6 Cyber Security Predictions for 2020 from SecurityScorecard’s chief research officer, Alex Heid
December 2019 by SecurityScorecard’s chief research officer, Alex Heid
With Thanksgiving in the rear-view mirror, we find ourselves rapidly hurtling towards that annual unknown: the new year. 2019, much like 2018 before it, left businesses and customers awash in a tidal wave of data breaches. Just as prior years’ data breaches led to 2018’s General Data Protection Regulation (GDPR) furore, so the increased number and sophistication of data breaches led to 2019’s increase in regulatory oversight initiatives such as the California Consumer Protection Act (CCPA), New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act. As companies begin thinking about their primary 2020 cybersecurity activities, they need to proactively strategize.
With that in mind, here are SecurityScorecard’s top 6 cybersecurity predictions for 2020.
1. Forecasting cloudy days
Organisations seeking to retain their competitive edge will be accelerating their digital transformation strategies from “cloud first” to “cloud only” over the next few years. According to Gartner, the worldwide Infrastructure-as-a-Service (IaaS) public cloud market grew 31.3% in 2018 while the overarching cloud services industry grew 17.5%. More than a third of polled organisations listed cloud services as one of their top three technology investment priorities for 2019. Based on the data, Gartner estimates that the cloud services industry will nearly triple its size by 2022.
As companies migrate their mission critical data and applications to the cloud, we predict that malicious actors will focus more on open ports, Distributed-Denial-of-Service (DDoS), and web application attack methodologies. Securing the cloud will need to be a primary initiative for organisations throughout 2020 unless they want to be another news headline.
2. Bringing in The Terminator
As more organisations look to mitigate data breach risks and costs, artificial intelligence and machine learning might be one answer to the problem. According to IBM’s “2019 Cost of a Data Breach” report, organisations using fully deployed AI/ML security solutions spent on average $2.65 million compared to the $5.16 million organisations without automation spent.
As organisations face the stark reality that data breaches are now a “when” rather than an “if,” more will incorporate new, Big Data, analytic technologies to mature their cybersecurity programs. In combination with increased cloud migration, more companies will mature their cybersecurity programs using AI/ML for greater visibility and control over digital assets.
3. Malicious software phishing for critical infrastructure
Malicious nation-state actors will continue to focus on malware and ransomware attacks. Nation-state actors don’t just want to sell cardholder data on the Dark Web, they’re targeting critical infrastructure such as electricity and water companies.
In August of 2019, emails sent to U.S. utilities companies contained a remote access trojan as part of a spear phishing campaign. The advanced persistent threat is another in a long line of attacks targeting critical infrastructure.
With at least thirteen global presidential elections scheduled for 2020, we can expect to see more malware and ransomware attacks attempting to undermine voters’ confidence.
4. A flood of data privacy regulations
The cybersecurity Magic 8 Ball indicates that “all signs point to yes” when asking whether more regulations would come in 2020.
CCPA and NY SHIELD foreshadow 2020’s privacy and security trends. The United States Congress debated a federal privacy regulation in June 2019. Despite being derailed at the end of the year, businesses and congresspeople alike are pushing to create a single, cohesive federal law governing privacy and security.
The United States isn’t the only country looking to formalise and consolidate its privacy laws. The Saudi Arabian Monetary Authority (SAMA) cybersecurity framework in conjunction with the GDPR’s extraterritorial impact pressures other Middle Eastern countries to update their privacy regulations. For example, the Dubai International Financial Centre Authority (DIFCA) sent out a call for public commentary in June 2019.
5. More than quantity – also quality
If the GDPR and CCPA taught the cyber community one lesson in 2019, it would be that not all laws are created equally. While the GDPR and CCPA are testing just how far a “local” law can reach, India’s Personal Data Protection Bill and the failed New York Privacy Act test the standard of care companies need to provide.
Both of these regulations use the term “data fiduciary.” Traditionally used in terms of money, a fiduciary duty requires a company to act in someone else’s (often shareholders’) best interests. If regulations continue to use the term “data fiduciary,” organisations may be held to a higher standard of care than “negligence.” If regulations begin to adopt the term “data fiduciary” in 2020, we predict a cultural shift recognising information as a financially valuable asset.
6. Building a security dam for your supply stream
Judging by the increased regulatory and industry standard focus on governance, compliance requirements will continue to focus on protecting your organisation from third-party risks. As more organisations add Software-as-a-Service (SaaS) applications to their IT catalogue, they also share more data with third parties.
As new laws are enacted and enforced, companies will see more stringent vendor risk monitoring requirements and increasingly be held liable for losses caused by breaches arising from their supply stream. Continuously monitoring of your third-party risk may be one of the few ways to mitigate the financial impact of those breaches.