Cybersecurity is a thankless job, where success is measured by silence — mishaps make headlines.
Last year data privacy regulators sank their teeth into companies that were breached or exposed customer data. Failed cybersecurity protocols are at the root of data breaches, ransomware and supply chain attacks.
Cybercriminals are evolving their tactics as the security industry grapples with cyberattack response and weighs the merits of paying ransoms. With malware strains morphing into new threats and regulators dutifully watching for errors, companies are counting on their infosec teams more than ever.
Cybersecurity trends to watch in 2020:
1. Security is integrating with data science
Data gives companies a competitive edge. Data scientists leverage AI algorithms, made available as open source, to cut and paste AI models together.
But AI models rely on quality data, scalable computing and reliable algorithms. The cloud has lifted computing constraints, but it has also allowed companies to modernize rapidly, sometimes leaving ethical considerations behind.
AI implementation is outpacing "clear regulatory and ethical consensus," according to Gartner, threatening privacy's current high stakes.
"Algorithms and the handling of personal data will become more perceptive," Lenley Hensarling, chief strategy officer of Aerospike, told CIO Dive. "At the same time, the handling of data will become more careful."
Data processing, rather than data collection, is riskier for companies, according to Gartner. Deanonymization, an increase in data lakes, and various definitions of privacy all contribute to a more complex landscape in need of protection.
"Regulators, like much of the public in general, are becoming savvier about data, both personal and otherwise, and about its use," said Hensarling. "We are well into multiple generations of digital natives as full participants in the marketplace."
2. Ransomware is rising to a crisis level
Ransomware took hold of industry last year, leeching off smaller entities, such as state governments, healthcare facilities and school districts.
The operators behind GandCrab retired the ransomware last year as successor REvil debuted. In 2019, McAfee said there would be "stronger malware as a service families" as malicious hackers would partner up, consolidating the ecosystem.
The actors behind GandCrab abandoned ship for REvil, while also learning from Maze's operators. The ransomware operators have taken encryption to another level, threatening to publicly disclose or sell stolen data to competitors.
It's a "double whammy" ransomware attack, Brett Callow, threat analyst for Emsisoft, told CIO Dive in an email. Exfiltrated data "used as additional leverage to extort ransoms are a relatively new phenomenon."
While this is a micro-trend gearing up for the New Year, according to Emsisoft, ransomware-turned-breach has longevity dependent on its profitability.
3. Vendors are infusing machine learning into offerings
To combat human error in security, vendors are upping their machine learning (ML) capabilities.
"The security industry has got a real opportunity in 2020 to solve some previously unsolvable problems," Neil Larkins, CTO of Egress, told CIO Dive. Evolving from "static technology," cybersecurity is moving to be more versatile.
Cloud and data security make up a much lower portion of security spending, $15 million and $72 million, respectively, according to Gartner. However, they are the fastest-growing segments for risk management.
"What we try to do is not remove the human from the loop, but make the human in the loop's job easier," Matt Scholl, chief of the computer security division at the National Institute of Standards and Technology (NIST), told CIO Dive.
ML has the potential to infringe on privacy. Companies using ML are conducting experiments, looking for conclusions, and "through that kind of discovery process using machine learning algorithms and big data sets, there's potential to have privacy issues if you don't bind algorithms and your data set appropriately," said Scholl.
Vendors will likely expand offerings to reach more privacy-specific management.
"Similar to security, [privacy is] people, process and technology," said Scholl. "If people think there's a single tool that you can use or if it's just process and legal compliance, I think both of those aren't correct. It's all of it."
4. Managed service providers beware of increasing attacks
Bad actors spent 2019 sending ransomware to smaller entities, but those entities were also collateral victims. Managed service providers (MSPs) will continue to be targets.
While zero trust is gaining traction, actual implementation is loose, said Larkins. Companies have a difficult time balancing constant validation and user experience. "Operational efficiency frequently creates pushback until security standards are lowered."
As a result, customers of MSPs felt the impact of their cyberattacks.
Attacks on remote monitoring and management software used by MSPs and other remote access solutions "enable multiple companies to be attacked simultaneously," according to Callow. In one case, more than 400 customers were impacted by the disruption, according to Emsisoft.
MSP CyrusOne was hit in December, impacting six customers' availability. At least 13 MSPs or cloud-based service providers were struck by ransomware in 2019, according to Armor.
Attacks on MSPs were "entirely foreseeable and mostly preventable," according to Emsisoft.
With exfiltration as an added threat, cyberattacks create "the potential for the data of multiple organizations to be stolen in one fell swoop," according to Emsisoft.
Remote access solutions that are patched, protected by two-factor or multifactor authentication, or entirely disabled best mitigate risk.
"Additionally, they need to ensure their service providers are abiding by best practices," said Callow. MSPs, in reaction to the string of ransomware attacks, have applied cybersecurity solutions instead of taking the recommended proactive stance.
5. Security tools and protocols moonlight as privacy safeguards
There are no tools explicitly for privacy, but there are mechanisms to protect consumer data. Companies will continue to lean on existing security tools to prevent incidents that jeopardize consumer data.
Data breaches tie security and privacy implications together. This year, privacy regulators penalized Marriott International and British Airways for failing to securely protect their customers' data.
Capital One suffered a data breach after a flaw in its web application firewall (WAF) was exploited. WAFs contribute to cybersecurity strategies focused on protecting the perimeter rather than data.
Privacy is a by-product of cybersecurity protocols. Organizations are quick to declare the IT security team as most responsible for privacy, but it doesn't exist in a vacuum.
Identity management fuses privacy and security together. "Security provides the tools for the safe and careful handling of personal information," said Hensarling.
However, 95% of C-suite executives allocate 20% or less of cybersecurity funds to identity solutions, according to Deloitte. Legacy systems are complicating identity solution deployment, and companies have failed to build in API-based systems compatible with app integration.
Companies are hard-pressed to outsource identity management needs, but the cybersecurity skills gap is widening. Jersey Mike's, for example, adopted an identity as a service (IDaaS) model for centralizing customer and corporate data linked to business partners.
IDaaS streamlines consumer privacy and ease of access, making it the new security perimeter. It frees companies up from having to own multiple identities, like email addresses and passwords.