Cybersecurity threats are capricious, given to sudden change without warning. This year, average data breach costs rose to $3.92 million while total records breached per incident surpassed 25,000.
For infosec pros, it’s easy to get caught up in current events. What’s happening right now understandably informs 2020 cybersecurity posture and investments, but history also plays a role in defining the best practices and policies that bolster security year-over-year.
With a new decade just weeks away, it’s worth looking back on what was (and integrating what is) to develop new approaches capable of handling what will be.
A Very Brief History of Cybersecurity in the 2010s
2010 saw the rise of real-time search. In 2012, companies were leveraging data at scale to drive actionable insights, and by 2014, mobile devices took their place as collaborative corporate mainstays. But these advances in technology came with commensurate increases in cybersecurity threats, as attackers recognized the value of large-scale — and often unprotected — datasets.
Some of the top threats from the past decade include:
- Stuxnet infects SCADA systems (2010) — One of the first SCADA attacks, Stuxnet paved the way for Shamoon and other industrial control system (ICS) threats capable of combining physical and digital risk. As ICS and SCADA systems have become invariably linked to public-facing services via internet of things (IoT) devices, the potential impact of this threat has expanded.
- Cyberattacks on POS machines (2013) — In December 2013, a retail giant saw payment card details for 40 million customers compromised after point-of-sale (POS) systems were infected and spread malware to secure servers. The scale and scope of this attack put third-party threat vectors front-and-center for cybersecurity pros.
- Heartbleed’s open-source bug (2014) — Heartbleed cut into databases worldwide, opening the door on open-source security concerns and paving the way for other widespread attacks like Shellshock.
- NotPetya seeks to destroy (2017) — An updated version of the Petya ransomware, NotPetya didn’t just encrypt information — it damaged data beyond repair. This kicked off multiple rounds of ransomware attacks and evolution.
- Cryptomining malware rises (2018) — Leveraging simple mining modules that could be loaded into any website, cryptojacking techniques began mining cryptocurrency without user attention or consent and led to the development of improved detection and identification tools.
The takeaway here is that threat actors have been far from complacent over the last decade. From SCADA to POS to open source, ransomware and cryptocurrency, attackers aren’t stuck in a security rut — if you build it, they will come (and break it).
Lessons Learned From 2019 Cybersecurity Trends
While the history of cybersecurity defines broad actions, more immediate security concerns drive current responses. This year saw a mix of new threats and returning vectors, such as:
- Citywide compromise — Attackers are taking their malware on the road and using it to compromise entire municipalities. In August 2019, at least 22 Texas cities were hit by coordinated attacks that forced key services offline and demanded payment for restoration. With many municipalities now leveraging a mix of legacy and cloud-based technologies, defensive gaps are commonplace.
- Mobile malware — According to Check Point, cyberattacks targeting mobile devices are up by 50 percent compared to last year, and threats are diversifying as devices become commonplace across both personal and professional environments. Mobile banking apps are among top hacker targets, as users prioritize on-demand features, and banks are rushing to fill the gap.
- Familiar phishing — Phishing is back, or more accurately, it never really went away. While phishers have been relatively quiet over the last three years, recent data from APWG shows them jumping back into the corporate boat as business email compromise (BEC) techniques become more sophisticated.
Cryptojacking and ransomware, meanwhile, have both declined sharply, as corporate IT teams have become more adept at detecting and defusing these attacks before they’re able to gain a foothold. Add in the impact of volatile cryptocurrency markets on both mining schemes and forced-file-freedom payments and it’s no surprise that hackers have opted for lower-hanging, more lucrative fruit.
Shifting attack vectors and expanding attack surfaces have prompted three key trends in 2019:
- Bigger budgets — Security budgets are on the rise, with upticks between 1 and 9 percent planned for 2020, according to FireEye, as companies look to equip local defenders for greater effectiveness.
- Fire with fire — New technologies like artificial intelligence (AI) and machine learning (ML) are now on the investment radar to help companies counter the effects of advanced cyberattacks and deal with the massive volume of alerts and data coming into security operations centers (SOCs).
- Crashing confidence — Despite souped-up spending, recent survey data from Marsh found that just 11 percent of organizations now report a high degree of confidence in their ability to measure, mitigate and manage cyberattacks.
How to Improve Cybersecurity in 2020
As 2020 looms, how can companies develop defensive strategies that both incorporate historical trends and address the realities of 2019 cybersecurity attacks?
Here, combining past experience with present expectations is critical. In practice, this requires a three-tiered approach.
1. Recognize Repetition
Email remains a top cyberthreat vector — whether it’s delivering ransomware or leveraging social engineering to steal account credentials. As Forbes noted, while detection tools have gotten better at blocking common spam messages, the increased sophistication of those messages still puts staff in the line of fire.
The takeaway is simple: Cybersecurity is circular. What goes around comes around again, and this is especially true for email. Putting up an effective defense in 2020 and beyond demands a combination of layered email security and regular in-house training to ensure employees can spot this security risk in the wild.
2. Adapt and Integrate
Attackers aren’t afraid to shift tactics when it works to their advantage. Petya not working so well? NotPetya can pick up the slack. Ransomware and cryptojacking not paying the bills? Malicious actors can move to compromising mobile applications. Infosec professionals need to adopt the same approach in 2020.
There’s no single way to protect critical assets and deliver improved security. From cloud-based tools capable of detecting threats at scale to AI-driven defenses and intelligent threat detection methods, it’s worth diversifying defenses to defeat threat actor heterogeneity.
The caveat is that you must also keep complexity in check. While attackers shifting tactics can leave previous infiltration methods behind, companies must defend networks at scale. To that end, look for tools capable of integrating protective services without compromising performance.
3. Turn Every Security Stone
Where are systems most vulnerable? It’s a trick question — despite their best efforts, most infosec teams are a step behind attackers. From open-source exposure to POS exploitation and citywide compromise, hackers are always looking for another way in.
In 2020, organizations can’t leave any security stone unturned. Instead of assuming that systems that haven’t been attacked yet are naturally secure, companies must recognize that it’s only time — not inherent toughness — that has so far prevented critical compromise. While the reduced confidence reported by survey results is worrisome, there’s an opportunity here for infosec teams to start from ground zero. With attacks continually evolving, the assumption of potential compromise and the practical deployment of regular penetration testing efforts can help pinpoint key network weak spots.
Cybersecurity doesn’t exist in isolation. As the past decade has demonstrated, hackers are more than willing to change tactics, take unexpected approaches and revive attack vectors when it suits their purpose. By combining the lessons and practices from 2019 cybersecurity with past permutations, we can craft better strategies for the next decade of cyberdefense.