There's a reason IT security spending has soared by 3,500% in the last 15 years: The bad guys want your data and intellectual property, and they're well motivated to get it. The coming year will see the scariest IT security threats yet, so the security arms race will be very active in 2020.
IT security sales have grown from just $3.5 billion in 2004 to about $125 billion today, according to Gartner, and annual sales are predicted to grow another 40% to about $170 billion in the next three years.
The reason that U.S. businesses are spending an average of over $1,000 per employee on cybersecurity is clear and obvious. Cybercrime shows no sign of slowing, corporations continue to fall victim to such attacks, and when they do the results can be catastrophic: The average cost of a data breach in 2019 was $3.92 million, according to IBM's Cost of a Data Breach report.
Among the many high-profile security breaches in 2019, a few to highlight are:
- Hackers compromised Microsoft's Visual Studio development tool and placed backdoors in three video game companies that use it. Up to 92,000 computer systems were running malicious versions of video games as a result.
- Over 100 million betting records, including wagerers' names, home addresses, phone numbers, bets, wins, deposits and withdrawals, were stolen from an Elasticsearch server that was not secured with a password.
- A Seattle-based hacker breached Capital One, one of the largest banks in the U.S., and stole personal data on more than 100 million people, including over 80,000 bank account numbers, more than 140,000 Social Security numbers, over 1 million Canadian social insurance numbers, and millions of credit card applications.
Many CISOs fear being accused of having spent too little on security in the event of a security breach, but the truth is that how an IT security budget is utilized is just as important as the total amount that is available. To help decide which areas of cybersecurity spending should be prioritized, here are some likely security trends that will emerge or continue in 2020.
Encryption becomes part of the problem
Last year we predicted that organizations would start to realize that encryption is not the answer to all their security problems, but this year it will become increasingly clear to those same organizations that encryption is becoming an escalating threat that needs urgent attention.
That's because with companies encrypting a huge percentage of the traffic moving around their networks, it is becoming increasingly difficult to recognize the malicious encrypted traffic mixed in. Hackers have been using SSL encryption for some time now to hide their activities, but as the proportion of encrypted traffic on every network rises, it is set to become a more prevalent threat.
Addressing the problem by closer packet inspection without significantly degrading network performance is difficult, and the solution may be intelligent filtering of traffic for inspection or purchasing SSL inspection hardware, or possibly a combination of the two.
Wireshark is a commonly used decryption tool.
Zero Trust overtakes perimeter-based security
Zero Trust architecture is defined by the Department of Commerce's Computer Security Resource Center (CSRC) in its SP 800-207 draft publication as an evolving set of security measures that "focus on protecting resources rather than network segments as a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary."
That's a complex way of saying that protecting a corporate network perimeter does not make it safe to assume that everything inside this perimeter can be trusted and therefore should be given access to network resources. Instead, the Zero Trust model insists that nothing and no one should be trusted on the network until they have authenticated themselves to each resource they seek to access.
This makes sense because many of the biggest security breaches have been made possible by hackers breaching the network perimeter and then having almost free rein to take what they wanted.
The Zero Trust model has been slowly proliferating over the last few years, and in 2020 it will start to overtake the old perimeter-based security model as the most promising way to secure networks and the data stored on them.
Large enterprises will be hit with massive fines for CCPA violations
The California Consumer Privacy Act (CCPA) goes into effect in just a few weeks on Jan. 1, and any company doing business with California consumers (excluding small companies meeting exemption conditions) that does not take "reasonable" steps to secure personal consumer information could face steep fines. In the event of a data breach, companies may be forced to pay statutory damages of up to $750 per customer per incident, or actual damages – whichever is greater.
Companies need to be able to demonstrate that they have taken reasonable steps to implement security measures to protect personal data. "That means they must have performed a security risk assessment, identified any security control deficits, and implemented mitigation strategies," said Shahryar Shaghaghi, a CCPA expert at CohnReznick Advisory, a New York-based professional services and public accounting firm.
Companies that are already GDPR compliant have done much of the work already, but it is inevitable that we will see a few big names face heavy fines for CCPA noncompliance in 2020.
For more on CCPA compliance, see How to Comply with CCPA.
Social media becomes a corporate security threat
Social media and disinformation campaigns can be used to manipulate public sentiment, but in 2020 these tools and tactics will be adopted by hackers to attack companies, manipulate their share prices, and hold them to ransom.
"Imagine a deepfake video of the CEO of some company saying his company won't sell to a specific minority group, and then a targeted Twitter and Facebook campaign using bots to blow the numbers up," said Chase Cunningham, a principal analyst at Forrester Research. "It's only a matter of time before that happens."
Activist groups could use this tactic against corporations they want to target, while criminals could attempt to make money by shorting a company's stock before releasing their deepfake. Even just the threat of releasing such a video – especially at a critical point in a corporate acquisition or fundraising round – could be used to extort money.
Nation-state attacks evolve
A great deal of effort has gone into protecting critical infrastructure from cyberattacks by hostile nation-states. While these are set to continue, nation-state actors wishing to attack the U.S. and other Western countries will increasingly harness the power of social media to do this. "There is no need to target infrastructure if you can swing an election the way you want with Tweets and Facebook postings," Cunningham noted.
Charity and non-profit groups targeted
Online fraud, especially fraud enabled by phishing, is a huge problem for all organizations. But as businesses become more aware of the problem and take measures to minimize the risk of falling victim to a phishing attack, fraudsters will start to target easier potential victims in earnest.
In addition to smaller organizations, fraudsters will focus their attention on charities and not-for-profit organizations that may control significant financial resources. That's because staff and volunteers at these organizations often receive less online security training than employees in for-profit organizations, according to Professor Mark Button, a counter-fraud expert at the UK's University of Plymouth.
Millions of confidential records will leak from cloud data buckets
Organizations of all sizes use Amazon's S3 cloud storage services, but over the last few years there has been a constant stream of stories about data breaches caused by "leaky" S3 data buckets: misconfigurations meant that these buckets were "open" and publicly accessible over the internet. Examples include 1.8 million personal records from the Chicago voter database and 14 million Verizon customer records.
Amazon recently released a new protection initiative called Amazon S3 Block Public Access, which allows administrators to block existing public access and ensure that public access is not granted to newly created items.
The initiative is welcome and will no doubt help, but misconfigurations are still possible, and arguably easy. That means that leaky S3 buckets will remain a tempting target for hackers in 2020, and tens or hundreds of millions more confidential records are likely to be accessed by people who have no business doing so.
Of course S3 is not the only cloud storage service that can be misconfigured, and customers of Microsoft's Azure and other clouds will also be affected by this issue.
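An added example (not from the original article and not AWS code): a small offline audit of the S3 settings discussed above, showing how a bucket stays exposed when only some of the four Block Public Access flags are enabled. The inputs are constructed dicts shaped like boto3's `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy` responses, `example-bucket` is a placeholder, and the wildcard-principal policy test is a simplification of how AWS decides that a policy is public.

```python
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Permissions an ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_statements(policy_json):
    """Simplified test: Allow + wildcard principal + no Condition."""
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    hits = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        p = s.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        wildcard = "*" in ([aws] if isinstance(aws, str) else aws or [])
        if s.get("Effect") == "Allow" and wildcard and "Condition" not in s:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

def audit_bucket(bpa, acl, policy_json):
    """bpa is the PublicAccessBlockConfiguration dict, or None if unset."""
    bpa = bpa or {}
    findings = [f"{flag} is off" for flag in BPA_FLAGS if not bpa.get(flag)]
    grants = public_acl_grants(acl)
    if grants and not bpa.get("IgnorePublicAcls"):      # existing ACLs still honoured
        findings.append(f"EXPOSED: public ACL grants {sorted(grants)}")
    stmts = public_policy_statements(policy_json)
    if stmts and not bpa.get("RestrictPublicBuckets"):  # existing policy still honoured
        findings.append(f"EXPOSED: public policy statements {stmts}")
    return findings

# Constructed sample inputs (not real data): a bucket that was opened up
# before Block Public Access was configured.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
ALL_ON = dict.fromkeys(BPA_FLAGS, True)

if __name__ == "__main__":
    for label, bpa in (("no Block Public Access", None), ("all four on", ALL_ON)):
        print(label, "->", audit_bucket(bpa, SAMPLE_ACL, SAMPLE_POLICY))
```

Enabling only `BlockPublicAcls` and `BlockPublicPolicy` stops new public grants but leaves the existing ACL and policy in force, which is the kind of partial configuration the audit flags.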
Container security issues will not be adequately addressed
Container-based IT setups have continued to proliferate, as more and more organizations get on board with the idea and an increasing number of companies provide the necessary supporting infrastructure, from orchestration platforms to specialized container security.
Last year Gartner analyst Ramon Krikken said, "The security and management tools for containers aren't all ready while the risks aren't fundamentally different, so there is a period where these support tools are still catching up."
These tools have had a year to play catch up since then, but there's still a gap between what's needed and what's available. That means that in 2020, security is still going to be a major issue for anyone responsible for container-based infrastructure. The problem in a nutshell? There are still "no good solutions on the market to get this solved as of now," said Forrester's Cunningham.
Ransomware will cause havoc in local government
2019 was unexpectedly quiet on the ransomware front, but ransomware attacks are easy to carry out and it only takes one successful one for a hacker to make a great deal of money.
For that reason they won't go away in 2020, but now that many larger organizations are aware of the risk, the attackers will look down market for easier victims.
"Small businesses and state and local governments will be eaten alive with this," Cunningham believes. The charity sector will also likely be hit by ransomware attacks in 2020.
eSports tournaments will be hit by DDoS attacks
DDoS attacks will remain absurdly easy to carry out using tools that can be rented by the hour to marshal botnets and manage the attacks. But DDoS mitigation has also become more effective, so in 2020 it's likely that organizations that can least afford short-duration attacks will be the victims.
That means DDoS attacks will likely be launched at the betting industry, during or just before specific sports events that attract high levels of betting, and also the games industry during eSports tournaments that attract millions of viewers.
5G will be the cause of major IoT-related data breaches
5G data services are still in their infancy, but their adoption will accelerate in 2020 as coverage becomes more widespread and the cost of the underlying technology falls. The huge bandwidth offered by 5G means that it will be useful for more purposes than 3G and 4G.
That in turn means that there will be many more applications for IoT devices, so the number of these devices out in the field is likely to explode – and IoT security issues will move to the forefront.
The combination of more IoT devices, and their collection and transmission of more and richer data, will likely prove irresistible to hackers. So expect to see a major IoT-related data breach in 2020.
Three security products on the rise in 2020
As a result of all the cyber threats, three security solutions – one old and two new – will gain traction in 2020:
- Cybercrime insurance: Smaller companies – not just large enterprises – will increasingly be looking to add cyber insurance coverage to their corporate insurance policies.
- Virtual security modelling: Large enterprises will look to use specialized applications that enable the sharing and real-time construction and design of virtual secure infrastructures before solutions are deployed. There are a number of research and open source efforts underway, and a new breed of breach and attack simulation vendors could benefit too.
- Self-sovereign identity systems: Blockchain technology offers huge potential in the IT security sphere, but it has yet to take off in any meaningful way. In 2020 it's likely that self-sovereign identity systems will be the first application of blockchain technology that ultimately hits the mainstream.