more problematic in 2020. The rapid advancement of Deep Fake technology is taking identity fraud to a whole new level of online challenges and risks: not only are they stealing your digital online identity, but also your digital voice and digital face. This means that cybercriminals can take digital identity theft to a new level and could have the ability to create an entire digital clone of you. I see this becoming a major problem area in the cyber space and even more so in political campaigns, as the general public will not have the awareness to distinguish what is real from fake.
In today’s internet data without context is dangerous
Government use of machine intelligence (typically referred to as Artificial Intelligence) to be put to the TEST
In 2020 AI will become an important strategy, with many governments around the world using AI to improve and automate many citizen services; however, acceptable use and limitations of the scope will also be applied. This will help determine the full scope on how much data should be collected, for how long and for exactly what usage to limit abuse of such sensitive data. For government to be successful with AI they must be transparent with their citizens. We must embrace AI moving forward but with responsibility and caution.
IoT Security
This year, the use and abuse of IoT devices has risen and doesn’t look to be slowing down as we go into next year. IoT differs from computers as they have a specific purpose and cannot be re-programmed; therefore organisations need to view and assess the risks specific to the function or task of the device in order to increase the security. Organisations, in particular the manufacturers of IoT devices, will need to adapt their security approach to ensure that these fast-growing endpoints are secure. The new Californian and Oregon IoT legislation coming into effect in January is a step in the right direction, but more must be done. IoT security is about focusing on the risks not the device.
Human Factor
Cyber awareness is evolving to become more human friendly. We are now seeing a difference in approach to security evolving into company culture. Boards and top-level executives are now learning how to communicate accordingly on cyber security topics, meaning that security teams and their goals are becoming a lot more aligned with the business’ goals.
Grant McCracken, Director, Solutions Architecture,  Bugcrowd
November 25, 2019
The important caveat to all of this is that IoT in the future won’t resemble the IoT.
The “unknown” is the biggest cyber threat businesses will face in 2020
When protecting against elements such as WannaCry or other known threats, organizations have a clear picture of what the enemy looks like and can thereby adopt successful defensive techniques against such known threats. However, the biggest threats today are the ones we won’t know about until tomorrow, or even later. The next big breach is happening now, and we’ll only learn about it months down the road. Exposed but unknown attack surface is much more likely to sink an organization than an old (but known) flaw (such as Apache Struts) that’s been patched. And while you fundamentally can’t expect the unexpected, organizations can take steps to ensure there are fewer unknowns. In doing so, they reduce their available footprint for being surprised, as well as get ahead of potential back doors to the organization.
IoT device testing will get easier, but it may not feel any more secure
As with any technology, as it gains more growth in the market, it’s also simultaneously going to become easier to test through the proliferation and creation of tooling and other resources that will enable hackers to find issues more quickly. Over the next few years, I’d expect there to be an explosion in findings and news stories around IoT security and vulnerabilities as more and more whitehat hackers get involved. Through this same time period, organizations will have to take notice if they want to win the business of consumers, and will in turn start building more secure devices. The important caveat to all of this is that IoT in the future won’t resemble the IoT we know and are using right now: it’ll expand in ways we may not even imagine at present, and ultimately integrate even more tightly with our lives (think for example: VR, AR, wearables, clothing, or even implants). So, while individual segments of IoT may become more secure over time, there will always be another frontier where the speed to market takes precedence over security, which will inevitably result in vulnerabilities.
Casey Ellis, CTO and Founder,  Bugcrowd
November 25, 2019
Much of the voter narrative on election security focuses on the cybersecurity elements.
Elections: Cybersecurity is a Citizen Problem
New media and western democratic processes will collide on the cybersecurity battleground. The combination of a higher percentage of digitally-native, first-time voters; an increased reliance on connected systems for registration, tallying, and voting itself; and the wide knowledge and sharing of Russia’s disinformation playbook from 2016 indicates to me that we’re in for a wild ride through the 2020 elections: not just in the U.S., and not just with Russia as a potential aggressor. Much of the voter narrative on election security focuses on the cybersecurity elements. In 2020, this will drive a rapid increase in the consumer demand for vendors and governments of all types to demonstrate accountability for the measures they’re taking to keep the data and processes of their customers confidential, integrated, and available. The good news is, we’re already seeing a move in the right direction with the call for vulnerability disclosure programs across agencies, which would allow whitehat hackers to help surface flaws in election websites and applications in the lead-up to and through the elections.
Containers: Make Bad Security Decisions Faster, and with More Energy!
I started life in penetration testing (breaking into computers to help organizations understand how they could be made safer) around the year 2000. Back at that time, hacking the internet was a little bit like shooting fish in a barrel. After the Summer of Worms in 2003 and Microsoft’s legendary Trustworthy Computing Memo, a lot of things started to improve rapidly when it came to securing the perimeter: keeping the important stuff in, and the bad guys out. Then came the cloud and, more specifically, the ability and expectation for a new generation of developers to deploy infrastructure and data as code in a DevOps model, despite not having an understanding of how things like the OSI Model work. We’ve seen this risk manifest in the past couple of years with the rash of breaches tied to data storage misconfiguration and poorly stored secrets. In 2020, my prediction is that container misconfiguration, network hygiene, and breakouts on containers themselves will be heavily targeted. Know your entire attack surface, prioritize assets, and get ahead of potential back doors to your organization. Unknown assets have long been the cause of headline-drawing security incidents.
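Ellis’s point about container misconfiguration and poorly stored secrets is the kind of thing that can be checked before a manifest is ever deployed. The script below is an added example (not Bugcrowd’s code) that lints a Kubernetes Pod manifest for the common breakout and secret-handling mistakes and compares a risky manifest with a hardened one; the rule names, the two manifests and the decision to report any hostPath mount as a finding are assumptions of the example.

```python
"""Lint a Kubernetes Pod manifest for the container misconfigurations and
plaintext secrets that turn a compromised process into a host breakout.
Added example, not Bugcrowd's code; rule names and manifests are constructed."""
import re

# Env var names that should come from a Secret, never from a literal value.
SECRET_NAME = re.compile(r"(PASS|SECRET|TOKEN|KEY|CRED)", re.IGNORECASE)


def image_is_mutable(image: str) -> bool:
    """Digest-pinned images are immutable; ':latest' or no tag at all are not."""
    if "@sha256:" in image:
        return False
    name, _, tag = image.rpartition(":")
    return not name or "/" in tag or tag == "latest"


def check_pod(pod: dict):
    """Return a list of (rule, location) findings for one Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):                                  # shares a host namespace
            findings.append((f"host-{flag[4:].lower()}", f"spec.{flag}"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:                               # any host mount is a breakout path
            findings.append(("host-path", f"volume {vol.get('name')}: {vol['hostPath'].get('path')}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        where = f"container {c.get('name')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("privileged", where))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("priv-escalation", where))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("run-as-root", where))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("caps-not-dropped", where))
        if image_is_mutable(c.get("image", "")):
            findings.append(("mutable-image-tag", f"{where}: {c.get('image')}"))
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                findings.append(("secret-in-env", f"{where}: {env['name']}"))
    return findings


# Constructed manifests: the first is how a quick DevOps deploy often looks.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "api",
            "image": "registry.example/api:latest",
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "api",
            "image": "registry.example/api@sha256:" + "0" * 64,   # placeholder digest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


if __name__ == "__main__":
    for rule, where in check_pod(RISKY_POD):
        print(f"{rule:18} {where}")
    print("hardened findings:", check_pod(HARDENED_POD))    # []
```

Run against the risky manifest the checker reports eight findings (host PID namespace, the Docker socket mount, privileged mode, privilege escalation not disabled, root user, capabilities not dropped, a mutable image tag and a password in a literal env value); the hardened manifest produces none. The same rules fit naturally into an admission webhook or a CI step so that the manifest never reaches a cluster.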
Gerald Beuchelt, Chief Information Security Officer,  LogMeIn
November 24, 2019
People learn differently.
All companies face the challenge of security awareness among employees, contractors, and customers. Without support from all users, technological efforts will be hampered in their effectiveness. Security awareness isn’t just about teaching employees what to do with phishing emails – there’s so much more, including developing products with security in mind. Multi-directional communication is extremely important in a security program, meaning working from the top-down, bottom-up, and side-to-side to get your message across. And yes, it’s true. Security is everyone’s responsibility. People learn differently – some are more receptive to visual, listening, or the ‘hands-on’ approach and some people are attracted to different types of content – funny, serious, the historical background or whatever it may be. And at the same time, providing consistent communication is the key to a strong awareness program. A major challenge for larger companies is maintaining control over the employee/worker identity lifecycle. In terms of culture, it’s a journey to influence behavior change for thousands of employees. Organizations need support from everyone from interns to the C-suite and Board to drive adoption and create a culture of security. At the end of the day, employees want to do the right thing – it’s just a matter of constant education and communication. When it comes to high-tech industries like those in finance or healthcare, the key is to establish and maintain control over BYOD and Bring-Your-Own-App policies and mentality without impacting employee productivity.
Eyal Aharoni, VP Customer Success & Sales Operations,  Cymulate
November 22, 2019
Healthcare will also be an attractive sector for hackers due to its high potential gains.
More Cyber Damage for Local / State Government Entities, Schools; Less for Healthcare: 2019 was a great year for cyber crooks successfully targeting municipalities, schools and universities worldwide with ransomware and spear phishing attacks. As these organizations have proven easy targets, a rise in campaigns is expected in 2020. Healthcare will also be an attractive sector for hackers due to its high potential gains; however, many in this sector are now investing substantial work and resources to improve their security posture, so while attacks will occur, they won't be as successful.
Hagai Shapira, Research Team Lead,  SAM
November 22, 2019
A potential DDoS attack may be distributed via an innocent-looking app on the Play.
5G to drive Botnet DDoS attacks: 2020 will be the year of 5G, bringing with it not only faster speeds and bandwidth capabilities to our mobile devices, but also making them highly coveted targets for DDoS attackers. While mobile devices have always been targeted by financial or personal data thieves, 5G's increased bandwidth allows attackers to take control over a relatively small number of mobile handsets and unleash a tremendous amount of damage. A potential DDoS attack may be distributed via an innocent-looking app on the Play or App Store, and an attacker just needs a few hundred installs to create a massive outbreak.
    Raveed Laeb, Product Manager,  KELA
    November 22, 2019
    2019 saw a major increase in the trend of cybercrime “service-ization”.
    Scope of Threats Expands with the Rise of the Darknet “Service-ization” Trend: 2019 saw a major increase in the trend of cybercrime “service-ization” – i.e. cybercriminals buying and selling services rather than goods in the cybercrime financial ecosystem. This ongoing trend will continue to rise in 2020, as more cybercriminals are actively interested in accessing sensitive organizational networks by using commodity malware and services being offered in the Dark Net, as well as via inter-group relations (such as the Emotet-Trickbot-Ryuk ecosystem). While this service-ization trend is on the rise, the level of skills one needs to leverage is declining, thus expanding the scope of threats to enterprises.
    Rohit Ghai, President,  RSA
    November 20, 2019
    In 2020, expect mindful organizations to begin hiring Board members that bring experience in risk management.
    The emergence of the “cyber savvy” board: Accountability for cyber and risk incidents moves up the organizational hierarchy and becomes a central issue for the CISO, C-Suite and Board of Directors. In 2020, expect mindful organizations to begin hiring Board members that bring experience in risk management and information security as a way to prepare the business for a digital future. Gradually, this will become a “new normal” for the enterprise as investors pressure leadership for clear strategies on how they are managing digital risk.
    Aaron Zander, Head of IT,  HackerOne
    November 20, 2019
    Personally, I'm keeping my eye on DNA databases; we have no idea what the value of DNA data will be.
    Government, healthcare, and finance are still very attractive targets for cybercriminals. This isn't going to stop any time soon. 2019 felt like a good year to see more companies really start investing in security, but it still seems like a small inflection, and not the tipping point. Personally, I'm keeping my eye on DNA databases; we have no idea what the value of DNA data will be, but I know that in our lifetime it will probably become one of our most valuable identifiers, and right now we pay other people to tell us trivial things about our history and give it away for free with no real protections.
    Simon Jelley, VP of Product Management,  Veritas
    November 20, 2019
    Any gap in your defences is a weakness cybercriminals will exploit.
    Public sector, healthcare providers and manufacturers to be singled out by ransomware attackers: The public sector, healthcare and manufacturing industries are all emerging as some of the most likely targets. It’s not necessarily because these sectors have a traditionally soft security posture or are particularly cash-rich; it’s because they rely so heavily on mission-critical information for their day-to-day operations. Cybercriminals know that if their attacks halt essential services, organisations will have less time to make a decision and will be more willing to pay the ransom. The stakes of a successful attack are much higher, so the chances of a victim paying up are so much greater.
    Ransomware attackers to target intellectual property: In 2020, ransomware variants will emerge that combine the usual data lock-out with data exfiltration capabilities. What makes this type of attack so devastating is that it is aimed at the most lucrative data - intellectual property (IP).
    Social engineering attack methods will evolve to target the wider supply chain: Cybercriminals have long relied on social engineering as one of their most successful modes of attack. By fooling employees into sharing information or downloading their malware, ransomware attackers acquire the credentials they need to capture a company’s most important digital assets. However, in response to improved, more rigorous company policies, their techniques will evolve.
    Always have a backup plan: To defend your organization from ransomware in 2020, it’s crucial to take a proactive approach to prevention, supported by a system of layered data protection solutions and policies. This must include ransomware resiliency solutions that offer enhanced protection of business-critical data against ransomware attacks, coupled with a data protection education program for employees at all levels of the business. Any gap in your defences is a weakness cybercriminals will exploit, so comprehensive protection is a must.
    Ken Galvin, Senior Product Manager,  Quest KACE
    November 20, 2019
    Customers no longer tolerate downtime, let alone data breaches.
    A new role will emerge in the organisation - Ransomware Attack Specialist
    In 2020, I expect we’ll see the creation of a new role, the Ransomware Attack Specialist, and when something damaging happens, they will be the one in an organisation who is charged with leading teams to remediate the problem. Half the battle in solving a security problem is isolating it, but with overtaxed and stressed IT personnel and the back and forth required to make a plan, get it approved and determine the budget to resolve an issue, there’s always a lag. The C-level is beginning to understand now, more than ever, the importance of protecting against ransomware attacks -- especially with a 118 percent rise in ransomware attacks in the first quarter of 2019 alone. With the creation of this new role, there will now be someone specifically delegated to work with teams to identify security issues, determine how to solve them and ensure that appropriate measures are approved in order to protect against these increasingly sophisticated attacks.
    Organisations will focus on the fundamentals to help establish a strong security posture as threat vectors become more sophisticated
    Next year, we’ll continue to see more cyberattacks, with an increase in targeted approaches aimed at businesses, specifically across healthcare and government organisations, with phishing emails emerging as a key threat vector. Combined with the rise of IoT, this potentially exposes multiple entry points for hackers to infiltrate the organisation, making for an even more challenging job for IT teams to sustain a high level of security. To help maintain security, in 2020 we’ll see security teams take a more proactive approach to ensuring a strong security footprint and focus on the fundamentals such as regular patch management that ensures all endpoints support the latest OS and application version, and taking regular inventories of all hardware and software installed across the network.
    Better collaboration across functional areas will result in a strong security posture
    Ransomware attacks are becoming more sophisticated and frequent, yet there is still a lack of talent in the industry -- there will be 3.5 million unfilled security jobs globally by 2021 according to the Cybersecurity Jobs Report. Additionally, institutionalised controls and inflexible responsibilities isolate personnel and restrict resources. Add siloed security solutions on top of that and it’s a lot of running around to gather the information needed to remedy any threats. A lack of talent and a fractured infrastructure enables hackers to sneak in between the cracks, which is why we’ll see more teams coming together to collaborate on security in 2020. Collaboration across all areas within an organisation will be critical to ensuring a strong security footprint. Security teams will start to work across teams and within different departments, including IT and HR. This better collaboration will break down silos and better protect and secure data. There will be more communication, improving basic security hygiene and enabling better visibility, because you can’t protect or secure what you don’t know you have.
    Increased adoption of automation will make it easier to find and fix security issues
    To develop a proactive approach to security, there are many systems and devices that must work in tandem. Disciplined scanning, consistent patching, least privilege management enforcement, as well as the enforcement of disposable policies (including lifecycle asset management), are the responsibility of IT teams. It’s a tall order. We’ll see automation start to play a key role in managing all these elements. In 2020, we’ll see more IT and security teams invest in – and see the benefits of – automation tools to eliminate manual processes and identify and fix security issues faster. However, I’d caution IT teams to take a thoughtful approach to implementing automation and prioritize which processes will benefit the most through automation in the short term vs. long term, as it is a technical and cultural shift for any company.
    Increased use of AI and predictive analytics will improve the datacenter over the next few years
    One of the most significant challenges that IT professionals continue to face is maintaining the environments they are responsible for and ensuring that those environments consistently deliver the business-critical solutions that their organisation requires. Customers no longer tolerate downtime, let alone data breaches. In 2020, we’ll see more organisations using AI and predictive proactive management to better anticipate, safeguard and prevent potential threat vectors ahead of time.
    Chris DeRamus, CTO and co-founder,  DivvyCloud
    November 05, 2019
    Misconfigurations will continue to plague organizations in 2020
    Cloud misconfigurations will continue to cause massive data breaches. As enterprises continue to adopt cloud services across multiple cloud service providers in 2020, we will see a slew of data breaches caused by misconfigurations. Due to the pressure to go big and go fast, developers often bypass security in the name of innovation. All too often this leads to data exposure on a massive scale, such as the First American Financial Corporation’s breach of over 885 million mortgage records in May. Companies believe they are faced with a lose-lose choice: either innovate in the cloud and accept the risk of suffering a data breach, or play it safe with existing on-premise infrastructure and lose out to more agile and modern competitors. In reality, companies can accelerate innovation without loss of control in the cloud. They can do this by leveraging automated security tools that give organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real-time. Automation also grants enterprises the ability to enforce policy, provide governance, impose compliance, and provide a framework for the processes everyone in the organization should follow—all on a continuous, consistent basis. Companies can innovate while maintaining security; they simply must adopt the proper cloud strategies and solutions.
    Brian Vecci, Field CTO ,  Varonis
    November 01, 2019
    In 2020, one or both of our political parties will claim a hack influenced the elections to delegitimize the results.
    Ransomware Will Evolve from Smash & Grab to Sit & Wait: Ransomware isn’t the most pervasive or common threat, it’s simply the noisiest. In 2020 attacks will become more targeted and sophisticated. Hackers will pivot from spray-and-pray tactics. They will instead linger on networks and home in on the most valuable data to encrypt. Imagine an attacker that encrypts investor information before a publicly traded bank announces earnings. This is the type of ransomware attack I expect we’ll see more of in the coming year, and organizations that can’t keep up will continue to get hit.
    Fake News Will Become Fake Facetime: Forget fake news: 2020 will be the year of the deepfake and at least one major figure will pay the price. Thanks to leaky apps and loose data protection practices, our data and photos are everywhere. It will be game-on for anyone with a grudge or a sick sense of humour. It raises the ultimate question: What is real and what is fake?
    A Political Party Will Cry Wolf: In 2020, one or both of our political parties will claim a hack influenced the elections to delegitimize the results. Foreign influence has been an ongoing theme, and few prospects are more enticing than affecting the outcome of a U.S. presidential election. With so much at stake, a nation state attack is practically inevitable. The federal government has failed to pass meaningful election security reform. Even if an attack doesn’t influence the results, it’s likely that those who don’t like the outcome will claim interference, and this scenario will discredit our democracy and erode trust in the electoral process. If we want to maintain the integrity of our elections and avoid political upheaval, real change needs to happen in how we store and protect our data.
    CCPA...Cha-Ching!: Once January hits, the fines will roll in. A recent report released by California’s Department of Finance revealed that CCPA compliance could cost companies a total of $55 billion - and this isn’t even taking into consideration the firms that fail to comply. In 2019, we saw GDPR’s bite finally match its bark, with more than 25 fines issued to offenders, totalling more than $400M, and the same is likely to happen in the U.S. under CCPA. In 2020, at least 5 major fines will be issued under CCPA, racking up upwards of $200M in fines. While a federal regulation is still a ways off, at least 3 other states will begin to adopt legislation similar to California, though none will be as strict.