Cybersecurity is a fast-moving industry, and with a new decade dawning, the next year promises new challenges for enterprises, security professionals and workers. But what predictions do experts have for cybersecurity in 2020?
We heard from experts across the field of cybersecurity about their predictions for 2020, from new methods and targets to changing regulation and business practices.
2020 cybersecurity predictions: Enterprise practices
Businesses will take steps to protect themselves against the inevitable
Over the past few years, businesses have started to take a more proactive approach when it comes to cybersecurity. However, there is still more that can be done and 2020 will be a key year for this adjustment.
In 2020, the majority of businesses will accept an uncomfortable reality – a security breach is inevitable. This is not security fatalism, but security realism. The perimeter is gone.
CEOs, CIOs and CISOs must embrace that bad actors are already inside the firewall and adopt proven technology that detects suspicious activity quickly enough to respond before a breach becomes a crisis. Businesses must also embrace solutions that provide security without compromising privacy.
Anthony Di Bello, VP of strategic development at OpenText
Business email compromise set to grow
Business email compromise and phishing in general is ever evolving and will most likely continue to grow in both volume and sophistication. The past year we have seen an increase in advanced phishing methods targeting applications secured with two-factor authentication (2FA) and almost all reporting phishing website appear to use a secure HTTPS connection.
Although it is a good trend that 2FA and use of HTTPS is being adopted, we see that end-users still fall prey to phishing. Hopefully 2020 will also be the year of increased support and adoption for hardware authentication devices.
Hugo van den Toorn, manager, offensive security at Outpost24
API security will move up on the enterprise priority list
Data breaches have surged over the years but in 2019, many of them were the result of insecure APIs. Panera, Venmo, USPS and Salesforce are just a few of the high-profile companies that dealt with API security breaches last year, and despite all the damage, companies in general have been slow to respond to this growing concern by bringing API security under the purview of security teams.
That said, 2020 will be the year that companies wake up to the threat and move API security up on the priority list. One way to do so is by embracing OAuth (a delegated authorisation framework for REST/APIs) which helps to place the user in control of his or her data, as opposed to the company. We expect this open standard to spike in adoption.
Jesper Frederiksen, VP and GM EMEA, Okta
The rise of data intelligence
In 2020, Gartner has estimated there will be more than 10,000 Chief Data Officers (CDOs). Many of them will be breaking into the role as first-generation CDOs. If CDOs continue to add offensive capabilities (such as how do you make money from data) on top of the table-stakes defensive capabilities (how do we comply with data regulations) then the role will keep growing. These first-generation CDOs will be change agents that will lead the way in the evolution from data management to Data Intelligence.
Data Intelligence is about understanding the positive effects data can have on the business and offering the ability to create that impact. In this new paradigm, Data Citizens will use data to solve complex problems, implement ideas to drive bottom-line results and transform experiences. Moving forward into the next decade data will no longer be the purview of database admins or data architects – it will belong to every knowledge worker.
Stijn Christiaens, CTO and co-founder, Collibra
Organisations will continue to adopt a risk-based prioritisation for vulnerability management and remediation. As pressure increases on organisations to remediate quickly, this approach helps focus efforts on what to remediate and when, moving from a patch all critical to patch vulnerabilities that pose a true risk to my business.
Predictive risk prioritisation will continue to gain traction as vendors build predictive models to try to further enhance risk-based prioritisation of vulnerabilities. These models will attempt to guide organisations in what vulnerabilities are likely to be weaponised and used next. Through 2020 organisations will start to adopt these types of services more and more to build more effective vulnerability management programmes.
Simon Roe, product manager at Outpost24
Getting Burned by the Cloud
There is a ‘gold rush’ for organisations to move their data to the cloud, with everyone wanting to jump on the cloud bandwagon. The problem is many leaping before they look. Large organizations are making rapid moves to the cloud without ensuring their data is secured in transit and once it’s there.
In 2020, there will be multiple organisations who deal with data privacy breaches and regulatory fines, as these steps are not being adequately addressed from the beginning of the move.
Even with the Shared Responsibility Model and news about vulnerabilities with cloud security, we foresee many organisations failing to conduct due diligence and being burned by leaving their data insecure in the cloud. The result will be them finding out too late that proper identity governance and privileged access management practices could have been applied to data in its on-prem state and continue through the transition into the cloud.
Darrell Long, VP of product management at One Identity
Neurodiversity in cyber recruitment
In 2020, many more organisations are going to feel the effects of the cyber skills gap, and will need to rethink their cybersecurity strategies as a result. Businesses should consider using more AI and machine learning technologies to automate as many security processes as possible, taking pressure off overstretched cybersecurity teams and allowing them to focus on the biggest threats.
Organisations should also be looking to under-hired groups, such as neurodiverse candidates, who are perfectly suited for cyber roles and could help to fill open positions.
Mark Hughes, senior vice president and general manager of security at DXC Technology
Decentralisation will become the new buzzword
We are centralised now with large tech companies having control over a lot of the data. In 2020, we’ll see companies begin to position themselves as decentralized in one way or another. The control of data will begin to shift back to the consumer and end-user. People will stop becoming the product.
Rich Chetwynd, founder of thisdata and litmos, OneLogin companies
SMEs hit hardest by cyber skills
There’s a real dearth of cyber security talent and smaller businesses will be hardest hit through next year. Skilled professionals will be increasingly hard to find and difficult to retain. Market forces will put the option of full time, in-house security specialists, commanding high salaries, out of reach for many smaller businesses. Instead, they’ll need to think creatively and look at how they can plug the gap through outsourcing and affordable service-based solutions.
This is imperative as under-resourcing can cause real security risks. Bad actors are aware of the lack of defences in smaller businesses and they are an easier target to break into. Cybercriminals increasingly target SMEs, who are less likely to have the technology, people and processes in place to block or defend against those attacks.
Jeremy Hendy, CEO at Skurio
Changes to digitisation project approaches
In 2019 we’ve seen a number of digital transformation projects not fully meeting expectations. Consequently, in 2020 I expect to see a number of small but significant step changes in the way businesses approach digitalisation projects, particularly with regards to security. Focus will be on improving user experience and generating value from smaller more tangible projects. For cyber security, this will mean solutions that make day-to-day operations easier and that are proven to mitigate the impact of security incidents.
As a result of this, in 2020, security teams will need to be looking to communicate the value they bring in terms of the bottom line.
Dave Polton, VP solutions at Nominet
2020 cybersecurity predictions: Attack trends
Simple attacks to remain the most damaging
In 2020, we will see the cyber industry redesigned in some key areas. Malware will undoubtedly evolve, and ransomware will become more sophisticated, potentially even teaching businesses new ways to take payments and create customer service that encourages the victim to part with their money. That said, it will still be the simple attacks that cause the most damage, because organisations have a lot of work to do on ensuring they are utilising every layer of defence within their reach.
We’ll also see the role of the CISO redesigned in 2020, as the imbalance of their work-life worsens and the role needs to change to meet the demands of the modern cyberscape; for example becoming more of a strategic resource for the business on mitigating risk and facilitating business transformation safely.
Stuart Reed, VP cyber at Nominet
Advanced cloud attacks to occur at machine speed
The most advanced (and potentially devastating) cloud attacks will occur at machine speed in 2020. Cloud misconfiguration has been a path of least resistance for attackers. As better automation eliminates that problem, cybercriminals will have to identify a new ‘easy route’.
Going forward, cybercriminals will exploit the emerging vectors brought to bear by cloud native technologies such as containers and Kubernetes, taking advantage of organisations’ learning curves to launch new attacks at a scale and speed we have not seen in the on-prem world.
Haiyan Song, SVP and GM of security markets, Splunk
Hackers will exploit open banking
2020 will see the introduction and adoption of open banking applications that are used by consumers and enterprises, stimulated by PSD2 in Europe and similar legislations in other regions (e.g. Australia, Singapore, Hong Kong).
Open banking will give rise to new security threats and vulnerabilities, such as data breaches at third-party providers using open banking interfaces, as these companies might lack investment in security. Next to it, we may see that vulnerabilities in the IT infrastructure of third-party providers may lead to fraudulent payments.
Frederik Mennes, director of product security, Security Competence Centre at OneSpan
Mobile will become the primary phishing attack vector
Lookout expects credential phishing attempts targeting mobile devices to become more common than traditional email-based attacks. Traditional secure email gateways block potential phishing emails and malicious URLs, which works for protecting corporate email from account takeover attacks, but neglects mobile attack vectors, including personal email, social networking, and other mobile centric messaging platforms such as secure messaging apps and SMS/MMS.
Moreover, mobile devices are targeted not only because of these new avenues but also because the personal nature of the device and its user interface. Enterprises must realize that when it comes to social engineering in a post-perimeter world, corporate email is not the only, or even the primary, attack vector used.
David Richardson, senior director of product management at Lookout
Faster evolution of threats
Threats will morph more and more rapidly. Standardised attack methods will be automatically synthesised into multiple, even individually customised attack vectors based on results from prior attacks.
Rapidly changing attacks customised to individuals will relegate standard pattern-based techniques to basic network husbandry. We will need tools that can recognise attack behaviour, and, we need analysts to investigate generic attack techniques. We’ll also see the rise of AI-based threat detection and an increase in the number of security tool vendors and a heavy reliance on cast-iron evidence.
Stuart Wilson, CEO at Endace
The rise of cyberattacks in the crypto-sphere
The security of cryptocurrencies rests on safeguarding users’ private keys, leaving the ‘keys to kingdom’ accessible to anyone who fails to adequately protect them. Cybercriminals usually follow the money, so expect that cryptocurrencies will be at or near the top of attacker’s wish lists in 2020.
Dr Zulfikar Ramzan, CTO at RSA Security
Quantum knows what you did last summer
2020 will see more data breaches in anticipation of cracking the data when quantum computing becomes cheap and more affordable down the road. With potential breakthroughs like Google’s this year, it’s only a matter of time before more quantum computing power is achieved.
When this happens, the encryption techniques used to sign messages and protect encryption keys will be rendered obsolete. In anticipation of that, next year will see an increase in the encrypted communications and encrypted data stolen by hackers as they stockpile information waiting for the tools to unlock it. So, in effect, quantum breaches will have already happened, long before the computing power comes to fruition.
Ashvin Kamaraju, CTO for cloud protection and licensing activity at Thales
Targeted, mass-scale attacks
Based on the real-world attacks seen in the wild in recent months, in my opinion, the single biggest security threat of 2020 will be targeted mass-scale attacks involving corporate infrastructure in the cloud as well as legacy and third-party software components, e.g. targeted ransomware, financial services, and ICS/industrial IoT attacks.
Oleg Kolesnikov, VP of threat research at Securonix
A quarter of all breaches will happen outside the perimeter
The more widespread practises of flexible and mobile working mean operating outside the traditional network boundary, which has been a key part of a layered security defence. And as mobile devices can often mask the signs of phishing attacks and other threats, we think that a quarter of all data breaches in the next 12 months will involve telecommuters, mobile devices and off-premises assets.
Corey Nachreiner, CTO at WatchGuard Technologies
Machine learning attacks on the rise
In 2020 we’re going to see the emergence of machine learning driven attacks becoming more of a threat. Vishing is on the rise and can easily be automated using machine learning to become even more effective. But it is the combination of an extended bot-cloud platform running on IoT and the automation and adaptability provided by machine learning that can create an unseen level of threat in 2020.
Machine learning technology is now mature and accessible enough to be used by malicious actors. Leveraging the power of machine learning in an attack through an immense IoT platform and the havoc created will be unprecedented.
Iván Blesa, head of product at Noble
ML and AI to be harnessed for the next generation of malware
2020 will see machine learning and artificial intelligence used to create distributed and targeted malware and attacks. An attacker using machine learning algorithms can create a suite of botnets or worm-style malware that gathers data from multiple attempts to breach commercial sites, ultimately generating more sophisticated attacks that could be targeted at Critical National Infrastructure or Governments.
Using data from breaches, vulnerabilities, successful and failed , the ‘next generation’ of malware can be created. It will make fewer obvious attacks but be more successful by using tactics proven to work. This would make pattern matching or DOS/brute-force security measures less and less effective.
Protecting against this style of attack requires analysis of network patterns, command and control, and a large-scale dataset of attacks to see these attempts happening across multiple sites and networks, rather than a single instance or victim.
Mark Burdett, head of product delivery at Nominet
2020 cybersecurity predictions: Development and SOCs
Software transparency improvements ahead
In the year to come, I anticipate that we’ll see continued developments in software transparency (e.g., NTIA Software Component Transparency efforts). Additionally, a continued need for software testing throughout the software development life cycle (SDLC) will also persist as a focus in 2020—most assuredly a positive step in terms of firms understanding the criticality of proactive security maturity.
I also have reason to believe we’ll see increased efforts to secure the hardware supply chain, and specifically efforts to develop secure microelectronic design and fabrication will come into focus in the upcoming year.
Emile Monette, director of value chain security at Synopsys
‘Zero Trust’ still won’t be a reality
Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.
As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020. This approach will remain difficult, expensive and inconvenient.
I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.
Malcolm Murphy, technical director, EMEA at Infoblox
Adoption of finer granular objects to rise
In 2020, I believe we’ll see the accelerated adoption of finer granular objects to drive efficiencies. As developers adopt these finer granular objects within their cloud applications, such as containers, microservices, micro-segmentation, and the like, security testing tools will need to be object aware in order to identify unique risks and vulnerabilities introduced by utilising these objects. I anticipate that new approaches to collecting security related data may become necessary in the cloud. In addition to application logs, cloud API access will be seen as necessary.
There will also be a growing focus on centralised logging in the upcoming year. In addition to application security, the cloud management plane will become an additional security layer that needs addressing in 2020. Developers, for example, will require access to the management plane to deploy applications. Incorrect settings here could expose the application to security risks as sensitive information flows through it.
Reduced transparency around what’s going on within a given application will likely be a growing trend. A cloud provider doesn’t necessarily tell you what security controls exist for the PaaS services they expose to you. Businesses will therefore need to make some assumptions about their security considerations and stance.
In terms of data security and integrity in the cloud, there will be more of a need to have proper policies in place so prevent improper disclosure, alteration or destruction of user data. Policies must factor in the confidentiality, integrity and availability across multiple system interfaces of user data. In 2020, the adoption of PaaS and serverless architecture will provide even more of an opportunity to dramatically reduce the attack surface within the cloud.
Multi-factor authentication to continue to rise
We’ve seen a 200% increase in the adoption of multi-factor authentication (MFA) over the last two years which has put the technology in the hands of half of end-users. That trend will continue in 2020 but it will still be two more years before we see the adoption of MFA reach 75%.
Biometrics will become an important second factor of authentication as millennials continue to adopt the technology. However, it’s still tethered to a device in many instances — facial recognition through the iPhone, fingerprint scanning must be done on the laptop.
In 2020, we’ll see the adoption of technologies like YubiKey, decoupling biometric authentication from a computer or phone, increase because authentication can then be handled anywhere and it won’t be restricted to a specific mobile or desktop device.
Jeff Broberg, senior director at OneLogin
Psychology will become an intrinsic part of security
With a constantly shifting threat landscape, psychology will be a major focus for security in 2020. Part of this will be an attempt to answer the question ‘how does an attacker think?’
At present, the inherently innovative, collaborative and dispersed nature of cybercriminals means that bad actors remain one step ahead of the enterprise. By understanding the psychology of attackers – from state-supported actors to simple vandals – organisations can better spot weaknesses in their defences before it’s too late.
There will also be a growing emphasis on understanding the psychology of security teams. Being the front line in the continuous fight against cybercrime can be an enormous drain, and security analyst burnout is a widespread problem across all sectors.
By taking steps to understand their teams – what is making them stressed? What will reduce that stress? How can we reward them for their work? – organisations stand a better chance of cultivating a security team that can operate effectively despite the pressure it’s under.
Amanda Finch, CEO at Chartered Institute of Information Security (CIISec)
Consumer security focus needed
Whether or not it will be is a different question, but 2020 needs to be all about the consumer when it comes to security.
The world of end-user electronics and services created a navigational nightmare for everyone. Personal account breaches and password reuse can put corporations at risk to improved phishing attacks. Smart devices are everywhere, connecting to everything. They provide such a large attack surface that they are a problem.
0.04% of Disney+ accounts saw password disclosure (most likely via password reuse), but I’ve heard from many people that they ‘won’t use Disney+ because it was hacked’. This type of FUD could put a smaller organisation in jeopardy financially.
Additionally, websites like IndieGoGo and Kickstarter allow anyone with an idea to fundraiser for a new smart device, regardless of how much domain knowledge the creator has. This leads to the creation of many insecure devices that find their way into homeowner networks regularly. Consumers need to be aware of what they are doing and the risks they create for business, for their employers, and especially for themselves.
Tyler Reguly, manager of security R&D at Tripwire
Advanced liveness detection will be a critical part of cybersecurity
The adoption of facial recognition and facial comparison has been hampered until now because it has been easily spoofed using video. Technology in the form of advanced liveness detection has now closed this gap in security. Combining both static and dynamic liveness detection is something that we could also see more of. In more general terms, technologies such as facial recognition and its use of artificial intelligence will come under more scrutiny.
Conor Hickey, head of solution architecture at OneSpan
2020 will be the year of API connectivity
Driven by the need for on-demand services and automation, there will be a surge in requirements for the use of technology that interconnects through APIs. Vendors that don’t interconnect may find themselves passed over for selection in favour of others with API access that add value to existing solutions.
DevOps capabilities will continue to increase their significance in moving projects to products, with only 9% of technology professionals responsible for the development and quality of web and mobile applications stating that they had not adopted DevOps and had no plans to do so. This will drive an increased focus on DevSecOps and how opensource software is managed within projects.
We will begin to see more examples of the theft of encrypted data as cybercriminals begin to stockpile information in preparation for the benefits of quantum-computing where traditional encryption will become easy to crack. The advances in quantum computing that Google has recently published bring this possibility closer to becoming reality.
Significant issues will surface around the lack of adequate detection of threats that have bypassed prevention defences. To combat this, in 2020, we will see the addition of deception technology into security framework guidelines, compliance requirements, and as a factor in cyber insurance premiums and coverage.
Carolyn Crandall, chief deception officer at Attivo Networks
Supply chain vulnerabilities on the decline thanks to automation
There are several new automation technologies that automatically detect and fix security vulnerabilities in source code. In fact, GitHub recently introduced new automation features that improve the fundamentals around how quickly problems with dependencies are identified.
Because of these improvements in the way security patches with open source code are automatically identified and remediated, in 2020, we’ll see fewer supply chain issues in code.
Chris Doman, security researcher and threat engineer at AT&T Alien Labs
MITRE ATT&CK to become the go-to framework
MITRE ATT&CK will become the go-to framework and common vocabulary for every SOC.
For organisations required to have the most aggressive stances on security, such as financial services and healthcare, ATT&CK is already the go-to framework. In 2020, it will become a basis of conversation for security operations center (SOC) teams in other industries, including retail and manufacturing, as they mature their security postures.
Monzy Merza, head of security research at Splunk
Mobile will see a rise in focus
Mobile becomes the standard platform for financial interactions. Because of this the corresponding increase in the attack surface that fraudsters will have access to gets worse. Whether mobile is already part of your offering, or you will be launching a new mobile app – security needs to be baked in from the beginning, not bolted on at the end. Many fraudsters look for loopholes in the process or registering, activating or using a mobile device in relation to an online account or transaction.
App development, whether in-house or outsourced, needs to consider the best security mechanisms to protect the app and importantly the brand. Process flows also need to be streamlined. The ability to make intelligent decisions about applying the right level of security at the precise time is going to be largely driven by machine learning.
Mark Crichton, senior director of security product management at OneSpan
2020 cybersecurity predictions: Nation states and policy
Malicious software phishing for critical infrastructure
Malicious nation-state actors will continue to focus on malware and ransomware attacks. Nation-state actors don’t just want to sell cardholder data on the Dark Web, they’re targeting critical infrastructure such as electricity and water companies.
In August of 2019, emails sent to US utilities companies contained a remote access trojan as part of a spear phishing campaign. The advanced persistent threat is another in a long line of attacks targeting critical infrastructure.
With at least thirteen global presidential elections scheduled for 2020, we can expect to see more malware and ransomware attacks attempting to undermine voters’ confidence.
Alex Heid, chief research officer at SecurityScorecard
Cyberattacks on 2020 candidates will become more brazen
While attacks on campaign websites have already occurred in past election cycles, targeted attacks on a candidate’s digital identity and personal devices will mount.
With digital assistants operating in an ‘always listening’ mode, an embarrassing ‘live mic’ recording of a public figure will emerge. This recording may not be associated directly with a device owned by the public figure, but rather with them being a third party to the device. For example, the conversation being captured as ‘background noise’.
With the high value of healthcare data to cybercriminals and a need for accurate healthcare data for patient care, a blockchain-based health management system will emerge in the US. Such a system could offer the dual value of protecting patient data from tampering while reducing the potential for fraudulent claims being submitted to insurance providers.
Tim Mackey, principal security strategist for the Synopsys CyRC (Cybersecurity Research Centre)
New terminology coming
One term many technology professionals in the US will all be hearing a lot is “DSAR.” What is a DSAR? A DSAR is a “Data Subject Access Request.” It is the act, from a consumer to an organisation, requesting the details of how their personal data is being used within that organisation. Additional requests from DSARs could be made to delete their data, or to disallow the sale of their data.
Technology professionals can look within their organisation today and ask how many times are end-users requesting for an ‘audit’ of their data. The question is: can they provide this information if they were asked today? Get ready for this term, as upcoming data privacy laws (such as the CCPA data privacy law going into effect January 1, 2020) may require organisations to respond to DSARs within a certain timeframe.
Jonathan Deveaux, head of enterprise data protection at comforte AG
Cybersecurity to join the military industrial complex
Cybersecurity firms and products will, appropriately, be considered part of the military industrial complex. Offensive weaponry, espionage resources, and defensive technologies will be treated on par within traditional military budgets and take an increasing share as each year passes.
Tim Chen, CEO at DomainTools
Balkanisation of the internet
We will see further balkanisation of the internet and its services. While countries like China have traditionally maintained its own infrastructure, we have seen political issues spill out to the cyber realm, with companies like Kaspersky and Huawei being banned in the US.
We will likely see more products and services having to be tailored for local requirements and regulations.
Javvad Malik, security awareness advocate at KnowBe4
Greater regulation ahead
As we look to what will change in the year to come, California’s SB-327 IoT bill will take effect on Jan 1, 2020 requiring manufacturers to build reasonable security into their connected devices. This is a step in the right direction as it will establish minimum standards and improve security of IoT devices available in the market.
I anticipate there will be more legislative activity in 2020, especially in the US. The California Consumer Privacy Act will also take effect on January 1, 2020. I expect more states to follow suit. If done properly, regulations will bring about the accountability needed to improve the overall state of cybersecurity.
We saw several high-profile GDPR-related lawsuits, fines, and settlements in 2019. I wouldn’t be at all surprised to see more of these to hit the headlines in the coming year.
Asma Zubair, sr. manager, IAST Product Management at Synopsys
2020 cybersecurity predictions: Telecoms and the Internet of Things (IoT)
Greater connectivity, greater attack surfaces
More things will be connected, which equals a greater attack surface, for example, smart cities and buildings are increasing in number. 5G connectivity will expose legacy systems in cities, enabling connections to new threats as well as an increase in new connected buildings and factories running off the same infrastructure.
5G is going to expand the scope of OT security in the same way as IT/OT convergence exposed manufacturing plants and factories to threats. 5G opens the aperture to common everyday use cases that affect the public at large.
Dave Weinstein, CSO at Claroty
2020 will see more cyber/physical convergence
As all sectors increasingly rely on smart technology to operate and function, the gap between the cyber and physical will officially converge. This is evident given the recent software bug in an Ohio power plant that impact hospitals, police departments, subway systems and more in both the US and Canada.
Attacks on IoT devices will have a domino effect and leaders will be challenged to think of unified cyber-physical security in a hybrid threat landscape. Cybersecurity will begin to be built into advanced technologies by design to keep pace with the speed of IoT convergence and the vulnerabilities that come with it.
Josh Lemos, VP of Research and Intelligence at BlackBerry Cylance
Expect to see a cyber incident at the edge in 2020
The continued proliferation of IoT devices will make edge computing an essential component of enterprise IT infrastructure in 2020.
To power these systems, 5G will become a bedrock for organisations looking to speed up their IT operations. With this innovation and speed will come greater digital risk.
A security incident in the New Year will serve as the wake-up call for organisations leaning into edge computing. It will remind them that threat visibility across is essential as their attack surface expands and the number of edge endpoints in their network multiplies.
Rohit Ghai, president at RSA Security
IoT security to be a growing concern
This year, the use and abuse of IoT devices has risen and doesn’t look to be slowing down as we go into next year. IoT differs from computers as they have a specific purpose and cannot be re-programmed, therefore organisations need to view and assess the risks specific to the function or task of the device in order to increase the security.
Organisations, in particular the manufacturers of IoT devices, will need to adapt their security approach to ensure that these fast-growing endpoints are secure. The new Californian and Oregon IoT legislation coming into effect in January is a step in the right direction, but more must be done. IoT security is about focusing on the risks not the device.
Joseph Carson, chief security scientist & advisory CISO at Thycotic
The sleeping giant: IoT
We have been hearing many warnings about potential IoT attacks for several years – in fact, the IoT Security Foundation was launched all the way back in 2015. But while we have seen a lot of researchers warning of flaws in IoT devices, and even product recalls on home smart devices, which clearly shows hackers can misuse them we still haven’t seen a major incident compromising enterprise IoT – we are yet to have that watershed moment that makes people sit up and listen.
2020 could be the year the pendulum swings the other way, as the FBI recently warned. I have been concerned about the risk of IoT ransomware for several years, and this year we have seen ransomware targeted at hospitals and local governments with whole cities being taken offline.
Imagine if this wasn’t just data being held to ransom, but people’s pacemakers, or traffic control systems? And how do bad guys take control of these devices? They use code-signing certificates to send over the air updates and instructions, giving bad guys a backdoor into devices so they can take total control.
Kevin Bocek, vice president, security strategy & threat intelligence at Venafi