Cybersecurity in 2020 will be evolutionary but not revolutionary.
Although there is always change and churn, many of the foundational drivers remain relatively stable. Attacks in the next 12 months are likely to persist in ways already known, but taken up a notch, and that will lead to a steady escalation between attackers and defenders. The growth of devices, users, and data continues to expand the playing field, while the weaknesses of people's behaviors continue to contribute to the greatest risk factors for compromises.
Here are some of the key areas to keep an eye on.
2020 Cybersecurity Predictions
- Internet-of-Things (IoT): IoT continues to expand with insecure devices, services, and interfaces. Another 4 billion IoT devices will come online in 2020. Devices being hacked and insecure data being compromised are the two primary threats. Some progress will be made with the retirement of default or no passwords, but IoT devices will still be far from secure. At the same time, such devices will be called upon to handle even more sensitive data. Overall, the risks increase as devices become more autonomous and are employed in sensitive industries like healthcare, critical infrastructure, transportation, security, and remote-work applications.
- Cybersecurity Workforce: The demand for cybersecurity professionals continues to rise and outpace the available talent pool. By the end of 2020, there will likely be over 3 million unfilled positions. Such a global shortage leaves a dangerous range of organizations under-resourced to protect assets, services, data, and people. Leadership and technical roles will be in the highest demand. Ironically, entry-level placement will be difficult for those without experience. Frustration will fester for many entering into the field. The training gap remains for 2020 and beyond, but academic institutions will continue to move, albeit slowly, to close the deficiencies in preparing the next generation of cybersecurity professionals.
- Critical Infrastructure (CI): The war targeting critical infrastructure will heat up while remaining largely stealthy. Nation-States will jockey for access in the systems of potential adversaries. Defenders will actively pursue detection and eviction, but never achieve a high level of confidence. It is a chess game where the winner retains a foothold that could be used in the future as part of a devastating attack, to send political messages, or fuel disruption. On a positive note, no major critical infrastructure attacks will occur in 2020, at least on purpose. Accidents do sometimes happen at this level of gamesmanship. Vital sectors including government, communications, transportation, logistics, energy, national industries, and even healthcare are all potential targets for compromise. This is part of the long-game that countries play against one another.
- Cybercrime: The number of cybercriminals and attacks grows significantly, victimizing more people and incurring losses that may approach $6 trillion by the end of the year. At the top, the organized and funded crews will continue to expand and orchestrate top-tier attacks as well as massive fraud at an ever-growing scale. At the bottom of the cybercrime hierarchy pyramid, swells of novice criminals will join the ranks to help with basic labor-intensive duties. Financial hardship, desperation, and a lack of other options will draw new internet users from economically struggling geographies to venture into cybercrime. They are lured into activities such as botnet/malware distribution, money and reshipping mule duties, ransomware-as-a-service (RaaS) victim on-boarding, social engineering data harvesting, human authentication verification, amplification of investment scams, and propagation of retail fraud to make money. As a result, the global online community will suffer from an increase of ransomware, denial-of-service, online-harassment, data breaches, financial fraud schemes, and cryptojacking. The severity will drive up the overall losses due to cybercrime. The elite digital syndicates will target specific organizations for big scores with Business Email Compromises (BEC), financial transaction tampering, and data accessibility ransoms in the millions. The largest single attacks of 2020 will likely reach into the hundreds of millions in losses.
- Passwords/Authentication: Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) will remain largely ignored, regardless of the massive fleecing of accounts. Throughout the year, consumers will feel much more pain from highly automated credential-stuffing capabilities that are coupled with exploitation features for account hacking, extortion demands, and theft. Small and medium businesses (SMB) will feel the greatest pain and will struggle to find a balance between the risks, costs, and usability friction.
- Privacy: Privacy compliance will be expensive, convoluted, and political. Expectations of customers will increase for companies to keep their data private. Credit monitoring will not be enough to appease the masses. Regulatory authorities around the globe will begin greater prosecution of offenders. The news will highlight more lawsuits, massive regulatory penalties, greater customer abandonment, and executives losing their jobs because of poor choices in protecting private data or not satisfying regulations.
- Artificial Intelligence (AI): AI attacks and defenses will rise to a new level. Attacks will be more customized and scale to target large pools of potential victims. Defenses will lag, but also begin finding optimal ways to detect and block these types of attacks. Implementation of AI tools by the attackers and defenders is still in the early phases of what will be a very long and drawn out arms race.
- Malware: Vulnerability discovery, exploit creation, and development of malicious software will accelerate. It will also expand from the server, PC, and smartphone domains to include many more types of devices and services. Technical exploitation techniques get more sophisticated, but social engineering does not. It simply doesn't need to. Humans continue to be the weakest link in the ecosystem and remain the primary means for practical compromises.
- Zero-Trust: “Zero-Trust” will remain a marketing buzzword for most of the year. Basic standards and more narrowly accepted concepts will begin to emerge around Zero-Trust security. By the end of 2020, there will still not be complete consensus, standards, or frameworks. As leaders emerge, customers will begin to fall into certain camps. Results will continue to vary for this premium capability. Expect various re-branding and renaming to ensue as the term becomes stale and loses favor with marketing types because of a lack of competitive differentiation.
- 5G cybersecurity risks: The security fears of 5G reached their pinnacle in 2019. There is a lot of hype, but real risks won't actually manifest in 2020. Yes, 5G allows for greater speed, lower latency, and more connection density, but that plays for both sides. Risk organizations realize it is just the natural evolution of the battlefield, not a super-weapon. People will briefly wonder what all the fuss was about, as they enjoy a better experience. Security pundits will shift gears to focus on the next sexy potential emerging threat that could boost their budgets. Pity they aren't focusing on the human behavioral weaknesses that represent a much greater problem.
The aggregation of these factors will contribute to a thriving cybercrime industry that will show no mercy in 2020. Tools for both attackers and defenders get better. The size and complexity of our digital world will increase significantly, creating scalability issues for security while opening new opportunities for threats.
The biggest overall concern for 2020 will be that significantly more data will be in peril. Vast amounts of data will be created and potentially exposed from significantly increasing numbers of devices, services, and users. Nearly 400 thousand new internet citizens will join the connected digital world, with the largest percentage from economically struggling countries. Businesses and governments will continue to gather more information than needed and aggregate it in ways that consumers did not expect. Security will remain weak, with protections lacking for data in-use, in-transit, and at rest.
Although 2020 predictions may sound extreme, this is the normal progression for cybersecurity. It should draw a mild yawn from security professionals who are familiar with maneuvering these troubled waters every day. The best of them will remain vigilant and keep continued pressure on intersecting the tactics, techniques, and processes of attackers to drive increasing demand for better and more coordinated cybersecurity throughout the year.
Interested in more? Follow me on LinkedIn, Medium, and Twitter (@Matt_Rosenquist) to hear insights, rants, and what is going on in cybersecurity.