Tim Mackey, Principal Security Strategist for the Synopsys CyRC (Cybersecurity Research Centre):
Politicians, be weary of digital assistants
Cyber-attacks on 2020 candidates will become more brazen. While attacks on campaign websites have already occurred in past election cycles, targeted attacks on a candidate’s digital identity and personal devices will mount. With digital assistants operating in an “always listening” mode, an embarrassing “live mic” recording of a public figure will emerge. This recording may not be associated directly with a device owned by the public figure, but rather with them being a third party to the device. For example, the conversation being captured as “background noise”. With the high value of healthcare data to cybercriminals and a need for accurate healthcare data for patient care, a blockchain-based health management system will emerge in the US. Such a system could offer the dual value of protecting patient data from tampering while reducing the potential for fraudulent claims being submitted to insurance providers.
Martin Jartelius, CSO at Outpost24:
Organisations won’t be able to do without certain tools
Organisations won’t be able to do without tools to map new devices, track devices over time, identify risks to them including their users, identifying data and its exposure and then tools to help prioritize the risks to this now rather enormous attack surface.
Then come the basic tools such as all tools you need to manage this access, to isolate, log, track and monitor. Those are must haves to defend, but to do it efficiently, starting with knowing what there is to defend is a must, and being able to spot the holes in ones layers of defence a must, especially as both our environments and our protection solutions gets increasingly complex.
Jonathan Deveaux, head of enterprise data protection with data security company comforte AG:
New cybersecurity terminology…
One term many technology professionals in the U.S. will all be hearing a lot is “DSAR.” What is a DSAR? A DSAR is a “Data Subject Access Request.” It is the act, from a consumer to an organization, requesting the details of how their personal data is being used within that organization. Additional requests from DSARs could be made to delete their data, or to disallow the sale of their data. Technology professionals can look within their organization today and ask how many times are end-users requesting for an ‘audit’ of their data. The question is, can they provide this information if they were asked today? Get ready for this term, as upcoming data privacy laws (such as the CCPA data privacy law going into effect January 1, 2020) may require organizations to respond to DSARs within a certain timeframe.
Javvad Malik, security awareness advocate at KnowBe4:
Everybody wants to rule the human
The fight for attention will formalise and the battle lines will be drawn on all sides. Social media networks will continue to try and build ‘stickiness’ into their products, while we will see IoT hardware come into the fold with smart speakers, glasses, and similar trying to retain the focus of consumers. And all of this will take place under the shade of big brother and other interested parties looking to sow seeds of distrust and doubt.
David Richardson, senior director of product management at Lookout:
2FA is dead. Long live MFA.
Authentication will move from two-factor to multi-factor, including biometrics in 2020. Most companies have implemented one-time authorization codes (OTAC) to provide two-factor authentication (2FA), but Lookout, and others in the industry, have already seen OTAC targeted by advanced phishing attacks. To protect against credential theft and to address regulatory compliance, enterprises are increasingly adopting MFA and biometrics using mobile devices. This new approach strengthens authentication and improves user experience, but it is critical that the mobile device is free from compromise.
Bindu Sundaresan, Director, AT&T Cybersecurity:
The future is MSSPs
Organizations will throw DIY security out the window: IT and security infrastructures are becoming Increasingly complex and organizations are looking to automation and orchestration capabilities to detect and respond to them, yet there is a shortage of skilled cybersecurity professionals who can deploy and manage those technologies. For that reason, in 2020 managed security service providers (MSSPs) will become the first line of defense for organizations. We’ll see growth in the adoption of managed security services to help control cybersecurity threats.
Darrell Long, VP of product management at One Identity:
Getting Burned by the Cloud
There is a “gold rush” for organizations to move their data to the cloud, with everyone wanting to jump on the cloud bandwagon. The problem is many leaping before they look. Large organizations are making rapid moves to the cloud without ensuring their data is secured in transit and once it’s there. In 2020, there will be multiple organizations who deal with data privacy breaches and regulatory fines, as these steps are not being adequately addressed from the beginning of the move. Even with the Shared Responsibility Model and news about vulnerabilities with cloud security, we foresee many organizations failing to conduct due diligence and being burned by leaving their data insecure in the cloud. The result will be them finding out too late that proper identity governance and privileged access management practices could have been applied to data in its on-prem state and continue through the transition into the cloud.
Darrell Long, VP of product management at One Identity:
AI is no longer “Smoke and Mirrors”
AI has the opportunity to go from being an underutilized tool, seen as “smoke-and-mirrors” to providing real value to organizations. AI and analytics will change the way identity governance and administration (IGA) is implemented for companies and will provide a major step in the right and more secure direction of continued governance of access to a company’s enterprise and the data it holds. The reason AI and analytics were not properly secured and governed in the past was due to the fact that many organizations were not aware of how to integrate AI and analytics into their security and governance program. However, in 2020, companies are now at a point that they are more comfortable with AI and fully understand the high value it brings into the security program and now they need to step up and secure and govern it in an effective way.
Tyler Reguly, manager of security R&D at Tripwire:
2020 should be all about consumers
Whether or not it will be is a different question, but 2020 NEEDS to be all about the consumer when it comes to security. The world of end user electronics and services created a navigational nightmare for everyone. Personal account breaches and password reuse can put corporations at risk to improved phishing attacks. Smart devices are everywhere, connecting to everything. They provide such a large attack surface that they are a problem. 0.04% of Disney+ accounts saw password disclosure (most likely via password reuse), but I’ve heard from many people that they “won’t use Disney+ because it was hacked.” This type of FUD could put a smaller organization in jeopardy financially. Additionally, websites like IndieGoGo and Kickstarter allow anyone with an idea to fundraiser for a new smart device, regardless of how much domain knowledge the creator has. This leads to the creation of many insecure devices that find their way into homeowner networks regularly. Consumers need to be aware of what they are doing and the risks they create for business, for their employers, and especially for themselves.
Tim Chen, CEO at DomainTools:
Cybersecurity firms and products will, appropriately, be considered part of the military industrial complex. Offensive weaponry, espionage resources, and defensive technologies will be treated on par within traditional military budgets and take an increasing share as each year passes.