18 December 2019

The Top 20 Security Predictions for 2020

BY DAN LOHRMANN 
Source Link

“The main thing is to keep the main thing the main thing.” These wise words of world-renowned business author Stephen Covey challenge each of us as we stand on the precipice of a new decade. 

But what’s the ‘main thing’ when navigating technology as we enter 2020?

The simple answer is… Cybersecurity.

As innovation explodes into every area of our lives, cybersecurity is providing the glue that can enable the good and disable the bad for implementing cutting-edge innovation as well as reducing risk from older vulnerabilities. We also see cybersecurity continue as the top priority for chief information officers (CIOs) in 2020, just as it has been for most of the past decade, with groups like the National Association of State CIOs (NASCIO).

But even as cybersecurity solutions offer a way forward to ensure privacy protections are workable and effective, most people see the data breaches, ransomware, identity theft, denial-of-service attacks and other cyberattacks as proof that cybersecurity has become the Achilles Heel, not the savior, for new innovation. Even as exciting advances occur in artificial intelligence (AI), autonomous vehicles, 5G networks cloud computing, mobile devices and the Internet of Things (IoT), these same developments seem to cause negative societal disruptions that make daily news headlines. 


So what will happen next with cybersecurity? That’s what this annual security prediction roundup will cover, from the perspective of the top cybersecurity industry companies, thought leaders, executives and journalists. Every year we catalogue the evaluators to see who has made a New Year’s security prediction list and checked it twice.

And the best security industry prediction reports do much more than just make educated guesses at what might happen in the future. The top 20 security predictions for 2020 dig deep into global security incident databases, analyze what’s working and what’s not, examine new cybersolutions and use science and data to gaze into the future.

The best prediction research shows us the “who, what, when, where and how” about the cybersecurity statements made. Some forecasts even include the why — with the best offering detailed context and a wider story that crosses years and sometimes even decades and learning from history. These presentations offer their materials in professional ways to maximize end-user usefulness regarding potential answers and recommended actions for enterprises and individuals to take.

Some call them security predictions, while others refer to them as cybersecurity trends. Several researchers prefer to offer “cybersecurity forecasts,” while others refer to “growing trends” or “situational outcomes” — based upon connecting the incident dots or running various data breach scenarios. Regardless, the central questions are very similar and methodologies used are (generally) repeatable. 

2020 — and the New Decade

What are the greatest threats for the coming year? What solutions will be most important? What data breaches or ransomware attacks or other threats will cause the most harm? And readers say: "The more detail the better — please."

Common prediction themes across vendors include the 2020 elections in the U.S., more targeted ransomware, more ways to attack the cloud, and an explosion of problems with deepfake technology.

There’s disagreement on the most important cyberthreats to focus on as we head into 2020, even though everyone agrees that cybersecurity is more important than ever before. Just as in 2019, we have the continuation of arguments for and against AI (i.e., how helpful is AI really and will our enemies use it or not?). Also, the continued disagreement on whether cloud versus mobile threats are more of a challenge.

For 2020, AI does show up again in a number of new ways — with several specific warnings for those who fail to use AI to counter bad actors who will be using it. 

There are also many ways that you and your organization can benefit by studying these predictions and implementing recommendations, and we outline several of those career benefits here. As always, I encourage you to visit the full reports, blogs, articles, PDFs, videos, and other materials referenced (hyperlinked) to dig deeper into the details on each company prediction list. 

Please note that the embedded videos are only a small part of the marketing of these wider prediction reports. I also encourage readers to review the award winners for 2020 predictions at the end of this post.

Quick Security Prediction Recap on the Teen Years within the 21st Century

I’ve been writing about security predictions for more than a decade, and this annual holiday season tradition is now exploding even faster than the overall cybersecurity industry — mainly because cyberprotections are showing up as a top priority in every other industry from finance to defense and from government elections to toys. And make no mistake, this topic carries much more weight now than in December 2009, when we were heading into the second decade of the 21st century.

As I wrote back in 2016, while some were predicting that the cybersecurity industry would diminish in importance and be automatically built into every technology product (and quietly protect us from behind the scenes), the opposite has happened. Cybersecurity predictions, and the information security market overall, continue to surge as we head into 2020. Here’s what I wrote four years ago:

“The more the security and technology industries grow, the more predictions we will have. From the Internet of Things, to new technologies to robots to self-driving cars, do you really think we will be talking about security and privacy less in 2020? I don’t. 

Predictions are not new, and they are not going away. In fact, they are just getting started. Congratulations security industry, and welcome to center ring in this three-ring circus. Yes, it is a very big circus, but that’s where all the action is.” 

This year has brought (by almost double) the largest and most diverse number of security predictions ever online — when measured by several metrics. I received literally hundreds of emails and thousands of individual predictions — and also went out to explore as much of “the rest” online as of mid-December 2019. If we missed you or you want to add a prediction, email me at the https://www.govtech.com/blogs/lohrmann-on-cybersecurity/ contact address listed, and you may get a mention near the end — with a link to your list of your 2020 cyber insights. Our goal is to be as comprehensive as possible with this forecast summary and be a one-stop shop for security prediction lists for 2020.

As a reminder, here are the prediction reports from the past three years for your review and to help keep score:

The Top 20 Security Prediction Reports by Security Industry Companies 

1) Trend Micro – We lead off with another WOW prediction-report from Trend Micro – which takes the top vendor prize for best prediction report for the third year in a row. (And it wasn’t a close call.)

Here’s the Trend Micro intro: “The year 2020 marks the transition to a new decade, and recent notable events and trends signify a similar changeover in the threat landscape. Cybersecurity in 2020 and beyond will have to be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to advancing technological developments and global threat intelligence — only so defenders can keep up with and anticipate cybercrime mainstays, game changers, and new players. …”

A visit to: The New Norm: Trend Micro Security Predictions for 2020 will quickly show you the thought-provoking, creative, expert research and packaging that sets this report apart. Trend Micro groups their detailed predictions into four sub-headings (with explanations under each prediction) about our cybersecurity future, including: 

Complex (these are only small excerpts):
Attackers will outpace incomplete and hurried patches.
Cybercriminals will turn to blockchain platforms for their transactions in the underground.
Banking systems will be in the crosshairs with open banking and ATM malware.
Deepfakes will be the next frontier for enterprise fraud.

Exposed:
Cybercriminals will home in on IoT devices for espionage and extortion.
Critical infrastructures will be plagued by more attacks and production downtimes.

Misconfigured:
Vulnerabilities in container components will be top security concerns for DevOps teams.
Serverless platforms will introduce an attack surface for misconfiguration and vulnerable codes.
User misconfigurations and unsecure third-party involvement will compound risks in cloud platforms.

Defensible:
Predictive and behavioral detection will be crucial against persistent and fileless threats.
Threat intelligence will need to be augmented with security analytics expertise for protection across security layers.

One great Trend Micro example on deepfakes: News of cybercriminals using an AI-generated voice in social engineering surfaced in 2019. An energy company was reportedly defrauded of US$243,000 by scammers who used AI to mimic the voice of the firm’s CEO. More attempts will exploit the technology, using deepfakes of decision-makers to deceive an employee into transferring funds or making critical decisions.


2) FireEye - FireEye once again provides an excellent special report (20 pages) with predictions and guidance from four of their top leaders.

For 2020, the FireEye Report is entitled, The Road Ahead: Cyber Security in 2020 and Beyond. They include some insightful video from their top leaders and offer interesting perspectives from different vantage points in their organization. (However, I missed the opening letter from CEO Kevin Mandia that we saw last year, along with solid overall company predictions. See Kevin's video interview below.) For example, here are insights from Sandra Joyce, senior vice president of Global Intelligence:
Big Picture – We are all targets. (If you work with a high-value target, you are also a high-value target.)
Ransomware Tactics Evolving – In 2020, defenders need to be looking out for new techniques involving ransomware. What we’ve been seeing in the underground is threat actors advertising their access to organizations, no matter what industry, and trying to find partners who have ransomware that they can deploy deep in those networks in a very customized fashion. We’ve also seen some of the most sophisticated criminal intrusion operations shift to this type of ransomware deployment, away from other tactics.

Steven Booth, the FireEye CSO, leads with: “Proof of Compliance” 

In 2020 there will be a broadening push on providers to offer more proof of compliance to industry regulations and customer requirements, with clear ways for their customers to validate that vendors are doing what they say they are doing.

Overall, FireEye's prediction report addresses these topics:
How increasing use of the cloud continues to change security
The skills gap and thinking outside the box when it comes to staffing
Threats such as ransomware and weak spots such as supply chain
Cyberactivity during the upcoming U.S. elections
How organizations and vendors need to start thinking about security
The emerging role of the general counsel
The continued evolution of information operations
Geopolitics as a driver of cyberactivity
Increasingly sophisticated cybercriminal operations

This interview with Jim Cramer and FireEye CEO Kevin Mandia on CNBC discusses 2020 election threats. 

3) WatchGuard Technologies again released a top-notch set of new year predictions. These cover the most prominent attacks and infosec trends that the WatchGuard’s Threat Lab research team believes will emerge in 2020, including voter registration database attacks, state-level GDPR legislation, cloud-focused ransomware, and more.

WatchGuard’s named their report: “A Simplified Approach to staying secure in 2020,” which is in contrast to the Trend Micro approach regarding complexity. What sets them apart (again) is the helpful video content to support each prediction, which is very professionally delivered.

Here are WatchGuard’s main predictions:
Ransomware Targets the Cloud
GDPR Comes to the USA
Voter Registration Systems Targeted During 2020 Elections
The CyberSecurity Skills Gap Widens
During 2020, 25% of All Breaches Will Happen Outside the Perimeter
Attackers Will Find New Vulnerabilities in 5G / WiFi Handover
Multi-Factor Authentication (MFA) Will Become Standard For Midsized Companies


4) Forcepoint offers this excellent report: 2020 Forcepoint Cybersecurity Predictions and Trends, which includes video commentary on each prediction. They cover similar election and ransomware issues as others, but I especially like their unique prediction for “Deepfakes-as-a-Service.”

"Deepfakes" is a term that was coined in 2017 and relates to fake videos being created by deep learning techniques. We expect deepfakes to make a notable impact across all aspects of our lives in 2020 as their realism and potential increases. Our prediction is fourfold:
Ransomware authors will send targeted deepfakes to ransomware targets. Recipients will see realistic videos of themselves in compromising situations and will likely pay the ransom demand in order to avoid the threat of the video being released into the public domain.
It is well known that Business Email Compromise/Business Email Spoofing has cost businesses billions of dollars as employees fall for the scams and send funds to accounts in control of cybercriminals. In 2020 deepfakes will be used to add a further degree of realism to the request to transfer money.
We have already seen deepfakes in the political arena in 2019. With the 2020 United States presidential elections due in November 2020 we expect deepfakes to be leveraged as a tool to attempt to discredit candidates and push inaccurate political messages to voters via social media.
We will see Deepfakes as a Service move to the fore in 2020 as deepfakes become widely adopted for both fun and malicious reasons.

Some other predictions from Forcepoint include (see the full report for the details):
5G offers unprecedented data theft speeds
Organizations will become “Cloud Smart” but remain “Cloud Dumb”
Organizations will mature in their approach to data/privacy protection legislation
Cybersecurity strategies will incorporate a move from Indicators of Compromise to Indicators of Behavior

5) McAfee - McAfee Labs 2020 Threats Predictions Report was once again a top-notch forecast report which shows their quality research and insightful approach offered. This report is a glorified blog post, but with helpful links to their tops predictions, including:

McAfee also offers these separate privacy predictions for the coming year:
More Awareness, More Regulations
New Tricks for the New Year
Dark Web Draws in More Data

6) Splunk – Splunk again offers another very good prediction report, with similar predictions to others, although it can be a bit challenging to get the download. (The website kept telling me my business email was invalid – not true.)

I did like the thoughtful quote at the start of their report: “It does not do to leave a live dragon out of your calculations, if you live near him.” — J. R. R. Tolkien

Splunk broke their predictions down into categories like:

Social Engineering
Deepfakes will uplevel the danger of social engineering. New ways to lie make it more imperative to instill a strong security culture.

Critical Infrastructure
Cyberattacks will hit home (literally). Hackers and nation-state attackers are targeting systems that run our day-to-day lives, and they’re already succeeding. It’ll only get worse in an election year.

Cloud Security
Hackers will find new low-hanging fruit in the cloud. The most advanced (and potentially devastating) cloud attacks will occur at machine speed in 2020.

Threat Intelligence
MITRE ATT&CK will become the go-to framework and common vocabulary for every SOC. The real-world knowledge base has made tremendous gains in security circles, and deservedly so.

7) Kaspersky Labs – Kaspersky always produces a ton of great material regarding threats for the coming year, threat reports, detailed analysis of risks, and so much more from all over the world. The problem (and reason they are not higher on this list) is that it is hard to find and very segmented and targeted towards many different audiences. While this may be a deliberate marketing tool that works for them around the world (and they are much bigger outside the U.S.), it is tough to find one solid list of all their predictions.

The good news is that I have pulled from several lists and provide links here. 

To begin, visit Kaspersky’s report: “Advanced Persistent Threats in 2020: abuse of personal information and more sophisticated attacks are coming.” Here are their headline items (with details in the links, as always):
The abuse of personal information: from deepfakes to DNA leaks
False flag attacks reach a whole new level. Explanation: This will develop further, with threat actors seeking not only to avoid attribution but also to actively lay the blame on someone else. Commodity malware, scripts, publicly available security tools or administrator software, mixed with a couple of false flags, where security researchers are hungry for any small clue, might be enough to divert authorship to someone else.
Ransomware shifts toward targeted threats.
New banking regulations in EU open new attack vectors.
More infrastructure attacks and attacks against non-PC targets.
Cyberattacks focus on trade routes between Asia and Europe.
New interception capabilities and data exfiltration methods.
Mobile APTs develop faster.
Personal information abuse grows, armed with AI.

Also visit these excellent Kaspersky reports on the present and future:

8) Sophos really stepped up their game this year with this Sophos Labs 2020 Threat Report. Just a well-done, solid material with plenty to offer – and excellent lead-in exec summaries here. They even take a 10-year-out prediction with a bold: “Ten years out, machine learning targets our ‘wetware.’”

Top Sophos predictions (with detailed analysis on each item) include:
Ransomware attackers raise the stakes
Mobile malware trends: Dirty tricks are lucrative, Ad money feeds non-malicious scammers, Fleeceware charges consumers hundreds, Bank-credential stealers evade Play Store controls, Hidden Adware.
The growing risks of ignoring "internet background radiation" - Remote Desktop Protocol in the crosshairs, Public-facing services targeted by increasingly sophisticated automation, Why Wannacry may never totally disappear, and why you should care.
Cloud security: Little missteps lead to big breaches - The biggest problem in the cloud is the cloud itself. Misconfiguration drives the majority of incidents. Lack of visibility further obfuscates situational awareness. A hypothetical cloud security breach incident.

9) Checkpoint offers their: 2020 Vision: Check Point’s cyber-security predictions for the coming year. There are five global cybersecurity predictions and 10 technology cybersecurity predictions. Here are some highlights:

Global cybersecurity predictions for 2020:
A new cyber "cold war" – The new cold war is intensifying, and taking place online as Western and Eastern powers increasingly separate their technologies and intelligence. The ongoing trade war between the U.S. and China and the decoupling of the two huge economies is a clear sign. Cyberattacks will increasingly be used as proxy conflicts between smaller countries, funded and enabled by large nations looking to consolidate and extend their spheres of influence, as seen in the recent cyber operations against Iran, following attacks on Saudi Arabia’s oil facilities.
Fake news 2.0 at the U.S. 2020 elections
Cyber-attacks on utilities and critical infrastructures will continue to grow

Technology cybersecurity predictions for 2020:
Targeted ransomware
Phishing attacks go beyond email
Mobile malware attacks step up

10) RSA Security (A Division of Dell) - RSA offers this easy to find and very well done report (that is very easy to use and jump around) with 20 Predictions for 2020: Preparing for the Future of Digital Risk

They cover Business Predictions, InfoSec Predictions, Technology Predictions, Cyber Predictions, Consumer Predictions and Regulatory Predictions. While we liked RSA’s graphics and great displays, the predictions seemed more like trends than new happenings. Still, it is definitely worth reviewing this report.

Here are their top five predictions:
The rise of the cyber-savvy board
Authentication demands adapt to evolving needs
A focus on data sovereignty in the Middle East
Brexit brings new risk assessments
Security shifts left - Increasing demand for cloud-native apps will force security teams to work more closely with DevOps. Moving pen-testing and code analysis up in the development life cycle will boost product security.

This separate prediction article with RSA execs is also very good.

11) AT&T - AT&T ThreatTraq came out with this video with predictions and thoughtful commentary. What I like about this is the relaxed, expert commentary which explains these three predictions in detail in a comfortable setting via a conversation.

AT&T led with Artificial Intelligence (AI) – Machine Learning (ML) being used in documented cyberattacks – or at least used more in the background.
Second, Malware Will Take Advantage of Domain Fronting
Third, IoT Security getting better.

12) Beyond Trust has a solid list of security predictions that also go deeper into the 2020s (to 2025) with this lead-in quote: “The more CISOs and other IT staff understand the security implications of evolving technologies, the better prepared they are to make the right investments for their business,” said Morey Haber, CTO and CISO at BeyondTrust.

Here are a few highlights for 2020:
Malware Auto Updates Increase – Since many applications auto-update, cyber criminals now target cloud-based update mechanisms using a variety of techniques. Most users trust their applications to auto update and may be unaware of the threats made possible by a compromised cloud connection. Although old-school software piracy is on the decline due to the cloud, cyber criminals’ creativity will continue to zone in on auto updates to infect users. Expect high-profile applications and operating systems to be targeted by these advanced threats in 2020. 
Reruns of Old CVE’s
Identities Become the Latest Attack Vector

Here are a few Beyond Trust highlights through 2025:
End-User Passwords Phase Out – Operating systems and applications will continue to push to end dependency
Next-Gen Processors Gain Footing
Facial Recognition Transactions Increase
Cloud Offerings Triple

13) Fortinet offers this solid list of industry trends and New Threat Predictions for 2020. This very good report also offers a complementary set of activities in their threat landscape report. According to Derek Manky, chief, security insights and global threat alliances at Fortinet, "Much of the success of cyber adversaries has been due to the ability to take advantage of the expanding attack surface and the resulting security gaps due to digital transformation. Most recently, their attack methodologies have become more sophisticated by integrating the precursors of AI and swarm technology. Luckily, this trajectory is about to shift, if more organizations use the same sorts of strategies to defend their networks that criminals are using to target them. This requires a unified approach that is broad, integrated, and automated to enable protection and visibility across network segments as well as various edges, from IoT to dynamic-clouds.”

Topping their list of Fortinet predictions for 2020 are these items:
Combining machine learning with statistical analysis to Predict Attacks by uncovering the underlying attack patterns of cybercriminals, thereby enabling an AI system to predict an attacker's next move, forecast where the next attack is likely to occur, and even determine which threat actors are the most likely culprits.
A deep look at how Deception Technologies can be used to create a virtually insurmountable layer of defense around your network, regardless of how far it has been distributed.
Recent developments in Law Enforcement that will enable them get out ahead of cybercrime.
And the rise of New Zero-Day Exploits that, when combined with AI-enabled systems, will enable cybercriminals to strike in ways and places that many organizations are simply unprepared to defend.

The Fortinet report ends with a video with solutions and recommendations on a path forward.

14) Experian – Offers another good report entitled: Data Breach Industry Forecast 2020 – which is free, but requires registration. You can read some more details on their report in this NextGov article.

Experian’s main findings forecasts include (with detailed explanation in the report:
Cybercriminals will leverage text-based “smishing” identity theft techniques to target consumers participating in online communities, such as those supporting presidential candidates, with fraudulent messages disguised as fundraising initiatives.
As cities install more free public Wi-Fi systems, hackers will take to the skies via the use of readily available drones to steal consumer data from devices connected to unsecure networks on the streets below.
Cybercriminals will use so-called “deepfake” video and audio technology to disrupt the operations of large commercial enterprises, and potentially create geo-political confusion among nation states, in addition to disruption in financial markets.
As a form of protest, we will see many burgeoning industries, such as cannabis retailers, cryptocurrency entities, and even some environmental organizations, targeted for cyberattacks as a result of online activism or “hacktivism.”
With mobile payment options popping up everywhere from a local cafรฉ to the beer vendor at a stadium, we predict that there will be a significant spike in identity theft as cybercriminals seek to exploit the convenience of point-of-sale transactions, especially at large venues like concert festivals and sporting events.

15) Gartner - Gartner Top Strategic Predictions for 2020 and Beyond – Gartner always does an excellent job of offering predictions on technology risk and cybersecurity in detailed ways – the trouble is that most of their material must be purchased. This fact lowers their ranking each year; nevertheless, they offer very helpful, specific advice that is oftentimes unique. Three of Gartner’s free prediction lists that I found intriguing as we head into 2020 include:

Gartner Top Strategic Predictions for 2020 and Beyond – including these three excerpts:
BYOD becomes BYOE - Through 2023, 30% of IT organizations will extend BYOD policies with “bring your own enhancement” (BYOE) to address augmented humans in the workforce.
Mobile cryptocurrency increases - By 2025, 50% of people with a smartphone but without a bank account will use a mobile-accessible cryptocurrency account.
Blockchain authenticates content - By 2023, up to 30% of world news and video content will be authenticated as real by blockchain, countering deep fake technology.

99 percent of threats to data security will spring from underlying vulnerabilities already known to the enterprise and its workforce.
About 40 percent of the organizations dealing with DevOps will purchase developed applications.
Cloud-based access security brokers or CASBs should take note because, by 2020, 80 percent of new deals will collaborate with a truckload of security features.

16) Forrester – Like their rival Gartner, Forrester also offers lots of excellent predictions in many business areas – but generally these come at a cost as in the case of their cybersecurity report for 2020. (Side note: I don’t review prediction reports that cost you money, but I will review reports that require users to complete a form to download.)

Nevertheless, there are exceptions, such as this Forrester Predictions 2020: On The Precipice Of Far-Reaching Change, which is available for download once you provide your contact details.

Here are two highlights from that guide:
Deepfakes will cost businesses over a quarter of a billion dollars.
Privacy class-action lawsuits will increase by 300 percent.

Here’s an insightful excerpt from Forrester: “But three troublesome dynamics are converging in 2020 and will persist beyond: 1. The importance of data and the power of being an insights-driven enterprise are increasing the damage factor of data breaches. 2. The adoption of emerging technologies like the internet of things is creating a larger attack surface that’s often built with only a few security controls, exposing enterprises in never-before-seen ways. 3. The unfortunate reality will come to light that evil forces can adopt technologies such as AI and machine learning faster than security leaders can. Simply put, there are more attackers with more sophisticated tools aimed at a larger attack surface. And those attackers want enterprises to pay.”

17) Forbes – Gil Press always does a nice job compiling diverse cybersecurity predictions over at Forbes, and this year is no exception. Last year he had 60 predictions for 2019 from various sources, and this year he is up to a robust 141 security predictions that are all over the map – but worth reading.

Here are his first two with great sources throughout:
“AI is going to be HUGE in 2020. And by huge, I mean that a lot of vendors will claim they are using AI—ranging from using simple linear regressions, up through using deep learning. While linear regression is pretty far from AI, we might trust those vendors more to deliver a working product than many who use deep learning techniques as the entirety of their solution. What we’ll see in many spaces is folks starting to understand the limitations of algorithmic solutions, especially where those create, amplify, or ossify bias in the world; and companies buying technologies will really need to start understanding how that bias impacts their operations”—Andy Ellis, Chief Security Officer, Akama
“As AI adoption in cybersecurity expands, security concerns around AI bias will grow. As security teams' use of AI continues to grow, they'll need to monitor and manage for potential bias in their AI models to avoid security blind spots that result in missed threats or more false positives. One way to help prevent bias within AI is to establish cognitive diversity - diversity in the computer scientists developing the AI model, the data feeding it, and the security teams influencing it"—Aarti Borkar, Vice President, IBM Security

Of course, Forbes has many other contributors beyond Gil Press, and they also have many other prediction lists. Here are a few to consider: 

Tech Trends 2020: Moving From Disruption To Transformation – Here’s one item from this list:
Cybersecurity: Fear Of The Cloud - 2020 will be the year of cloud security anxiety. According to a survey conducted by Cyber Security Hub, 85 percent of executives view it as one of their largest cybersecurity threats. Though AWS, Azure and Google have worked hard to bring down costs and increase security measures, vast data storage will always be vulnerable to attack, and these attacks continue to grow in quantity and quality.

With more connected devices comes the possibility that those devices and the networks connecting them will be hacked. Cybersecurity will also become increasingly important with new regulations like the California Consumer Privacy Act going into effect January 2020. Data security solutions focused on compliance will continue to gain traction.

And here’s a late update. Gil Press just released another 42 more cybersecurity predictions from industry executives for 2020. This just reaffirms what I mentioned above and continue to see in December 2019 – namely that everyone wants to get into the security prediction business.

18) Imperva – Imperva Offers their Top 5 Cybersecurity Trends to Prepare for in 2020. This well-written blog starts with: “I don’t need a crystal ball to predict that in 2020 cybersecurity attacks will accelerate and the tactics will evolve. We’ll continue to be hounded by greater volumes of the attacks that have threatened us for years and, as businesses adopt new innovations, new vulnerabilities to threats will surface.”

Here are Imperva’s Top 4 Trends (with details in the link):
Cloud Transformation Will Accelerate
Automated Attacks Will Increase
Businesses Will Adopt Zero Trust
Non-Compliance Will Become Costly

19) Bitdefender – Bitdefender once again offers their 2020 Cybersecurity Predictions via their company’s Business Insights Blog. Jumping right in, the list looks fairly familiar with a few new twists:
More vulnerabilities with greater impact
Complexity of software and knowledge needed for attacks and protection will increase. Malware sophistication grows
Increased diversification of IoT without proper security: attacks on infrastructures and reruns of old CVEs
State actors will increasingly use cyberwarfare, at least covertly. Attribution to other nations
Fight against government censorship (fight for privacy) will increase

20) Thycotic – Rounding out the top 20 industry cybersecurity prediction reports is an intriguing one from my respected colleague Joseph Carson at Thycotic, who always brings new material and unique insights to online webinar panels and cyber conference speeches. Thycotic’s Cyber Security Predictions and Trends for 2020
Deepfakes will take Identity Theft to a new level
We’ll move beyond Zero Trust into Building Trust, with PAM still a CISO priority

Prediction: Biometrics will not be used for Security but more as an Identifier
Prediction: Privileged Access will become critical to securing IoT 
Prediction: The 6th Day will move closer to becoming reality

Honorable Mention Security Predictions for 2020:

So what about all of the other cybersecurity predictions out there, along with hundreds of small tech companies with predictions from their CEOs? Here are some of those, but I also encourage you to visit the Forbes lists above which has even more. 

One Prediction: Compliance fatigue will spread among security professionals - Being a source of ongoing controversy and debate, the California Consumer Privacy Act (CCPA) was finalized on 11th January 1, 2019.

One Prediction: Misconfigurations of cloud databases will continue to plague enterprises around the world and will be a leading cause of data breaches in 2020.
DivvyCloud - Cybersecurity and Data Privacy Trends in 2020 by Chris DeRamus, CTO and co-founder – five listed, here’s one:

One Prediction: Increased caution around M&A deals. Learning from the mistakes of Marriott, companies going through M&A deals in 2020 will prioritize comprehensive evaluations of cybersecurity and risk. Before Marriott acquired Starwood in 2016, it was reported that Starwood suffered a breach of North American customers' credit and debit card data after threat actors implanted malware on the company's point-of-sale registers. Eventually, Marriott became aware of its breach of about 383 million Starwood guests' data when a security tool flagged a database query from an unauthorized user who had admin privileges. Although Marriott later found out that the intrusion went undetected for four years before acquiring Starwood, they still had to pay more than $120 million to the U.K. Information Commissioner's Office for violating GDPR, and the hotel giant can even face additional punishments from other data privacy mandates, including the soon-to-be-enforced CCPA. While M&A is an important part of many companies' growth plans, organizations will become increasingly wary of suffering a similar fate as Marriott. In 2020, organizations will place cloud security at the forefront of the M&A process by including thorough audits of how the acquisition or merger target is operating cloud services. In a multi-cloud world, companies will need solutions that provide complete visibility across all clouds and cloud services and encompass an approach to bringing these into their security and compliance posture via automation.

Prediction Excerpt:

Drones Open up New Pathway for Intelligence Gathering - To date, the security concern around drones has mostly been focused on the physical damage nefarious actors, including nation states, could perpetrate. In 2020, we could start seeing attackers focus more on what drones know and how that information can be exploited for intelligence gathering, corporate espionage and more.
Valimail - Peter Goldstein, CTO and co-founder offers his 2020 Predictions for message identification, email security, AI and more

One Prediction Excerpt:
Email security will prove to be the weakest link in election security. Email is implicated in more than 90 percent of all cybersecurity attacks, and election infrastructure is also vulnerable to email-based attacks. This means email security must be a priority for thwarting interference with the 2020 presidential election. But research shows the majority of U.S. states are overlooking this vulnerability. Only 5 percent of email domains associated with local election officials across the U.S. have implemented and enforced DMARC.
SecPlicity: Offers this piece which focuses on how the cybersecurity skillset gap will widen – while pointing to Watchguard’s video on the topic.

Excerpt: Unfortunately, we don’t see this cyber security skills gap lessening in 2020. Demand for skilled cyber security professionals keeps growing, yet we haven’t seen any recruiting and educational changes that will increase the supply. Whether it be from a lack of proper formal education courses on cyber security or an aversion to the often-thankless job of working on the front lines, we predict the cyber security skills gap to increase an additional 15% next year. Let’s hope this scarcity of expertise doesn’t result in an increase in successful attacks.

Cybereason - CSO Sam Curry offers his thought-provoking analysis in 2020 Cyber Crystal Ball: Extending From 2019 (part 1 of 4), Part 2: The Adversary, Part 3: The 2020 Security Industry and Part 4: The Hope for 2020 – all published in in Forbes. 

Excerpt From Part 2: “For the future, the lines among actors will become increasingly blurred, as was the case when North Korea started making currency grabs when embargoed in the world community. Attribution is already highly unreliable, but false flags are getting easier to run. This makes the assumption that an attacker is who we think they are a potentially dangerous one. Expect the degree of specialization in the dark ecosystem of nation state players, hacktivists and cyber criminals to increase and become more murky and complex in 2020. Be leery of pat answers and pundits without real, tangible evidence, which is something rare in the world of cyber attribution. The connected world makes for strange bedfellows indeed on the dark side of the Internet.”

Here’s an excerpt: Quantum Communication Will Start to Become Integrated into Security Policies

Quantum communication, the field of applied quantum physics for protecting information channels against eavesdropping, will become an important technology for organizations that trade in sensitive and highly valuable information. …

But as researchers get closer to quantum supremacy, the tension will grow among organizations that are handling sensitive and highly valuable information. This tension will push certain organizations across the line to take protect their communications against cryptographic attacks through quantum communication technology. I predict that we will see this trend begin in 2020.
Exabeam – Exabeam offers Eight Cybersecurity Predictions for 2020

Here’s one of the eight predictions on Device security. “Nation state attackers will be the greatest cybersecurity threat in 2020,” says Joe Lareau, a senior security engineer at Exabeam. He notes IoT and the security of voting machines and repositories of voter information will be front and center. “Entities such as states and the federal government will react to the threat of election tampering by building and using ‘defense in depth’—multiple layers of controls that involve staffing, procedures, technical and physical security for all aspects of the security program.” And, of course, analytics and machine learning. The same will be true for operational technology (such as plan monitoring and control systems) and IoT devices in use at enterprises and governments such as security cameras, HVAC systems, and a myriad of sensors. These systems continue to be vulnerable to state actors looking to disrupt operations, to corporate and government espionage and to attackers looking to benefit financially from theft and ransomware.
Claroty - Dave Weinstein, CSO of Claroty and former CTO of New Jersey, has some predictions for where he sees the state of industrial cybersecurity, critical infrastructure and the role of IT and OT security professionals going in the coming year. Dave’s predictions are here.

Excerpt: The ‘I’ in CISO will start to disappear for companies with big industrial footprints. As IT and OT begin to be viewed as one, enterprises need to govern and secure them accordingly. Unless you’re a bank, the idea of being a CISO is going to become a thing of the past. The CISO is gaining responsibility for OT and as a result the role will be more than taking responsibility for securing information, they will have all the OT security responsibility too. Wherever there’s technology, it needs to be secured.
BairesDev - Paul Azorin, founder and chief technology officer, BairesDev, offers his cybersecurity and data privacy trends in 2020

Excerpt: Cybersecurity budgets - Cybersecurity is at the top of every corporate executive’s mind. Companies have already started increasing investments in data privacy. Research has found that cybersecurity budgets have increased by 141 per cent from 2010 to 2018.

As a result, global investments in information security are expected to total more than $124 billion in 2019. 

What’s more - companies are currently spending between $1,300 to $3,000 per employee on cybersecurity. This averages to about $2,300 per employee for most businesses. This, however, is not nearly enough. That’s why corporations are expected to increase information security spending by 8.7 per cent per year.

Excerpt: The smallpox of cybersecurity - passwords - will be eradicated by 2025. Passwords are ingrained in our society because they've been around for over 60 years, but this doesn't mean it's the safest way to secure our digital lives. Passwords are not only a hassle - they're antiquated and open us up to even more cyber threats. Similar to how smallpox was eradicated, if we ban together, we can wipe out passwords and the onus is on the technology industry to drive security forward by eliminating them. Capabilities like zero sign-on, software and hardware tokens, behavioral analysis, and biometrics already exist that allow organizations to switch to passwordless authentication today.
Bugcrowd - Casey Ellis, chairman, founder and CTO of Bugcrowd, offers his 2020 Vision: Cybersecurity predictions for the year and beyond – I really like Casey’s perspectives and enjoy listening to him speak at events. I was on a panel with him in Detroit in 2016, and respect his global cyber expertise.

Excerpt: The “unknown” is the biggest cyber threat businesses will face

When protecting against known elements, such as WannaCry or other pre-existing threats, organizations have a clear picture of what the enemy looks like and can thereby adopt successful defensive techniques against such known threats. However, the biggest threats today are the ones we won’t know about until tomorrow (or even later), which is why a proactive, hacker-minded approach is integral to catching these issues before they’re found and exploited in the wild. 

The next big breach is already happening now, and we’ll only learn about it months down the road. From what we continue to see with leaks and breaches, it’s often the exposed but unknown attack surface is that’s much more likely to sink an organization than breaks in their core apps or architecture (an exposed file, key, server, that nobody knew about or thought was a risk). And while one fundamentally can’t expect the unexpected, organizations can take steps to ensure there are fewer unknowns. In doing so, reduce their available footprint for being surprised, as well as get ahead of potential back doors to the organization. 
IoT World Today offers these 6 IoT Security Predictions for 2020 - As we transition to a new decade, there is growing maturity in the field of IoT security, but also a wave of new risks.

Excerpt: Building Security Concerns Grow

In 2020, the prospect of smart building security is bound to become more of a top-of-mind concern for facility managers. With buildings accounting for eight out of 10 connected things in 2020, according to Gartner, smart buildings could provide new avenues for adversaries to attack. Experts are divided, however, whether there will be a significant uptick in such attacks next year. Mirel Sehic, global director of cybersecurity for Honeywell Building Solutions, expects such an increase. Attackers could use building management systems as a pivot point to get to IT data as well as to manipulate building controls. 
Honeywell – Speaking of Honeywell Building Solutions, Honeywell Predicts 2020’s Top Cybersecurity Trends for Buildings

Excerpt: Securing building operational systems will become a priority for many businesses as increased threats related to connected building technologies will likely arise.

The need to secure both Operational Technology (OT) and traditional Information Technology (IT) is expected to create demand for a new skillset and new type of security professional.
BitDam - Liron Barak, CEO, BitDam, offers her top five cybersecurity predictions for 2020

Excerpt from BitDam: Breach and attack simulation vendors will expand their solutions to various channels and attack vectors
Enterprise Irregulars – The online magazine lays out 10 Predictions How AI Will Improve Cybersecurity In 2020 for various vendors. Here’s one from Sean Tierney, director of threat intelligence at Infoblox:

There’s going to be a greater need for adversarial machine learning to combat supply chain corruption in 2020. Sean Tierney predicts that “the need for adversarial machine learning to combat supply chain corruption is going to increase in 2020. Sean predicts that the big problem with remote coworking spaces is determining who has access to what data. As a result, AI will become more prevalent in traditional business processes and be used to identify if a supply chain has been corrupted.”

Excerpt: The BYOD and CYOD trend enterprises have adopted will be met with employee pushback as increased regulations and growing privacy concerns continue to raise awareness about inefficient device security: 

67% of employees report using a personal device at work to some degree. As enterprises continue to adopt a BYOD (bring your own device) or a CYOD (choose your own device) strategy for their employees, there will be continued push pack from employees who are required to relinquish control over their mobile devices and the private data stored on them. As the stakes for privacy management become higher and higher from endless breaches (54% higher in 2019 alone) and increased regulations, like GDPR and CCPA, we’ll see enterprises deploy more effective means of privacy control for its employee’s personal devices (like application-specific security, as opposed to only device-level). This will mitigate privacy invasion for employees and enable tighter vulnerability controls for the enterprise, all while still providing necessary corporate data and accessibility to the end-user via the mobile device of their choice.” - John Aisien, CEO of Blue Cedar

Excerpt: Revenue growth is not a simple equation.

CompTIA predicts that the global IT industry will grow by 3.7% this year, and IDC is projecting $5.2 trillion in global revenue. However, this growth is not consistent across all areas of IT. IDC expects that technology services and traditional hardware will each grow by 23%, software will grow by 50%, and emerging technologies will grow by a whopping 104%. This growth in emerging technology is the driver for all the hype, but there are two things to remember. First, solutions using emerging technology require significant investment in skills and product support. Second, emerging technology solutions don’t exist in a silo—they are part of overall architectures that include traditional components such as networking or storage. Those components often need to be upgraded to take advantage of new trends, so there are revenue opportunities across the board, but simply targeting emerging technology will not automatically lead to astronomical growth.

Also from CompTIA: The biggest customer needs are (and will be) around software development and cybersecurity.
Varonis – This Forbes article brings some unique predictions like this one from Brian Vecci, Field CTO, Varonis:

Except: “REAL ID will cause real chaos: As the October 2020 deadline looms, REAL ID will catch several states off guard. Expect states to scramble to meet demand for new licenses. In the rush, security will be placed on the backburner. At least one state will be caught with exposed, sensitive data on drivers. And infrequent travelers who failed to update to the new licenses will be disappointed when they are turned away at airport security and must cancel their vacation to Disney”

Excerpt: Biometric-based identity proofing and authentication will continue to be adopted in highly regulated industries to assure a person’s digital identity matches their real identity.

The global market for mobile biometrics is forecast to grow at an impressive 31.14 percent CAGR, adding $28.45 billion per year in incremental growth between 2018 and 2023, despite the CAGR decelerating by 22 percent in the period. The growth forecasts in the latest set of market analyst reports that indicate widespread adoption of biometrics technology: 22 percent for mobile biometrics, 22 percent for 3D sensors, and 19 percent for healthcare biometrics.
OpenText – 2020 predictions from Anthony Di Bello, vice president, Strategic Development, OpenText:

Excerpt: The Radicalized Insider. We have only begun to see the impact insiders can have on organizations as well as national and global security. While Snowden and Manning exfiltrated data for the purposes of shining a light on what they perceived to be unethical conduct, even more dangerous insiders focus on exfiltrating data to foreign governments and terrorist organizations. Cyber theft leading to the exploitation of national security is one of the top threats in 2020.

Excerpt from Gaurav Banga, CEO and founder of Balbix’s:

“In light of the ever growing cybersecurity skills gap, and an exploding attack surface, infosec leaders will shift their focus from increasing headcount to increasing efficiency. By prioritizing tasks based on risk, solving the most impactful issues first, CISOs can ensure that even a small team can have maximum possible impact.”
Information Age – The online magazine offers these Predictions for cyber security in 2020

Excerpt: New adaptions for RATs – Liz Rowley went on to state how attackers could go about adapting their tactics.

Although cyber security teams may well have familiar viruses scouted, it’s important to remember that these kinds of attacks, much like their biological namesakes, can mutate.

“Cybercriminals are constantly redesigning Remote Access Trojans, or RATs, so they get better at bypassing security protections,” said Rowley.
CSO Magazine - 2020 cybersecurity trends: 9 threats to watch - Here's how your biggest threats of 2019 will likely trend for 2020 and how you might change your defensive strategy for them.

Excerpt on first item: Dmitry Galov, security researcher at Kaspersky, sees the risk from employee-owned devices increasing in 2020. He sees a greater willingness for companies to allow employees to use their own devices to cut costs, enable remote work, and increase employee satisfaction. As a result, attackers will target personal devices as a way to bypass corporate defenses. “By default, users’ personal devices tend to be less protected than corporate devices as the average users seldom apply additional measures to protect their phones and computers from potential threats,” he says.
Crowdstrike & Auto Club Group CISO – While not an actual 2020 prediction report this Crowdstrike video and explanation blog does an excellent job showing how the “Speed of Onset” or “Breakout Time” is becoming a key factor in 'Cyber Risk Calculations' in addition to breach impact and likelihood. Gopal Padinjaruveetil, CISO at Auto Club Group, believes tracking this speed will become a major trend in 2020 – as expressed in the Information Security Community posting (of this piece) on LinkedIn. 

Quote from Gopal – “In terms of sheer speed, Russian hackers are now able to complete a major system breach in less than 19 minutes, eight times faster than their nearest competitors in North Korea” My prediction for 2020 An increasing number of CISOs will start focusing on The importance of Speed in Cyber Risk."

2020 Security Prediction Awards

Top Security Industry Predictions Report - The New Norm: Trend Micro Security Predictions for 2020 - Trend Micro (for third year in a row.)

Individual Prediction that is Most Unique, Different and Insightful – “The unknown is the biggest cyber threat businesses will face.” Casey Ellis, chairman, founder and CTO of Bugcrowd

Individual Prediction that is Most Creative — “Deepfakes-As-A-Service emerges.” ForcePoint 

Individual Prediction that is Newest & Specific (2 Tie)— “False flag attacks reach a whole new level. Explanation: This will develop further, with threat actors seeking not only to avoid attribution but also to actively lay the blame on someone else. Commodity malware, scripts, publicly available security tools or administrator software, mixed with a couple of false flags, where security researchers are hungry for any small clue, might be enough to divert authorship to someone else.” Kaspersky

Also – “REAL ID will cause real chaos: As the October 2020 deadline looms, REAL ID will catch several states off guard.” Varonis

Individual Prediction that is Most Scary (yet practical) — “Hackers will find new low-hanging fruit in the cloud. The most advanced (and potentially devastating) cloud attacks will occur at machine speed in 2020.” Splunk

Individual Prediction that is Most Common and Likely — (3 Tie) – More Targeted Ransomware & Deepfakes cause (myriad) problems & various election hacks and misinformation campaigns will emerge (Numerous) 

Topic of Most Disagreement Among Security Companies — Cloud –vs- mobile threats will take the lead – multiple companies on both sides. (Numerous – but more say cloud over mobile malware) 

Best Overall Advice in Predictions Report — “We are all targets. If you work with a high value target, you are also a high-value target.” FireEye

Final Thoughts - What's Missing?

Just as I was preparing to release this report, Boris Johnson won a surprise landslide victory in the U.K. election – running on “Get Brexit Done.” (The polls predicted a small victory or hung Parliament.) This surprise result reminds us (again) that plenty of unknowns will emerge next year – making Bugcrowd’s quote about the unknown so relevant in cybersecurity.

Missing in the prediction lists again this year are specific predictions about hacks related to upcoming events (the U.S. election is excluded from this comment though it is covered by almost everyone.)

There is little about the 2020 Olympics or other major sporting events. Could Russia being banned from the Olympics and 2022 football World Cup lead to trouble? Or, could hacktivists disrupt world leaders meetings at the G8 or NATO or other various summits?

Finally, will cyberterrorism re-emerge? Very few dire predictions (again) about Cyber 9/11s or Cyber Pearl Harbors or even people dying in hospitals from cyberattacks.

Could implanted chips become a big privacy debate and/or cause other security issues? I think so – but perhaps not in 2020. I do predict that this issue will be huge for the next decade and bring a new round of opposition from the privacy activists and others for religious and other reasons. 

In closing, Boris Johnson pledged to unite the United Kingdom and heal its Brexit divisions in his speech after his victory. 

2020, he said, would be "a year of prosperity and growth and hope."

That’s one prediction that I hope comes true for all of us around the globe, wherever you live, whether offline or online.

No comments: