Cybersecurity is a very serious issue for 2020 — and the risks stretch far beyond the alarming spike in ransomware.
In addition to the daily concerns of malware, stolen data and the cost of recovering from a business network intrusion, there is the very real danger of nefarious actors using cyberattacks to influence or directly impact the outcome of the 2020 U.S. general election.
Today, every company that has a computer or any connected devices or software should see itself as a “tech company.” Every individual with a smart TV, virtual assistant or other Internet of Things (IoT) device could be at risk as well — and the risks include being victimized by cyberstalkers or having personal data compromised.
“We are seeing growing attack surfaces — for example, automotive, drones, satellites and hardware components,” said Michael Sechrist, chief technologist at Booz Allen Hamilton.
There is also “increased obfuscation from sophisticated actors — that is, malware code reuse and similarities,” he told TechNewsWorld.
“Several major domestic and international events will likely provide attackers opportunities for digital disruption across large and small companies and governments alike,” Sechrist said.
Although everyone who’s connected in this increasingly connected world is a potential target, understanding the risks can help alleviate the overall threat.
“The main threat companies face is in not adequately keeping pace with the ever-evolving security threat landscape,” said Ellen Benaim, information security officer at Templafy.
“It is a constant battle to keep abreast of the latest issues. To make matters worse, we predict that in 2020 cyberthreats will become more frequent and sophisticated, spanning a wider attack surface and causing a more deadly impact,” she told TechNewsWorld.
Old Threats Still Have Teeth
Many of the same threats that have been around for years will continue to pose real problems in 2020. Among them are phishing attacks.
“Phishing is essentially tricking others into taking an action that can be profited from,” said Tom Thomas, adjunct faculty member in Tulane University’s Online Master of Professional Studies in Cybersecurity Management program.
“Since all those millions are still sitting in a bank in Nigeria for over 20 years now, I am sure phishing is here to stay as long as people are greedy and easily tricked,” he told TechNewsWorld.
“Education is quite common, but these scams are evolving as well — and some of these email scams are very believable unless you look closely, which most people do not,” warned Thomas.
Another cybersecurity threat is one that isn’t really an attack, but rather a problem due to overworked — and at times underpaid — software designers. This is the issue of software errors, and those errors can result in exploits that hackers and other criminals can target.
“These are valid concerns, and with the rise of software as king in the IT space, this means that developers are going to have to address security within their code, new and old,” said Thomas.
Threats From Within
One overlooked area of cybersecurity is who has legitimate access to the data, and whether those individuals can be trusted. Edward Snowden is just one example, but the issue has plagued tech companies for years. In the spring of 2018, Apple had to fire an employee for leaking details of the company’s software roadmap.
This problem is likely to get worse, as there is now a cybersecurity worker shortage, and companies are being less diligent when it comes to new hires.
“A big threat facing companies in 2020 is the insider threat,” said Templay’s Benaim.
“Whether it is deliberate or not, the impact of these threats can be devastating,” she added.
“Insider threats can manifest in a number of ways — for example, an overtired employee might simply forward confidential data to the wrong recipient,” Benaim said, “or a disgruntled former employee might download customer records from a CRM tool with malicious intent. Both scenarios could lead to a severe data breach, triggering inordinate fines for your company under GDPR.”
Even trusted employees can make critical mistakes. Hackers use social engineering techniques to breach a network and gather sensitive data as well as tools to encrypt data or break security systems.
In 2020 we could see “more multi-layer spearphishing, where multiple targets inside a business are used to gather information and gain access,” warned Laurence Pitt, global security strategy director at Juniper Networks.
“The delivery mechanisms will also be more complicated,” he told TechNewsWorld.
“Any threat that costs money, and especially where it affects public money — government and healthcare — will remain newsworthy,” Pitt added.
“We’ll see more attacks using common vectors, such as phishing, download via malvertising, etc.,” he predicted, “but also attacks that use old methods with new vectors. The Masad Stealer attack, reported by Juniper Threat Labs in late 2019, is a good example of this, where data and money was stolen via malware injected into a used and respected piece of software.”
It isn’t just computer networks that could be at risk in 2020. Already we’ve seen that little has been done in recent years to ensure that mobile devices are protected adequately from cyberattacks.
In the case of smartphones, devices could become infected simply by downloading apps — even from what should be trusted platforms.
“The StrandHogg malware is using malicious but popular apps on the Play store as a delivery mechanism, and until Google closes the vulnerability that allows this to work, any device and user is susceptible,” said Pitt.
“Mobile phones have become a gateway to our most sensitive and personal information, and yet the offer of a free application still gets millions of downloads without a thought as to whether it’s ‘safe,'” he added.
“Users need to stop blindly accepting device requests for access to resources; stop downloading free apps that they do not need and probably will only use once; and, finally, deny if an application requests access to something that seems strange or unnecessary — for example, a PDF reader wanting access to SMS messages,” advised Pitt. “This will help keep devices and data more safe.”
Another major concern for 2020 might not affect data directly, but it should be on everyone’s radar nonetheless: the rise of “deepfakes,” manipulated videos that have been used to discredit individuals, to spread misinformation, and to cause harm in seemingly endless ways.
Deepfakes have increased in sophistication. Ever more powerful computers and even mobile devices are making it all too easy to create convincing fakes. One concern is how they might be used in conjunction with fake news across mobile platforms.
“Deepfake technologies will be used to attempt to influence the 2020 elections in the United States and beyond,” predicted Erich Kron, security awareness advocate at KnowBe4.
“Fake videos and audio will be released close to the election time in order to discredit candidates or to swing votes,” he warned.
“While these will be proven as fakes fairly rapidly, undecided voters will be influenced by the most realistic or believable fakes,” Kron added.
Securing the Cloud
One misconception about cybersecurity is that off-site or hosted storage comes with greater risks. The cloud may have certain advantages, in fact.
“There is a common misconception that the cloud is inherently less secure than traditional on-premises solutions,” said Andrew Schwarz, professor in the Information Systems & Decision Sciences program in the E. J. Ourso College of Business Administration at Louisiana State University.
“The problem is that when there is a cloud breach — such as the breach over the summer at AWS — it makes huge headlines, and skeptics point to these examples as reasons why companies should be reluctant to move their own systems into the cloud,” he told TechNewsWorld.
“The problem with these examples is that network security is subject to the principle of the greatest weakness — your data will be vulnerable in the interface that is the weakest,” he added.
“Cloud security is going to continue to improve as the cloud itself matures,” said Tulane’s Thomas.
“In fact ‘cloud,’ if implemented correctly, can increase security risks — so ensuring that these risks are mitigated is critically important,” he pointed out.
Last summer’s AWS breach showed that the cloud isn’t the fundamental problem. It wasn’t the cloud provider that was at fault but a misconfigured firewall, which was due to a decision the client made.
“Furthermore, cloud providers will only survive if their clouds are secure and are investing R&D in providing new approaches to security that will push the boundaries of security as we know it,” said LSU’s Schwarz. “Any breach means a certain death to providers. Thus it is in their best interests to keep systems secure. The answer is therefore that the cloud is not only secure, but is more secure than most, if not all, on-premises data centers.”
Security in Real Time
Cybersecurity isn’t just about computer networks or consumer devices.
There are several significant upcoming happenings that hackers could target, and what is at stake goes well beyond money or data.
“There are three major events in 2020 that will certainly be a magnet to cybercriminals and nation state actors: the U.S. presidential election; the first-ever online U.S. census; and the Olympic games in Tokyo,” noted Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“We will identify meddling attempts on social media; attempts at infiltrating campaign staff; security holes in the census process, and attempts to exploit them; and that some attack on the Olympics infrastructure will probably succeed to some extent,” he told TechNewsWorld.
“I am very concerned about the election. Government IT Security is woefully lacking, especially when you get down to the county and precinct level, which is where these machines are accessible,” noted Thomas.
“Electronic voting is still evolving slowly — and that is what concerns me, as we have seen in the news that electronic ballots are far easier to subvert than paper ballots,” he said.
None of these problems will be easily addressed this year, or even in the years to come. Cybersecurity remains a field that has too many openings and too few candidates. It requires constant diligence and neverending training.
The cost of not doing enough, however, could be even greater.
“The fact of the matter is that as long as criminals can gain access to data, they can impact the confidentiality, integrity or availability of it — and there’s little a company can do at that point,” said KnowBe4’s Malik.
“Companies should appropriately protect data with cryptography, so that even if criminals gain access to the data, they cannot impact the integrity or confidentiality,” he recommended. “Finally, the trend we will likely continue to see is the breaching of companies through the supply chain or other trusted third parties.”