As digital transformation continues to change the face of business, enterprises globally are under mainstream pressure to tighten their cyber-defences as they migrate business-critical applications to the cloud and become more application-centric. We are finally seeing an increase in resources for underappreciated security teams as they struggle to address the rising frequency of data breaches and the seemingly constant barrage of new data regulation.
This article will outline some key trends and threats that should be high on any CISO’s agenda for 2020. By predicting future trends, security teams will be able to deliver better cyber-hygiene through a proactive multi-layered defence.
Regulation sets the bar:
The California Consumer Privacy Act (CCPA) went live on January 1st, setting the tone of regulatory compliance for the coming decade. This act has been dubbed the American counterpart to GDPR, applying to practically any enterprise conducting business in California. Failing to comply with regulation doesn’t just put your customers’ data at risk; it will also result in hefty fines. The introduction of CCPA will no doubt catch enterprises of all sizes off guard, and 2020 will most likely see many cases of regulatory non-compliance, confirming that you shouldn’t wait until regulation is set in stone before securing critical data. Indeed, this decade will most likely see many other states follow California’s example as data and privacy rise to the forefront of policy discussions.
Developer education and DevOps automation:
Business-critical applications will continue to be a target for cybercriminals. One can only hope that this is the year that security education is taken seriously. The last thing we need is more needless data breaches. Perhaps education will increase as developers begin to code with security in mind. Indeed, the need for organisations to have a well-developed and embedded education programme covering the key aspects of secure coding practices and a layered defence will become more apparent with the increased adoption of DevSecOps. In 2020, automated testing tools for application security will be key to supporting a DevSecOps approach that allows internal teams to collaborate and work more efficiently while updates are continuously tested against security guidelines.
Phishing – we’re not off the hook yet:
Ideally, we would have left phishing in 2019, but unfortunately it’s a threat that keeps on biting. In fact, phishing attempts accounted for 90 per cent of data breaches in 2019, and this trend will most likely continue and grow in both volume and sophistication throughout and beyond 2020. Over the past year we have seen an increase in advanced phishing methods targeting applications secured with two-factor authentication (2FA), and almost all reported phishing websites appear to use a secure HTTPS connection. Likewise, would-be criminals are targeting increasing Internet connectivity by deploying ‘smishing’ (SMS phishing) on smartphones. Hopefully 2020 will also be the year of increased support and adoption for hardware authentication devices. This will hopefully combat smishing schemes that don’t seem to focus on the content of the text message, so long as it puts pressure on the victim and the company name used as the sender matches the victim’s profile. The included hyperlinks often do not even mask the fact that they lead to an illicit webpage. Perhaps 2020 will be the year that we finally nip phishing in the bud, or maybe that’s just wishful thinking.
High hopes for hybrid-cloud:
In 2019 we saw strong growth in multi-cloud adoption, with more than 73 per cent of organisations using 2 or more cloud providers. A saturated market means that organisations can pick the provider that best suits their needs. Cloud provider competition has given rise to application developments, as companies are migrating more critical processes to the cloud in an effort to lower computing costs and increase flexibility. The rise in cloud reliance will see it become a target for threat actors in 2020, as hackers begin to exploit gaps left by multi-cloud misconfiguration. This means that cloud providers will continue to push into security by offering integrated solutions. These solutions will most likely increase market share among customers with little legacy architecture, but will not support multi-cloud scenarios and complex hybrid architectures. In order to protect their cloud infrastructure and provide security assurance, organisations need the tools to automate discovery of cloud assets and homogenise security controls across providers to achieve a single view of the risk profile.
Back to basics and live above the hype
It is most likely that most breaches this year will be down to old forgotten systems, outdated software and poor access management, resulting in individual users with privileged access being targeted. As with phishing, we are going back to the basics of cybersecurity, and based on past trends, the next ten years do not promise to be the decade in which we eliminate the root cause of breaches. Instead, what we have seen, and unfortunately will continue to see, is a misguided focus on what’s new and cool (the hype) rather than what is safe. With 60 per cent of breaches in 2019 involving unpatched vulnerabilities, this is particularly frustrating because major risks can often be resolved with proper security hygiene, regular risk reviews and security assessments. As Windows 7 nears end of life on 14 January 2020, organisations that stick with the soon-to-be-obsolete operating system will be at increased risk of being targeted by hackers.
No escape from a widening threatscape
The next decade will complicate the security landscape as IoT devices become cheaper and more ubiquitous. This will certainly pose a problem for security teams looking to secure corporate networks from external threats. We will most likely begin to see new risks being uncovered in the next year as consumers and businesses increase their reliance on wireless and smart technologies, such as Bluetooth and IoT. Each innovation brings new threats. Indeed, one need look no further than smart supply chains. Just-in-time delivery and an increasing array of technological solutions mean that the slightest interference in procedures can result in catastrophic delays. This is even more worrisome when considering global third parties that aren’t subject to the same data regulations and fail to offer the same levels of visibility. 2020 might just be the year that gives us more large-scale exploitations of smart technologies and processes, particularly as corporations are so frequently overlooking basic security protocols such as network security.
2020 will surely bring a multitude of new challenges for security professionals. However, it’s better to be prepared, take a proactive approach and regain control of your attack surface before it becomes a real problem, or a regulatory fine. With increasing compliance regulations coming into force, it is essential to eliminate security blind spots by providing continuous full stack assessment across network, device, application and cloud. Doing so gives you time to focus on strategy, delivering ROI and helping to implement a security-led culture in which all employees are accountable for delivering a secure future into the next decade.
Bob Egner, vice-president, Outpost24