Cybersecurity is a very serious issue for 2020 — and the risks stretch far beyond the alarming spike in ransomware.
In addition to the daily concerns of malware, stolen data and the cost of recoveringfrom a business network intrusion, there is the very real danger of nefarious actors using cyberattacks to influence or directly impact the outcome of the 2020 U.S. general election.
Today, every company that has a computer or any connected devices or software should see itself as a “tech company.” Everyindividual with a smart TV, virtual assistant or other Internet ofThings (IoT) device could be at risk as well — and the risks include beingvictimized by cyberstalkers or having personal data compromised.
“We are seeing growing attack surfaces — for example, automotive, drones,satellites and hardware components,” said Michael Sechrist, chieftechnologist at Booz Allen Hamilton.
There is also “increased obfuscation fromsophisticated actors — that is, malware code reuse and similarities,” he told TechNewsWorld.
“Several major domestic and international events will likelyprovide attackers opportunities for digital disruption across largeand small companies and governments alike,” Sechrist said.
Although everyone who’s connected in this increasingly connected world is a potential target, understanding the risks can help alleviate the overall threat.
“The main threat companies face is in not adequately keeping pace withthe ever-evolving security threat landscape,” said Ellen Benaim,information security officer at Templafy.
“It is a constant battle to keep abreast of the latest issues. Tomake matters worse, we predict that in 2020 cyberthreats will becomemore frequent and sophisticated, spanning a wider attack surface andcausing a more deadly impact,” she told TechNewsWorld.
Old Threats Still Have Teeth
Many of the same threats that have been around for years willcontinue to pose real problems in 2020. Among them are phishing attacks.
“Phishing is essentially tricking others into taking an action thatcan be profited from,” said Tom Thomas, adjunct faculty member inTulane University’s Online Master of Professional Studies in Cybersecurity Management program.
“Since all those millions are still sitting in a bank in Nigeriafor over 20 years now, I am sure phishing is here to stay as long aspeople are greedy and easily tricked,” he told TechNewsWorld.
“Education is quite common, but these scams are evolving as well –and some of these email scams are very believable unless you lookclosely, which most people do not,” warned Thomas.
Another cybersecurity threat is one that isn’t really an attack, butrather a problem due to overworked — and at times underpaid — softwaredesigners. This is the issue of software errors, and those errors canresult in exploits that hackers and other criminals can target.
“These are valid concerns, and with the rise of software as king in theIT space, this means that developers are going to have to addresssecurity within their code, new and old,” said Thomas.
Threats From Within
One overlooked area of cybersecurity is who has legitimate access tothe data, and whether those individuals can be trusted. Edward Snowdenis just one example, but the issue has plagued tech companies foryears. In the spring of 2018, Apple had to fire an employee forleaking details of the company’s software roadmap.
This problem is likely to get worse, as there is now a cybersecurityworker shortage, and companies are being less diligent when it comes tonew hires.
“A big threat facing companies in 2020 is the insider threat,” saidTemplay’s Benaim.
“Whether it is deliberate or not, the impact of these threats can bedevastating,” she added.
“Insider threats can manifest in a number of ways — for example, anovertired employee might simply forward confidential data to thewrong recipient,” Benaim said, “or a disgruntled former employee might downloadcustomer records from a CRM tool with malicious intent. Both scenarios could lead to a severe data breach, triggering inordinate fines for your company under GDPR.”
Even trusted employees can make critical mistakes. Hackers usesocial engineering techniques to breach a network and gathersensitive data as well as tools to encrypt data or break security systems.
In 2020 we could see “more multi-layer spearphishing, where multipletargets inside a business are used to gather information and gainaccess,” warned Laurence Pitt, global security strategy director atJuniper Networks.
“The delivery mechanisms will also be more complicated,” he told TechNewsWorld.
“Any threat that costs money, and especially where it affects publicmoney — government and healthcare — will remain newsworthy,” Pitt added.
“We’ll see more attacks using common vectors, such as phishing,download via malvertising, etc.,” he predicted, “but also attacks that use old methodswith new vectors. The Masad Stealer attack, reported by Juniper ThreatLabs in late 2019, is a good example of this, where data and money wasstolen via malware injected into a used and respected piece of software.”
It isn’t just computer networks that could be at risk in 2020. Alreadywe’ve seen that little has been done in recent years to ensure thatmobile devices are protected adequately from cyberattacks.
In the case of smartphones, devices could become infected simply bydownloading apps — even from what should be trusted platforms.
“The StrandHogg malware is using malicious but popular apps on thePlay store as a delivery mechanism, and until Google closes thevulnerability that allows this to work, any device and user issusceptible,” said Pitt.
“Mobile phones have become a gateway to our most sensitive andpersonal information, and yet the offer of a free application stillgets millions of downloads without a thought as to whether it’s’safe,'” he added.
“Users need to stop blindly accepting device requests for access toresources; stop downloading free apps that they do not need andprobably will only use once; and, finally, deny if an applicationrequests access to something that seems strange or unnecessary — forexample, a PDF reader wanting access to SMS messages,” advised Pitt.”This will help keep devices and data more safe.”
Another major concern for 2020 might not affect data directly, but it should be on everyone’s radar nonetheless: the rise of “deepfakes,” manipulated videos that have been used to discredit individuals, to spread misinformation, and to cause harm in seemingly endless ways.
Deepfakes have increased in sophistication. Ever more powerfulcomputers and even mobile devices are making it all too easy to create convincing fakes. One concern is how they might be used in conjunction with fake news across mobile platforms.
“Deepfake technologies will be used to attempt to influence the 2020elections in the United States and beyond,” predicted Erich Kron, securityawareness advocate at KnowBe4.
“Fake videos and audio will be released close to the election time inorder to discredit candidates or to swing votes,” he warned.
“While these will be proven as fakes fairly rapidly, undecided voterswill be influenced by the most realistic or believable fakes,” Kron added.
Securing the Cloud
One misconception about cybersecurity is that off-site or hostedstorage comes with greater risks. The cloud may have certainadvantages, in fact.
“There is a common misconception that the cloud is inherently lesssecure than traditional on-premises solutions,” said AndrewSchwarz, professor in the Information Systems & Decision Sciences program in the E. J. Ourso College of Business Administration atLouisiana State University.
“The problem is that when there is a cloud breach — such as the breachover the summer at AWS — it makes huge headlines, and skeptics point tothese examples as reasons why companies should be reluctant to movetheir own systems into the cloud,” he told TechNewsWorld.
“The problem with these examples is that network security issubject to the principle of the greatest weakness — your data will bevulnerable in the interface that is the weakest,” he added.
“Cloud security is going to continue to improve as the cloud itselfmatures,” said Tulane’s Thomas.
“In fact ‘cloud,’ if implemented correctly, can increase security risks –so ensuring that these risks are mitigated is critically important,”he pointed out.
Last summer’s AWS breach showed that the cloud isn’t the fundamental problem. Itwasn’t the cloud provider that was at fault but a misconfigured firewall, which was due to a decision the client made.
“Furthermore, cloud providers will only survive if their clouds aresecure and are investing R&D in providing new approaches to securitythat will push the boundaries of security as we know it,” saidLSU’s Schwarz. “Any breach means a certain death to providers. Thus it is intheir best interests to keep systems secure. The answer is thereforethat the cloud is not only secure, but is more secure than most, ifnot all, on-premises data centers.”
Security in Real Time
Cybersecurity isn’t just about computer networks or consumer devices.
There are several significant upcoming happenings that hackers could target, and what is at stake goes well beyond money or data.
“There are three major events in 2020 that will certainly be a magnetto cybercriminals and nation state actors: the U.S. presidentialelection; the first-ever online U.S. census; and the Olympic games inTokyo,” noted Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“We will identify meddling attempts on social media; attempts atinfiltrating campaign staff; security holes in the census process, andattempts to exploit them; and that some attack on the Olympicsinfrastructure will probably succeed to some extent,” he told TechNewsWorld.
“I am very concerned about the election. Government IT Security iswoefully lacking, especially when you get down to the county andprecinct level, which is where these machines are accessible,” notedThomas.
“Electronic voting is still evolving slowly — and that is what concernsme, as we have seen in the news that electronic ballots are far easierto subvert than paper ballots,” he said.
None of these problems will be easily addressed this year, or even inthe years to come. Cybersecurity remains a field that has too manyopenings and too few candidates. It requires constant diligenceand neverending training.
The cost of not doing enough, however, could be even greater.
“The fact of the matter is that as long as criminals can gain accessto data, they can impact the confidentiality, integrity oravailability of it — and there’s little a company can do at that point,”said KnowBe4’s Malik.
“Companies should appropriately protect datawith cryptography, so that even if criminals gain access to the data,they cannot impact the integrity or confidentiality,” he recommended. “Finally, thetrend we will likely continue to see is the breaching of companiesthrough the supply chain or other trusted third parties.”