With Thanksgiving in the rearview mirror, we find ourselves rapidly hurtling towards that annual unknown: the new year. 2019, much like 2018 before it, left businesses and customers awash in a tidal wave of data breaches. Just as prior years’ data breaches led to 2018’s General Data Protection Regulation (GDPR) furor, so the increased number and sophistication of data breaches led to 2019’s increased in regulatory oversight initiatives such as the California Consumer Protection Act (CCPA), New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act. As companies begin thinking about their primary 2020 cybersecurity activities, they need to proactively strategize. With that in mind, here are SecurityScorecard’s top 6 cybersecurity predictions for 2020.
1. Forecasting cloudy days
Organizations seeking to retain their competitive edge will be accelerating their digital transformation strategies from “cloud first” to “cloud only” over the next few years. According to Gartner, the worldwide Infrastructure-as-a-Service (IaaS) public cloud market grew 31.3% in 2018 while the overarching cloud services industry grew 17.5%. More than a third of polled organizations listed cloud services as one of their top three technology investment priorities for 2019. Based on the data, Gartner estimates that the cloud services industry will nearly triple its size by 2022.
As companies migrate their mission critical data and applications to the cloud, we predict that malicious actors will focus more on open ports, Distributed-Denial-of-Service (DDoS), and web application attack methodologies. Securing the cloud will need to be a primary initiative for organizations throughout 2020 unless they want to be another news headline.
2. Bringing in The Terminator
As more organizations look to mitigate data breach risks and costs, artificial intelligence and machine learning might be one answer to the problem. According to IBM’s “2019 Cost of a Data Breach” report, organizations using fully deployed AI/ML security solutions spent on average $2.65 million compared to the $5.16 million organizations without automation spent.
As organizations face the stark reality that data breaches are now a “when” rather than an “if,” more will incorporate new, Big Data, analytic technologies to mature their cybersecurity programs. In combination with increased cloud migration, more companies will mature their cybersecurity programs using AI/ML for greater visibility and control over digital assets.
3. Malicious software phishing for critical infrastructure weaknesses
Malicious nation-state actors will continue to focus on malware and ransomware attacks. Nation-state actors don’t just want to sell cardholder data on the Dark Web, they’re targeting critical infrastructure such as electricity and water companies.
In August of 2019, emails sent to U.S. utilities companies contained a remote access trojan as part of a spear phishing campaign. The advanced persistent threat is another in a long line of attacks targeting critical infrastructure.
With at least thirteen global presidential elections scheduled for 2020, we can expect to see more malware and ransomware attacks attempting to undermine voters’ confidence.
4. A flood of data privacy regulations
The cybersecurity Magic 8 Ball indicates that “all signs point to yes” when asking whether more regulations would come in 2020.
CCPA and NY SHIELD foreshadow 2020’s privacy and security trends. The United States Congress debated a federal privacy regulation in June 2019. Despite being derailed at the end of the year, businesses and congresspeople alike are pushing to create a single, cohesive federal law governing privacy and security.
The United States isn’t the only country looking to formalize and consolidate its privacy laws. The Saudi Arabian Monetary Authority (SAMA) cybersecurity framework in conjunction with the GDPR’s extraterritorial impact pressures other Middle Eastern countries to update their privacy regulations. For example, the Dubai International Financial Centre Authority (DIFCA) sent out a call for public commentary in June 2019.
5. More than quantity – also quality
If the GDPR and CCPA taught the cyber community one lesson in 2019, it would be that not all laws are created equally. While the GDPR and CCPA are testing just how far a “local” law can reach, India’s Personal Data Protection Bill and the failed New York Privacy Act test the standard of care companies need to provide.
Both of these regulations use the term “data fiduciary.” Traditionally used in terms of money, a fiduciary duty requires a company to act in someone else’s (often shareholders’) best interests. If regulations continue to use the term “data fiduciary,” organizations may be held to a higher standard of care than “negligence.” If regulations begin to adopt the term “data fiduciary” in 2020, we predict a cultural shift recognizing information as a financially valuable asset.
6. Building a security dam for your supply stream
Judging by the increased regulatory and industry standard focus on governance, compliance requirements will continue to focus on protecting your organization from third-party risks. As more organizations add Software-as-a-Service (SaaS) applications to their IT catalog, they also they share more data with third-parties.
As new laws are enacted and enforced, companies will see more stringent vendor risk monitoring requirements and increasingly be held liable for losses caused by breaches arising from their supply stream. Continuously monitoring of your third-party risk may be one of the few ways to mitigate the financial impact of those breaches.
SecurityScorecard enables you to secure your future
A robust cybersecurity program increasingly protects your organization from financial, compliance, and reputation risks. SecurityScorecard’s platform applies AI/ML to help you continuously monitor for new cybersecurity risks that threaten your organization and your supply stream.
Our security ratings use an easy-to-read A-F scale that provide at-a-glance insight risks impacting your IT ecosystem. SecurityScorecard’s platform collects publicly available data from across the internet and aligns that information to ten groups of factors, including IP reputation, DNS health, web application security, endpoint security, network security, patching cadence, leaked credentials, social engineering, and hacker chatter. SecurityScorecard’s continuous monitoring capabilities provide meaningful alerts that enable you to mitigate threats and strengthen your cybersecurity posture.
