More 20/20 visions

As cyber anxiety manifests itself ever more widely, Part 2 of our top predictions for 2020 looks at the many challenges that lie ahead

With four generations working alongside each other for the first time, organisations will need a new approach to protecting data in 2020 and beyond, advises Jon Fielding, managing director, EMEA Apricorn. "They'll be dealing with a range of different attitudes to security, as well as evolving working practices - in particular a continued increase in mobility and flexibility. A complex security strategy that attempts to address this diverse workplace with copious models and technologies will only create more risk."

There's no 'one size fits all' when it comes to securing the multi-generation enterprise - but encrypting all data as standard, both at rest and on the move, will bring us as close as it's possible to get, he suggests. "Encrypting data end-to-end renders it unintelligible to anyone not authorised to access it. This is especially valuable when employees are mobile working - and the use of hardware encrypted storage devices will eliminate an element of the 'human risk' of data loss entirely." With the cybersecurity skills shortage biting hard, and an increasing expectation that IT will help drive the goals of the business, enterprises must look outside the industry to recruit the right people. "The most effective way to defend a modern business against cyber threats is to build a diverse security team, equipped with a range of different skillsets and experience - including business acumen, and the ability to communicate, collaborate and lead," adds Fielding.

"It may seem counter-intuitive to recruit non-specialists to a specialist role, but, when it comes to cybersecurity, an understanding of the basic, best-practice fundamentals is most important. If somebody has a solid foundation in good security hygiene, and they're willing to learn, the technical knowledge they need can be built from there."

Richard Walters, CTO of Censornet, points out that every year Artificial Intelligence (AI) bags a top spot in the list of security trends and predicts that this year will be no different. "However, whereas 2019 was heralded as the year of AI, 2020 will see businesses take a shrewder approach towards the technology. The widespread hype around AI in the industry has made it harder to determine just what it can and can't deliver. While projections indicate budgets for AI in cyber security will increase, the industry itself will have a much more critical role in deciding how AI will be applied."

The industry is shifting away from the mindset that AI will be the silver bullet in the war against cybercrime, he adds. "As with any technology, AI has its limitations. It also won't be viewed as a 'crystal ball', capable of foretelling every single attack before it happens. Despite exaggerated claims, no AI tool can predict a Black Swan event; a completely unknown attack. That's not to say that AI has no role in cyber security, as long as the tool itself is well suited to the task at hand.

"Using AI to address some of the more common information security problems is like taking a sledgehammer to crack a walnut," he comments, "so it should only play a part where the situation dictates. A company's security posture should be judged by how effectively its strategy is aligned with its objectives, rather than how much of the latest technology it has."

Stuart Reed, VP cyber - redesign - malware & CISO roles, Nominet, believes this year will see the cyber industry redesigned in some key areas. "Malware will undoubtedly evolve and ransomware will become more sophisticated, potentially even teaching businesses new ways to take payments and create customer service that encourages the victim to part with their money. That said, it will still be the simple attacks that cause the most damage, because organisations have a lot of work to do on ensuring they are utilising every layer of defence within their reach.

"We'll also see the role of the CISO redesigned in 2020, as the imbalance of their work-life worsens and the role needs to change to meet the demands of the modern cyberscape; for example, becoming more of a strategic resource for the business on mitigating risk and facilitating business transformation safely," he says.

Mark Burdett, Nominet's head of product delivery - ML & AI enhanced cyber-attacks, believes machine learning and artificial intelligence will be used to create distributed and targeted malware and attacks. "An attacker using machine learning algorithms can create a suite of botnets or worm-style malware that gathers data from multiple attempts to breach commercial sites, ultimately generating more sophisticated attacks that could be targeted at critical national infrastructure or governments," he warns. "Using data from breaches, vulnerabilities, successful and failed attacks - the 'next generation' of malware can be created. It will make fewer obvious attacks, but be more successful by using tactics proven to work. This would make pattern matching or DOS/brute-force security measures less and less effective." Protecting against this style of attack requires analysis of network patterns, command and control, and a large-scale dataset of attacks to see these attempts happening across multiple sites and networks, rather than a single instance or victim, he concludes.

Dean Coclin, senior director, Business Development at DigiCert, highlights several areas of concern for businesses this year:

• Certificate Automation - with shorter validity periods on the horizon for TLS certificates, organisations will need to start embracing automation in order to make cert management easier
• Consumers will have to heighten their security awareness, as threat actors take advantage of free Domain Validated TLS certificates to show the padlock on their websites. It's no longer sufficient to "look for the lock", one must look "beyond the lock"
• IoT Security - hackers will continue to find vulnerabilities in consumer devices, since security is not top of mind when these devices are developed. Industrial IoT security has improved, especially for critical systems such as automotive, SCADA and healthcare. "This year, we have seen the adoption of the CCPA (California Consumer Privacy Act) and the failed NYPA (NY Privacy Act)," states Coclin "There is impetus for a national privacy act, similar to GDPR, but the likelihood of that happening in the current administration is low. Nonetheless, consumers are very concerned about recent privacy breaches. States are filling the hole by adopting their own acts, but this will make compliance very difficult for companies, due to the patchwork nature of adoption," he cautions.

"After years of haplessly watching technology race ahead of regulation, governments around the world have started to enact regulations to protect consumers and mitigate security risk, says Mike Riemer, chief security architect at Pulse Secure. "A big focus for 2020 will be the increase in regulatory requirements around IoT and IIOT devices as they proliferate in corporate networks and OT systems. When organisations do not know where a device is on their network, or who it is communicating with, that poses severe security risks."

And, as more organisations adopt IoT and IIoT devices in the workforce, there need to be security policy and controls in place. "In the United States, much of this regulatory reform has been spearheaded by the state of California, which recently passed SB-327, the first law to cover IoT devices. It took effect on January 1 and regulators around the world will certainly be watching to see how effective the legislation is at minimising security risks from IoT devices," he adds. "Since the regulatory laws often have a cascading effect, we can certainly expect to see similar bills appearing across the country and eventually at a federal level. Organisations will need to make sure they, or any third-party security vendors, are compliant to protect IoT devices and the information they contain."

In terms of trends that will shape the cybersecurity landscape in 2020, Security Orchestration, Automation and Response (SOAR) will rocket as attacks demand an AI-based approach to security, believes Azeem Aleem, VP Consulting Security, NTT. "Cyber-attacks are happening at machine speed, not human speed. To keep up, organisations will need the help of machines - and data scientists - and SOAR will be the hottest area in cybersecurity. It enables organisations to predict when an attack is going to happen - and fast. We don't talk about proactive security anymore, but predictive security, which will become essential for delivering an active cyber-defence in 2020."

There are four other key trends that Aleem identifies for the security industry in 2020: Applications are becoming the new attack vector: Application-specific and web-application attacks now account for a third (32%) of hostile traffic - according to the NTT 2019 Global Threat Intelligence Report (GTIR). "Now that infrastructure is more cloud-based and software-defined, we're entering a world where the application is the easiest way to compromise data," he states. "The number of attacks on applications will increase, so organisations need to regularly evaluate the security hygiene of applications across their business and apply necessary patches - an exercise that can no longer be neglected."

Security goes to the cloud: "While organisations still buy on-premises equipment, largely for compliance reasons, more is being created and hosted in cloud environments," says Aleem. "However, if organisations are using multiple hosting centres or hyperscalers, it's more difficult to apply standardised, software-based security controls across the entire infrastructure. Applying security to the application or workload will enable them to monitor and implement the appropriate controls."

Hyperscaler patterns continue to be elusive: Fixed infrastructure tends to have standard traffic patterns that make it relatively easy to identify anomalies. "This is not the case with hyperscalers, which also make hundreds of thousands of high-speed updates to their platform on any given day. This will make it very difficult for organisations to monitor the interactions between humans, machines, data and applications in order to identify patterns and anomalies. Information, context and intelligence therefore need to be applied for a robust security posture."

Data lakes and data wallets: Data lakes will enable new models of predictive analytics, he says. "What's more, we will see data wallets that put data in the hands of the person who owns it and making it completely secure for them. Nobody can access that data without certain permissions being in place and, if the user is under threat, can be locked down."