2020 could be the most impactful year for the cybersecurity industry yet. The evidence is compelling: As we look back at 2019, I don’t recall a calendar year in which the topic of cybersecurity was so prominent, and there’s no sign that this trend will decline anytime soon.
That said, even if cybersecurity as a topic continues to gain serious traction in the business world, it won’t automatically make us any more secure. Security awareness is on the rise, but that doesn’t mean we should breathe a sigh of relief now or anytime in the next few years. Unfortunately, each new year brings new threats, risks and incidents for the enterprise, and 2020 will be no different.
As we look ahead to 2020 cybersecurity trends and beyond, it’s a good time to shed light on some subjects that may keep us up at night in the new year and how to prepare for what’s in store.
Emerging Threats to Look Out for in 2020
At the time of writing, there’s one attack method that is mentioned almost universally: the deepfake threat. When I first covered the topic in the summer, there was concern that deepfakes were on the rise, and it appears those concerns were warranted.
When I spoke with Bruce Schneier, security guru and author of numerous security books, the AI-driven social engineering tactic was the first that came to mind for him.
“It can be used for business fraud, and there will be more video as well [in addition to the audio deepfakes],” he told me. What Schneier predicts we’ll see more of soon, however, is automation of the process. “As it gets better, it will happen more at scale,” he said.
Complementing Schneier’s own predictions is the “Predictions 2020: Cybersecurity” report from Forrester Research. According to the report, deepfakes will cost businesses more than a quarter of a billion dollars, and as they continue improving, they will not only become easier to harness, but also much more accessible to bad actors.
Even more troubling than the potential for deepfakes is the predicted increase in ransomware. According to the Forrester report, a ransomware attack to a municipal system may be so severe that it could lead to a request for disaster relief from the federal government. The report goes on to suggest that such an attack would encourage public debate about government’s role in helping to cover the costs of disruption and recovery resulting from cyberattacks targeting local governments.
As for the ever-popular phishing tactic, don’t expect it to fade away. Experian predicts that “cybercriminals will leverage text-based ‘smishing’ (SMS and phishing) identity theft techniques to target consumers participating in online communities, such as those supporting presidential candidates, with fraudulent messages disguised as fundraising initiatives.” We should be prepared for threat actors hoping to capitalize on the election year by tricking voting communities through spoofed texts to solicit financial contributions.
What About the Consumer?
For Schneier, consumer security advice in 2020 isn’t all that different from that of previous years.
“There’s nothing I have that we haven’t thought of that’s going to be the big thing,” he explained. “Generally, the new thing is going to be incremental changes of the old things. It’s rare that there’s ever something new.”
Case in point: this two-year-old post about protecting yourself online will be as relevant in 2020 as it was in 2017.
This isn’t to say that consumer complacency should be allowed to set in due to a lack of new threats. According to independent security expert Rod Soto, privacy and security will play a more prominent role in customers’ expectations as AI consumer devices (like intelligent personal assistants — some of which will have facial recognition technology) continue expanding into homes.
“Providers of these products will have to offer a clearer picture of how personal information from all these devices in people’s houses is protected,” Soto said. “This is something, in my opinion, that is inevitable — and unfortunately, it might be accelerated by a significant leak of sensitive information from the use of these devices in the home.”
As for 5G, possibly the biggest technological breakthrough in the years ahead, 2020 may not be the year when we start worrying.
“People are talking about 5G, but I have not seen enough movement to see it growing as a standard yet,” Soto said. “There is not even a 5G iPhone on the road map until late in the year.”
How the Enterprise Can Prepare for 2020 Cybersecurity Trends
So many threats, so little time. What’s an enterprise to do? Schneier suggested keeping up with strategies that work for you.
“I’ve written about these strategies for years, and it seems we keep repeating ourselves,” Schneier said. Soto suggested that there’s no time like 2020 to think beyond the perimeter for security.
“Enterprises must drive cloud security within [cybersecurity] priorities,” Soto said. “This is difficult, however, as cloud security standards are still evolving and vendor competition prevents consensus and collaboration. Enterprises must drive this internally and pressure vendors to do it. Cloud security should be prioritized as much as inside the perimeter.”
To address the growing threat of deepfakes, an attack that Soto agrees will only increase in prominence, anti-deepfake protocols will need to be created. Furthermore, he suggested enterprise employees learn the lingo and understand common social engineering methods to strengthen defenses.
In that regard, one tactic I’ve always found to be helpful for the enterprise is a robust security awareness program. However, Schneier has some sharp advice for anyone hoping to embark on extensive awareness programs.
“Security awareness has some benefits, but it’s mostly about the industry covering up for bad design,” Schneier said. “Security awareness caters to the average person, but it really applies to your worst employee. If you convince 10 or 100 or more to not click on dangerous links, you’re no better off if you don’t convince that one person. Security awareness doesn’t work as well as people think it does. It’s a way of blaming the user.”
I must admit he’s got a point. We always say that the security chain is only as good as our weakest link, and his advice is the perfect exemplification of that point.
The Biggest Threat Yet: The Cybersecurity Skills Gap
As always, robust security ultimately relies on the human element. As we consider the coming 2020 cybersecurity trends, perhaps the biggest issue for the world of security isn’t a known threat, an emerging threat or anything else we’ve discussed here. In fact, the biggest threat to the future of cybersecurity may be the skills gap.
In early 2019, ESG reported that over half of all companies surveyed (53 percent) declared a problematic shortage of cybersecurity skills within their organizations. There’s nothing to indicate that the situation is going to improve.
“I think the skills gap is huge, and it’s going to be a big problem,” said Schneier. “I’m not an expert on the workforce, but those that are paying attention are saying it’s not going to get any better.”
One thing we can count on in the future of cybersecurity is that, unless and until we get more people signing up for cybersecurity roles — including women, people from different backgrounds, young people, etc. — the enterprise will have to continue fighting the good fight with one hand tied behind its back.