Cyber risks associated with new technology “to become mainstream” in 2020

Infosecurity Europe has asked its community of C-Level security professionals what they think the year ahead has in store. The list includes a range of challenges, opportunities and broader trends across technology, business and the world. Many of the participating CISOs have highlighted the risks presented by emerging technologies that are expected to become more widely adopted in 2020.

Deloitte’s cyber risk partner Peter Gooch observed: “2020 will see more deployment of security automation tools. Where this is done well, it will allow organisations to adapt rapidly to changing attack tactics. Where it’s done poorly, it will be more complicated to unpick. There will be a drive for more transparency when contracting for cloud services, with vendors required to expose more data and events for consumption by SIEM tools and to evidence security practices and capabilities closer to real-time. Hackers are increasingly targeting unstructured data to hide and launch attacks so the priority is very much to implement robust governance.”

Gooch added: “More than 100 companies worldwide will begin testing private 5G by the end of 2020, which could increase the attack surface, in turn making data flows harder to follow and the job of those responsible for securing them more challenging.”

Mark Nicholls, head of information security and governance at housing association Peabody, has flagged up vulnerabilities with Artificial Intelligence (AI) and the Internet of Things (IoT). “Machine learning has established itself in 2019, and we will begin to move towards true AI in 2020, but one must remember whatever can be used for good purposes can also be used by the criminals. Imagine a DDoS attack powered by true AI. As consumers strive for a smarter and even more connected world, we will see more attacks targeting connected devices as a means to an end. This isn’t new, but the attack surface will become bigger. We must continue to educate to ensure that people are our strongest line of defence.”

The attack vectors most likely to take centre stage in 2020 are another common theme. Becky Pinkard, CISO at award-winning bank Aldermore, expects to see more attacks due to technical debt. “In the bid to keep pace with consumer demand and technology capabilities, industry is borrowing more technical debt than it’s repaying. I think we’ll see more headlines about successful attacks due to this growing debt and the associated ‘shadow risk’ it creates. The march towards open banking in financial services, incorporating APIs, distributed ledger technology and AI in rapid-fire succession, and with a focus on capturing the customer’s attention first, often means security is de-prioritised on the route to delivery.”

Reaching the tipping point

“We’re seeing credential stuffing run rampant, and I wonder if this will escalate as more data and more username and password pairs are out there,” stated Troy Hunt, regional director at Microsoft. “Or we might reach a tipping point where organisations decide they need to block some login attempts that have the right username and the right password, but are not coming from the right person. In the US, enforcement cases are being brought against ‘corporate victims’ of credential stuffing. The situation will either worsen or organisations will have to adapt.”

When it comes to the security approaches that will mitigate the risks which dominate in 2020, David Boda (head of information security for the Camelot Group) believes ‘back to basics’ is best. “A focus on robust and timely access control and patching will still yield the biggest reduction in risk for the majority of organisations across all sectors. These are the two areas that vendors, consultants and end user organisations should all be talking about.”

Killian Faughnan, Group CISO at William Hill, agrees that access control will be important, and particularly so when it comes to the next generation workplace. “Access control is difficult to solve without being either too restrictive or too lenient. Given that, in 2020, 35% of our workforce will be millennials, we need to find the right balance to enable employees in a way that works for them.”

Some CISOs believe that solutions will come from the industry working more closely together. “I believe we will start to see greater collaboration between security companies, hopefully resulting in greater end-to-end security capability,” asserted Mark Nicholls.

On a similar tack, Peter Gooch believes that convergence will be a key trend. “2020 could see a number of high-profile mergers and acquisitions as well as an expansion and formalisation of vendors into a more converged world. This is likely to be similar to the ERP revolution that transformed the way in which many finance and operations teams function and could well mean a more efficient operational model for those in cyber.”

Addressing the skills shortage

Two hot topics in 2018-2019 are not front of mind with our CISOs this year. One of these is the skills shortage. “We will continue to talk about it,” commented Killian Faughnan, “though I think we may have hit a critical point. More companies will begin to recruit from pools of potential security professionals rather than existing ones. It’s easier to teach a developer how to be an application security professional than the other way around.”

There was also less focus on the European Union’s General Data Protection Regulation (GDPR), probably due to the fact that both it and its impact are no longer the unknown they once were. Paul Watts (CISO for Dominos Pizza in the UK and Ireland) has observed signs of ‘breach apathy’ and wonders whether 2020 will see a continuation of this trend. “While this could be attributed in part to political distractions, I do think industry seems to be reporting more, but are the public caring less? I’m still reflecting on whether this is a blessing or a curse for CISOs as we move into the next decade.”

One question that’s often pondered at this time of year is whether we’re about to see the ‘mega breach’ that will put high-profile incidents like Equifax’s in the shade. “One thing we can never know is: will there be a crazy data breach that turns the world on its head again?” posited Troy Hunt. “If we see another incident like Ashley Madison or Equifax, which had massive and serious impacts across tens of millions of people’s lives, this will be a headline-grabber that sticks around for some time. However, these things are enormously hard to predict.”

Nicole Mills, senior exhibition director at the Infosecurity Group, explained to Risk Xtra: “2020 will see the continuation of some long-standing trends, challenges and security risks. For example, a number of technologies that have been talked about for some time will become more widely adopted. We need to be ready to implement, use and protect them in an appropriate way.”

Mills added: “There was less emphasis on the skills shortage and the GDPR in our CISOs’ predictions this year, but we do need to remember that these challenges haven’t gone away. The ‘talent gap’ is still growing, and we need to continue working together as an industry to find solutions. While the GDPR isn’t the burning issue it was last year, organisations cannot rest on their laurels. If they’re compliant they need to work to stay compliant. It’s not just the fines that should worry organisations, either. Negative brand and reputation issues can take years to redress.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.