In the cyberweapons race between cybersecurity experts and cyber attackers, the only advantage the ‘good guys’ have is staying ahead of threat scenarios so that systems can meet the threats head-on. Of course, the threat landscape is continually changing with every new piece of technology on the market, so security companies and CISOs (chief information security officers) need to be continually assessing trends and new forms of attack. Here are some predictions for the coming year that portend what may be in store.
- Ransomware Continues to Thrive
The use of ransomware by attackers is expected to continue to rise into 2020. This type of malware is evolving fast to escape detection by security programs, disable backups, and alter access permissions. With many insurance companies preferring to pay the ransom in 2019, ransomware has become a very profitable form of attack. Also, there are many ransomware-as-a-service providers willing to sell their software on the Dark Web for a small percentage of the profits, making it easily accessible to any cybercriminal. Recent developments have seen ransomware bundled with other malware, such as the ‘triple threat’ of Emotet, Trickbot, and Ryuk.
- Increase in BEC attacks
This year has seen an increase in BEC (business email compromise) attacks, as well as better targeting and more sophisticated usage of social engineering. Attackers now can compromise the email accounts of employees in the financial departments of organizations and to gather information from the conversations. They can then use this to interject at the right opportunity and get the staff member to unknowingly transfer funds into a third-party account. The success of this form of attack has seen companies lose between $26 billion between 2016 and 2019, and it is predicted that the BEC may soon overtake ransomware in profitability.1
- Manipulation of AI and Machine Learning
It is highly probable that, in 2020, we will see attackers using AI to automate and expand attacks. It could also be used to trick systems by bypassing access permissions in order to reach resources or user accounts. Using algorithms, machine learning would be able to detect and target potential victims for phishing campaigns to focus on those more likely to click on a malicious link. Or it could collect data across the web to target the right user for a BEC scam. The possibilities are, unfortunately, endless and while there has not yet been an attack using ML or AI, it is not far off. Thankfully, the very attributes which make AI and ML attractive to cybercriminals also make it extremely useful for cybersecurity purposes. Improvements in AI could speed up detection rates of intrusion, without false positives (a problem with older technologies like SIEM -Security Information and Event Management), and set in motion a response far faster than a human.2
This year also saw the first use of deep fake audio to trick a UK energy company out of $243 million.3 Now that it has been proved that this form of AI-backed technology can turn a handsome profit, you can expect other cybercriminals to follow suit. In 2020, it is predicted that the BEC will move to the phone.
- Data Stolen From Mobiles
Ads on mobiles are a common way for app developers to make money. However, it has recently been found that several of these apps contain malicious code designed to steal the personal data of the user. This year two adware and data harvesting campaigns – SimBad and Operation Sheep – both Android applications have had over 250 million downloads – have caused havoc for many users.4 These unwanted apps, while infuriating in themselves, have the potential for becoming vectors to deliver other, more dangerous malware.
- Increased Attacks on Cloud Computing and Collaboration Platforms
With more companies storing their data in the cloud, it will prove tempting to attackers to find a way to get to it, either directly through the cloud hosts or otherwise by compromising third-party libraries. The method used will most likely be code injection. Platforms used for collaboration in companies, such as Google Drive and Microsoft’s OneDrive will also see an increase in the frequency and sophistication of attacks.5
- An Increase in Cybersecurity Budgets
With greater awareness of the increasing danger from cyberattacks, organizations will spend more of their budgets on cybersecurity. 6 However, whether it will still be enough, or even focused on the right areas is another matter. Cybercriminals are evolving significantly better malware all of the time, and creating a security environment that will adapt and respond to the ever-changing threat landscape will be a challenge. There will be an increased need for fully qualified CISOs. However, while there is still a skills shortage in this area, not every company or institution will be able to attract one.
- Managed Service Providers (MSPs) Increasingly Targeted
Following on from successes in targeting MSPs in 2019 to spread malware to multiple businesses and organizations in one hit. Not only can data be harvested, but malware such as ransomware be distributed to cause maximum impact, as in the attack on 22 Texas communities in August 2019.7
- Attackers Exploit an Ever-widening Attack Surface
The continued growth of the Internet of Things (IoT), with their often vulnerable security settings, increased dependency on cloud-based and third-party services, and the larger number of people who bring their own devices to work, all widen the attack surface. Hackers will always look for the easiest way in, and although these peripheral commodities offer convenience for the user or company, they are often an open door for attackers. With more opportunities available for them, there is the potential for some substantial data breaches in 2020. The rolling out of 5G will only exacerbate the threat as more data is collected and stored across third-party platforms than ever before.8
- Data Privacy Will Become Ever More Important to Consumers
With large tech giants such as Google, Facebook, and Amazon harvesting their users’ data for marketing purposes, privacy no longer seems to be an option for the average consumer. Add to that the many data breaches from companies that store personal data, such as hotels and healthcare providers, and the flood of data out there has become a tsunami. Europe has tried to address privacy laws through GDPR, and now California is set to do the same through CCPA. Other states in the US are also drafting similar legislation such as Washington State with its Washington Privacy Act (“WPA”). As the teeth of these regulations bite, more and more firms are going to be fined if they suffer privacy breaches, and this may force other companies to tighten their procedures around cybersecurity and data privacy.9
In 2020 we are going to see a huge increase in the role of the cybersecurity professional, as well as a rise in the number of cybersecurity training schools. Companies will need to keep up-to-date with both potential risks and security systems if they are to save their business from possible financial loss and brand damage. With greater numbers of cybercriminals being able to easily and cheaply obtain malicious code on the Dark Web, as well as having a broader attack landscape to exploit, there will be absolutely no room for complacency.
- Kevin Franks, ‘11 Cybersecurity Predictions For 2020,’ Security Boulevard, 12/0/2019, accessed at https://securityboulevard.com/2019/12/11-cybersecurity-predictions-for-2020/
- Justin Fier, ‘The Threat of AI-Powered Cyberattacks Looms Large,’ AI Business, 09/25/2019, accessed at https://aibusiness.com/the-threat-of-ai-powered-cyberattacks-looms-large/
- Nick Statt, ‘Thieves Are Now Using AI Deepfakes to Trick Companies Into Sending Them Money,’ The Verge, 09/05/2019, accessed at https://www.theverge.com/2019/9/5/20851248/deepfakes-ai-fake-audio-phone-calls-thieves-trick-companies-stealing-money
- ‘Researchers Expose Massive Mobile Adware and Data Stealing Campaigns With 250 Million Downloads,’ Helpnetsecurity, 03/13/2019, accessed at https://www.helpnetsecurity.com/2019/03/13/mobile-adware-and-data-stealing-campaigns/
- Liron Barak, ‘Top 5 Cybersecurity Predictions For 2020,’ Helpnetsecurity, 12/09/2019, accessed at https://www.helpnetsecurity.com/2019/12/09/cybersecurity-predictions-2020/
- Kevin-Franks, ‘11 Cybersecurity Predictions For 2020,’ Security Boulevard, 12/0/2019, accessed at https://securityboulevard.com/2019/12/11-cybersecurity-predictions-for-2020/
- Lindsey O’Donnell, ‘Coordinated Ransomware Attack Hits 23 Texas Government Agencies,’ Threatpost, 08/19/2019, accessed at https://threatpost.com/coordinated-ransomware-attack-hits-23-texas-government-agencies/147457/ The 23 municipalities mentioned were later revised to 22.
- Ohad Amir, ‘Cyber Threats to IoT in 2020,’ Techradar Pro, 12/20/2019, accessed at https://www.techradar.com/uk/news/cyber-threats-to-iot-in-2020
- Gil Press, ‘141 Cybersecurity Predictions For 2020,’ Forbes, 12/03/2019, accessed at https://www.forbes.com/sites/gilpress/2019/12/03/141-cybersecurity-predictions-for-2020/