Email and internet-facing applications will continue to be the top threat vectors as we head into 2020. Unfortunately, many organisations still have inadequate protections in place. Email threats evolve quickly as attackers find new ways to evade traditional email security solutions, so organisations will need to turn to more advanced protection that can keep up with changing tactics. Web application security is often overlooked because most organisations don’t have the resources or skills needed to manage the solutions properly. In addition, many customers presume their hosting service supplies this protection when it may cover some but not all of their requirements. A continuing trend toward cloud-based and as-a-service application security solutions will help make this more accessible for a broader range of organisations, which will help address this problem in the coming year. Finally, as more and more customers leverage public cloud infrastructure and solutions, human error will continue to be the primary source of breaches, leading to misconfigurations and overlooked vulnerabilities.
Going into 2020, CISOs will need to understand the proliferation of privacy and compliance laws that are being proposed and implemented globally. The General Data Protection Regulation (GDPR) was just the beginning, and executives need to be prepared to adapt as similar regulations are introduced. The implications of these types of rules can be far-reaching, and they’re bound to get more complex, particularly as organisations try to navigate potential overlap. CISOs also need to continue to make sure they are effective at driving support for key security initiatives with the CEO and board members, capitalising on the attention raised by increasing security concerns to get the resources they need to address new challenges. It will be increasingly important for security executives to focus on how to integrate security into company culture so everyone in the organisation understands the roles they play in keeping the company secure.
Highly targeted attacks, conversation hijacking and deepfakes of people’s voices will proliferate as mechanisms for business email compromise (BEC) attacks, making these highly targeted threats even more convincing, and ultimately more costly. Recent Barracuda research showed that BEC makes up only 7 per cent of spear-phishing attacks, but the price for successful attacks can be steep. According to the FBI, businesses have lost $26 billion in the past four years due to BEC attacks, and with new tactics like this, I expect to see that number grow even faster. It’s also a major election year, so we should expect to see nation states using the Russian playbook to influence elections at both a local and national level, and government organisations need to be prepared to defend against these attacks. Internet of Things-based security attacks will gain more prominence as cybercriminals find new ways to exploit IoT security vulnerabilities.
The public sector and education will continue to be key targets of hackers and attackers. Organisations in both of these industries are operating under tight budgets, often with minimal security and IT staff and outdated technology, which leaves them vulnerable to a wide range of attacks, such as ransomware.
I expect to see more consolidation amongst vendors in 2020 as customers look for platforms instead of standalone solutions. Customers will be looking for streamlined experiences that are simple to manage and make their lives easier, and vendors will need to adapt accordingly.