Top Five Cybersecurity Trends for 2020
Happy New Year! Have you noticed that December and January seem filled with cyber security “predictions” of things that may happen in the coming year? Well I would like to tweak the trend a little bit and give you the top 5 things I believe we ought to focus more on in 2020. It’s already shaping up to be a busy year so what do we need to do in cybersecurity to make sure we have the best year we can?
1.Balance privacy and information security. New privacy laws and increasing enforcement of existing laws can put constraints on security programs because it’s easier to just not look than to create a holistic program that balances security and privacy appropriately, especially for high-impact scenarios like insider theft. As we start seeing fines levied, expect pushback from internal and external stakeholders over existing security tools like encrypted traffic inspection. An end-to-end strategy that addresses privacy concerns preemptively can help strengthen your ability to protect the organization. Agree on guiding principles for your monitoring strategy that help balance needs with the constraints. Communicate the strategy & intent and ensure that the “why” is vetted with the right stakeholders to avoid surprises and roadblocks.
2. Secure the Internet of Things and Smart Devices. After record-breaking holiday season sales, connected devices are more prevalent than ever in both personal and professional environments. Expect privacy concerns around connected devices and shocking revelations about use of the data they collect, as well as increasing press coverage of the exploitation of IoT devices themselves. The increasing availability of 5g will also present some interesting challenges as. As device connectivity becomes cheap, many manufacturers will see an upside of connecting that is too small for them to invest in security – but the unintended uses of those devices could significant. Build an IoT strategy that addresses the reality of authorized and unauthorized devices on your network, how the “hype” is managed and converted into business value, and how security must be managed in this very different landscape. Work with your key stakeholders and implement the processes and governance you will need to be successful and sustainable.
3. Prepare for Nation state actor attacks. Politically motivated attacks, both electronic and influence / social media based, will be a constant theme in 2020. As we understand more of our susceptibility to these kinds of attacks, expect more debate over social media influence operations in the US elections, escalating tensions in the Middle East, The ongoing protests in Hong Kong, and other hot spots. In the workplace, this has a couple of non-obvious implications: First, collateral damage from nation-state attacks will happen. We all remember Not-Petya, and we could easily seem similar events this year. And second, expect overall use of social media to increase, which means more clicking risky links, more surface area to monitor, and more burden on already limited security team resources. Prioritize defining and actively managing your overall attack surface including social media and globally connected systems. Focus on covering the basics well from a PROCESS perspective as well as technical execution: patching, awareness, incident detection and response, and established prevention tools like DMARC. Resist the “silver bullet” marketing fluff.
4. Get ready for Cyber Insurance mandates and audits. As Cyber insurance continues to mature, it will have a dramatic impact on the corporate response to cyber-attacks like ransomware. When insurers become prominent in enterprise cybersecurity risk management practices, look for increased payouts for ransomware (cheaper for the insurer than recovery and response) and increasing required conformance to industry frameworks (e.g. NIST CSF) without considering alignment to the organizational risk tolerance. Insurance is a tool you can use, but it’s not a replacement for a security program. Insurance can’t help you if you lose the crown jewels, the factory goes down during the rush, or the ransomware keys don’t work. Do you have the right coverage, and do you have the broader program you need to favorably answer the underwriter’s questions?
5. Take care of your team. At this critical junction, burnout among Cybersecurity professionals is reaching catastrophic levels. Facing a crippling shortage already, firms are seeing an increasing number of experienced practitioners leave, causing short term (gaps in already understaffed programs) and long term (nobody to mentor and lead new entrants) impact. What are you doing to take care of your teams, make sustainability a priority, set the right tone from the top, and get help from others when you need it? Having an intentional talent, skill set, and certification management plan is crucial to your program’s execution in today’s cyber security market.
At Reveal Risk, we help our clients build and mature sustainable, pragmatic, and focused information security programs. To learn more about our risk-driven, holistic approach, contact us at firstname.lastname@example.org today!
About the Author
Tim Sewell is a lifelong security and technology advocate. Over a 20-year career, he’s worked for some of the most respected organizations in the world building top-notch information security programs. He holds a variety of certifications including CISSP-ISSAP, OSCP, and CEH. Since jumping off the corporate ladder in 2018 to co-found Reveal Risk, he’s helped numerous organizations from Fortune 500 to small non-profits build and mature their information security and privacy programs in practical, sustainable ways.