Nick Lantuh, CEO of Fidelis Cybersecurity
CISOs will continue to deepen relationships with boards. In recent years, business leaders have woken up to the financial and reputational importance of having a strong cybersecurity posture. While breaches are becoming increasingly ubiquitous, poor management of them now poses a threat to the CEO’s job, putting board seats at risk too.
As a result, the position of the CISO will continue to be strengthened throughout 2020. As they continue to rapidly adapt their approach to be more closely aligned with overall business goals, boards will react by appointing them to key decision-making positions.
Patrick McFadin, VP of Developer Relations, DataStax
Database security and operations issues will continue to cause problems. 2019 has seen more breaches and issues due to misconfigurations of database instances. This won’t go away in 2020. Unless the industry makes it easier to adopt solutions that are hardened from the start – and unless default insecure deployments are stopped – the problems will persist.
To solve this, getting best practices for security in place and making it easier to follow these will be needed. This will be down to the companies that support database technologies themselves and the cloud providers that offer these as managed services. Building on the expertise that surrounds databases and using this insight to create better services – either through the products themselves or available as a service – will go a long way to solving the problem.
George Gerchow, CSO, Sumo Logic
We will see a movement emerge in the tech industry to streamline privacy. This year we reached the one-year anniversary of GDPR and have continued to see data privacy regulations come to the forefront of business conversations around the globe, both at the national and local levels.
In January 2020, the California Consumer Privacy Act (CCPA) will go into effect within the United States – a bill similar to that of GDPR that will impact not only the local region but also all U.S. and foreign entities that conduct business with the state of California. Many of these regulatory acts outline robust data protections, but they lack a clear path to implementation.
To avoid disruption to business and day-to-day operations, we’ll see increasing demand for the tech industry to come together to streamline privacy and adopt a consumer privacy-by-design mindset. In addition, organisations will continue to be challenged to remain agile and continue to scale their business while adhering to these privacy regulations.
Nikolaos Chrysaidos, head of Mobile Threat Intelligence and Security, Avast
Getting malicious apps onto the Google Play Store and the Apple App Store is not an easy task, which is why cybercriminals are shifting towards subscription scams, and fake apps integrated with aggressive adware to make money. We are already seeing community projects, like checkra1n, providing high-quality semi-tethered iOS jailbreaks based on the checkm8 bootrom exploit. While this could enable researchers to discover more vulnerabilities, we hope they will be reported to Apple and not abused by the bad guys.
Mark Lomas, technical architect at technology services company, Probrand
We will see the emergence of ‘zero trust’ as the new cybersecurity model. The cybersecurity landscape is constantly changing. In the past, businesses believed that, by securing their network’s perimeter, all risk would be eliminated. However, in recent years, this perimeter has expanded, therefore increasing the risk of a cyberattack. When employees take their work devices home or to a local coffee shop, there is a much higher chance of a security breach occurring.
The best way to maximise the level of cybersecurity in your organisation is to operate a “zero trust” security model. Exactly as it says, do not trust anything or anyone. By assuming that a security breach is possible at any given moment, businesses will be prepared for an attack and limit how much damage could occur. This can be achieved by running internal security checks on a regular basis and improving already implemented compliancy tests.
Preparing for emergency scenarios is part and parcel for any business. In the same way you would test response times with a fire drill, business leaders should be following the same procedure to test capabilities in the event of a security breach. Whichever techniques your organisation chooses to apply, they must fit the ‘zero trust’ concept so that you can respond to a breach quickly and effectively.
Darren Anstee, CTO, SBO International, NETSCOUT
The risk posed by the weaponisation of Internet infrastructure for DDoS attack generation will be a hot topic for ISPs once again in 2020.
As in previous years, we will most likely continue to see attackers identifying and then weaponising new protocols in order to launch large volumetric reflection/amplification DDoS attacks. Our own research shows that attackers have doubled the rate at which they are doing this in the last couple of years. The explosion in the number of connected devices and the continued deployment of poorly secured applications will be the main contributing factor in this dynamic.
It is paramount that all the stakeholders in the internet community (ISPs, manufacturers of connected devices, integrators, cloud providers, government entities, enterprises and others) take ownership in a collaborative effort to confront the reality of a ‘weaponised’ internet, working together to manage this problem.
Steve Nice, chief technologist at Node4
In 2020, there’s no doubt that phishing and ransomware will continue to evolve and be the number one threat to businesses, as attackers are always looking for – and exploiting – new attack vectors. Whilst there may be headline-grabbing attacks on connected vehicles, TVs etc, phishing and ransomware are still the primary revenues for cyber-criminal gangs, and users will still be blasé about security.
Because of the number of major credential breaches being reported on in the mainstream press, and the ICO’s greater powers when it comes to fining companies, I think we’ll actually begin to see a decrease in these breaches, as companies become more diligent about security. However, there will be new vulnerabilities in 2020, and while older technologies (technical debt) will continue to be exploited, mobile phones will evolve to become a prime attack vector. For example, there could be a ransomware attack on Android phones, where the whole phone becomes completely inoperable unless you pay for a decryption key.
Tim Bandos, VP of cybersecurity at Digital Guardian
I think geopolitical relationships around the world have become increasingly strained and uncertain. As a result, I believe we’ll see the frequency of state-sponsored attacks increase, possibly even against critical infrastructure. There have been a number of attempts and even successful attacks against these types of systems but for the most part they’ve all been isolated incidents.
One can only wonder though if these attacks were merely conducted to set up backdoor functionality for a future panic button push to cripple the target’s systems. Not to mention the considerable adoption of IoT devices connecting once-segregated Operations Technology (OT) environments, which only further widens the attack landscape. The security in these environments needs to be fully assessed and controls need to be put in place as soon as possible in order to mitigate against future attacks. It’s only a matter of time.
Anurag Kahol, CTO at Bitglass
Threat actors are always enhancing their current tactics, techniques, and procedures (TTPs) as well as creating new ones in order to infiltrate businesses and steal data, implant ransomware, and more. One technique that will continue to gain traction in 2020 is lateral phishing. This scheme involves a threat actor launching a phishing attack from a previously compromised corporate email address. Even the savviest security-minded folks can be lulled into a false sense of security when they receive an email asking for sensitive information from an internal source – particularly from a C-level executive. As we will continue to see cybercriminals refining their attack methods in 2020, companies must be prepared.
Alex Heid, chief research officer at SecurityScorecard
Malicious nation-state actors will continue to focus on malware and ransomware attacks. Nation-state actors don’t just want to sell cardholder data on the Dark Web, they’re targeting critical infrastructure such as electricity and water companies.
In August of 2019, emails sent to US utilities companies contained a remote access trojan as part of a spear phishing campaign. The advanced persistent threat is another in a long line of attacks targeting critical infrastructure.
With at least thirteen global presidential elections scheduled for 2020, we can expect to see more malware and ransomware attacks attempting to undermine voters’ confidence.
Charlene Marini, VP of Strategy, IoT Services Group, Arm
IoT device makers and deployers of connected devices will put plans in place to upgrade the capabilities they offer to ensure secure IoT systems. For device makers, this means a transition from designing and manufacturing a device to creating a trusted, connectable and manageable device: embedding lifecycle management capabilities at design time, writing software with security and privacy principles at the forefront and providing accessible updates to deployers of their devices. For deployers, this means bringing IoT devices into the security realm, working with IoT specialists to have visibility and manageability of devices and networks at scale.
Renaud Deraison, co-founder and CTO, Tenable
Lateral attacks that gain a foothold in IT and spread to operational technology (OT) networks have been a well-documented concern over the past 24 months. However, heading into 2020, we will see the emergence of OT to IT attacks. These attacks will capitalise on the rapid convergence of IT and OT by targeting vulnerable OT environments as a path of least resistance to IT data repositories. For example, we can expect attacks that intentionally compromise industrial control systems (ICS) in order to gain access to IT networks and assets, like customer databases.
We should also expect to see attackers targeting OT infrastructures such as branch or remote locations at large organisations. Typically, smaller sites are connected to the larger OT network and, in the case of energy providers, to regional grids. As a result, a compromise at a remote site or even a small energy provider could have cascading impacts if an attack is able to spread.