2019 was an eventful year for cyber security, with a steady stream of data breaches driving a growing awareness that security is essential, and perhaps some deserved respect for the people who work in it.
Can we expect more of the same in 2020, or will companies finally adopt the measures security professionals have been recommending for years? Only time will tell, but it is unlikely that attackers will change their tactics in 2020 (why change what works?). Their methods will become more sophisticated as technology evolves, and their targets will follow the data that can be monetized (for example, now that US ISPs can sell their customers' browsing data, breaches in that sector are to be expected). As if I had planned it, this brings us to the main concern for cyber security in the coming year.
Data breaches happen because the target companies hold valuable data, data worth selling or holding for ransom. Data repositories are attractive targets because attackers are quick to exploit human error and other weaknesses, such as delayed software patching, often using the same penetration testing tools as their ethical counterparts. This is unlikely to change in 2020.
However, regulations such as the EU's GDPR, fully applicable since May 2018, also bind companies outside the EU that process EU residents' data, with limited exceptions. The California Consumer Privacy Act (CCPA), often described as a US version of the GDPR, comes into effect in January 2020, and several other countries have introduced similar data protection laws. These may push companies to prioritize data privacy and the cyber security processes behind it, largely because of the reputational damage and financial penalties that follow a breach. Unfortunately, protection against data breaches is further complicated by a lack of security awareness.
The demand for cyber security skills exceeds the supply of candidates. A widely cited industry estimate puts the number of unfilled cyber security positions worldwide at 3.5 million by 2021. Perhaps 2020 is the year when employers invest in training their current security staff in additional skills? Perhaps they will relax entry requirements and allow people with general IT skills to retrain in the security areas they need?
On the other hand, companies may decide to outsource, paying others to improve their security posture remotely, or turn to software products that use Artificial Intelligence for vulnerability assessment.
Many companies will be too cheap (or simply lack the budget) to invest in their employees, perhaps fearing that training will make them more employable and therefore more likely to accept a better offer elsewhere.
Whatever happens, every company will need to improve cyber security by hiring additional staff, training existing staff, or outsourcing.
Although cyber security is a highly demanded skill with effectively zero unemployment, management positions are risky. If a data breach occurs, it is often the CEO or CSO who ends up «resigning» or being fired. As a mid-level security employee, where is the incentive to take a leadership role if your head ends up on the chopping block when an employee falls victim to a phishing or ransomware attack? Perhaps 2020 is the year when those directly responsible for a breach take their share of the blame, and senior staff are no longer sacrificed as a public relations exercise in damage control?
The more endpoints your company creates, the more attack vectors are available to attackers. It makes sense in a strange way, doesn't it?
If you use cloud services, you inherit cloud-specific attack surfaces (misconfigured storage and over-privileged accounts being the usual suspects), on top of the ones you already had.
If you try to make everything in your company 'smart' with Internet-enabled devices, i.e. connected to the IoT, you open up additional attack vectors. This is especially true if the device was not built with security in mind (default passwords or hard-coded PINs that cannot be changed, for example) or if it uses insecure connection protocols.
If you allow employee-owned mobile devices without mobile device management (MDM), you create gaps: the IT department cannot enforce policy on the device to protect the company's data, nor wipe it in the event of loss or theft.
Expect next-generation authentication technologies to become more prominent, given the inherent weaknesses of the traditional username/password method. Multifactor authentication and biometrics are just two of the options. Note that facial, voice and fingerprint recognition can be spoofed, and that a compromised biometric is far more problematic than a compromised password or token, because it cannot be changed. Security tokens and similar methods are also viable, BUT all of these are only an improvement if the data needed to verify them (stored templates, shared secrets, token seeds) is itself protected. An attacker who breaches the authentication store will use exactly that information to bypass authentication.
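To make the last point concrete, here is an added example (not code from the original article) contrasting two credential types as they sit in a server database. A password can be stored as a salted PBKDF2 hash, so a leaked record only gives an attacker something to guess against; a TOTP (RFC 6238) seed must be kept in usable form, so a leaked seed lets the attacker mint valid codes immediately. The password hashing parameters and the user record are assumptions made for this example; the TOTP seed is the test seed published in RFC 6238, not a real secret.

```python
import hashlib
import hmac
import os
import struct

# --- Passwords: the server keeps only a salted hash, never the secret itself ---

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_password_offline(salt: bytes, digest: bytes, wordlist):
    """What an attacker holding a leaked (salt, hash) pair has to do: guess,
    paying one PBKDF2 run per candidate. Returns the matching password or None."""
    for candidate in wordlist:
        if verify_password(candidate, salt, digest):
            return candidate
    return None


# --- TOTP (RFC 6238): the server must keep the shared seed in usable form ---

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb clock drift."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def forge_totp_from_leak(leaked_seed: bytes, unix_time: int) -> str:
    """What an attacker holding a leaked TOTP seed has to do: nothing but compute.
    There is no guessing step; the seed *is* the credential."""
    return totp(leaked_seed, unix_time)


if __name__ == "__main__":
    # Constructed user record, as it might sit in a breached database.
    salt, pw_hash = hash_password("correct horse battery staple")
    seed = b"12345678901234567890"  # RFC 6238 test seed, not a real secret
    now = 1234567890

    # Leaked hash: the attacker is reduced to offline guessing.
    print("offline guess:", crack_password_offline(salt, pw_hash, ["123456", "password"]))
    # Leaked seed: the attacker mints a code the server accepts right away.
    forged = forge_totp_from_leak(seed, now)
    print("forged code accepted:", verify_totp(seed, forged, now))
```

The practical consequence is that the TOTP seed table (or a biometric template store) deserves stronger protection than the password table: encrypt seeds at rest with a key the database server does not hold, or keep them in an HSM, because hashing is not an option for data the server must reproduce on every login.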
Data breaches are becoming more frequent, and companies in targeted sectors are hit by attacks concentrated on their networks despite following best security practices. Cyber insurance is one way to reduce the financial risk of a breach, and it matters even more now that regulators inside and outside a company's own jurisdiction impose financial penalties for non-compliance.
This should drive the adoption of cyber insurance in 2020, especially if insurers offer policies that show a real understanding of the cyber security landscape and of business-specific threats; such policies must cover more than compensation for service interruption or equipment failure. With wider adoption, the cost of cyber insurance should come down for everyone. Of course, the premium will still depend on the company's existing security posture, and cyber-risk underwriting has its own challenges given the number of variables involved.