Cybersecurity 2020: A Perilous Landscape

Cybersecurity is a very serious issue for 2020 — and the risks stretch far beyond the
alarming spike in ransomware.

In addition to the daily concerns of malware, stolen data and the cost of recovering
from a business network intrusion, there is the very real danger of nefarious actors using cyberattacks to influence or directly impact the outcome of the 2020 U.S. general election.

Today, every company that has a computer or any connected devices or software should see itself as a “tech company.” Every
individual with a smart TV, virtual assistant or other Internet of
Things (IoT) device could be at risk as well — and the risks include being
victimized by cyberstalkers or having personal data compromised.

“We are seeing growing attack surfaces — for example, automotive, drones,
satellites and hardware components,” said Michael Sechrist, chief
technologist at Booz Allen Hamilton.

There is also “increased obfuscation from
sophisticated actors — that is, malware code reuse and similarities,” he told TechNewsWorld.

“Several major domestic and international events will likely
provide attackers opportunities for digital disruption across large
and small companies and governments alike,” Sechrist said.

Although everyone who’s connected in this increasingly connected world is a potential target, understanding the risks can help alleviate the overall threat.

“The main threat companies face is in not adequately keeping pace with
the ever-evolving security threat landscape,” said Ellen Benaim,
information security officer at Templafy.

“It is a constant battle to keep abreast of the latest issues. To
make matters worse, we predict that in 2020 cyberthreats will become
more frequent and sophisticated, spanning a wider attack surface and
causing a more deadly impact,” she told TechNewsWorld.

Old Threats Still Have Teeth

Many of the same threats that have been around for years will
continue to pose real problems in 2020. Among them are phishing attacks.

“Phishing is essentially tricking others into taking an action that
can be profited from,” said Tom Thomas, adjunct faculty member in
Tulane University’s Online Master of Professional Studies in Cybersecurity Management program.

“Since all those millions are still sitting in a bank in Nigeria
for over 20 years now, I am sure phishing is here to stay as long as
people are greedy and easily tricked,” he told TechNewsWorld.

“Education is quite common, but these scams are evolving as well —
and some of these email scams are very believable unless you look
closely, which most people do not,” warned Thomas.

Another cybersecurity threat is one that isn’t really an attack, but
rather a problem due to overworked — and at times underpaid — software
designers. This is the issue of software errors, and those errors can
result in exploits that hackers and other criminals can target.

“These are valid concerns, and with the rise of software as king in the
IT space, this means that developers are going to have to address
security within their code, new and old,” said Thomas.

Threats From Within

One overlooked area of cybersecurity is who has legitimate access to
the data, and whether those individuals can be trusted. Edward Snowden
is just one example, but the issue has plagued tech companies for
years. In the spring of 2018, Apple had to fire an employee for
leaking details of the company’s software roadmap.

This problem is likely to get worse, as there is now a cybersecurity
worker shortage, and companies are being less diligent when it comes to
new hires.

“A big threat facing companies in 2020 is the insider threat,” said
Templafy’s Benaim.

“Whether it is deliberate or not, the impact of these threats can be
devastating,” she added.

“Insider threats can manifest in a number of ways — for example, an
overtired employee might simply forward confidential data to the
wrong recipient,” Benaim said, “or a disgruntled former employee might download
customer records from a CRM tool with malicious intent. Both scenarios could lead to a severe data breach, triggering inordinate fines for your company under GDPR.”

Pointed Attacks

Even trusted employees can make critical mistakes. Hackers use
social engineering techniques to breach a network and gather
sensitive data as well as tools to encrypt data or break security systems.

In 2020 we could see “more multi-layer spearphishing, where multiple
targets inside a business are used to gather information and gain
access,” warned Laurence Pitt, global security strategy director at
Juniper Networks.

“The delivery mechanisms will also be more complicated,” he told TechNewsWorld.

“Any threat that costs money, and especially where it affects public
money — government and healthcare — will remain newsworthy,” Pitt added.

“We’ll see more attacks using common vectors, such as phishing,
download via malvertising, etc.,” he predicted, “but also attacks that use old methods
with new vectors. The Masad Stealer attack, reported by Juniper Threat
Labs in late 2019, is a good example of this, where data and money were
stolen via malware injected into a used and respected piece of software.”

Malware Hangups

It isn’t just computer networks that could be at risk in 2020. Already
we’ve seen that little has been done in recent years to ensure that
mobile devices are protected adequately from cyberattacks.

In the case of smartphones, devices could become infected simply by
downloading apps — even from what should be trusted platforms.

“The StrandHogg malware is using malicious but popular apps on the
Play store as a delivery mechanism, and until Google closes the
vulnerability that allows this to work, any device and user is
susceptible,” said Pitt.

“Mobile phones have become a gateway to our most sensitive and
personal information, and yet the offer of a free application still
gets millions of downloads without a thought as to whether it’s
‘safe,’” he added.

“Users need to stop blindly accepting device requests for access to
resources; stop downloading free apps that they do not need and
probably will only use once; and, finally, deny if an application
requests access to something that seems strange or unnecessary — for
example, a PDF reader wanting access to SMS messages,” advised Pitt.
“This will help keep devices and data more safe.”

Fake Out

Another major concern for 2020 might not affect data directly, but it should be on everyone’s radar nonetheless: the rise of “deepfakes,” manipulated videos that have been used to discredit individuals, to spread misinformation, and to cause harm in seemingly endless ways.

Deepfakes have increased in sophistication. Ever more powerful
computers and even mobile devices are making it all too easy to create convincing fakes. One concern is how they might be used in conjunction with fake news across mobile platforms.

“Deepfake technologies will be used to attempt to influence the 2020
elections in the United States and beyond,” predicted Erich Kron, security
awareness advocate at KnowBe4.

“Fake videos and audio will be released close to the election time in
order to discredit candidates or to swing votes,” he warned.

“While these will be proven as fakes fairly rapidly, undecided voters
will be influenced by the most realistic or believable fakes,” Kron added.

Securing the Cloud

One misconception about cybersecurity is that off-site or hosted
storage comes with greater risks. The cloud may have certain
advantages, in fact.

“There is a common misconception that the cloud is inherently less
secure than traditional on-premises solutions,” said Andrew
Schwarz, professor in the Information Systems & Decision Sciences
program in the E. J. Ourso College of Business Administration at
Louisiana State University.

“The problem is that when there is a cloud breach — such as the breach
over the summer at AWS — it makes huge headlines, and skeptics point to
these examples as reasons why companies should be reluctant to move
their own systems into the cloud,” he told TechNewsWorld.

“The problem with these examples is that network security is
subject to the principle of the greatest weakness — your data will be
vulnerable in the interface that is the weakest,” he added.

“Cloud security is going to continue to improve as the cloud itself
matures,” said Tulane’s Thomas.

“In fact ‘cloud,’ if implemented correctly, can increase security risks —
so ensuring that these risks are mitigated is critically important,”
he pointed out.

Last summer’s AWS breach showed that the cloud isn’t the fundamental problem. It
wasn’t the cloud provider that was at fault but a misconfigured firewall, which was due to a decision the client made.

“Furthermore, cloud providers will only survive if their clouds are
secure and are investing R&D in providing new approaches to security
that will push the boundaries of security as we know it,” said
LSU’s Schwarz. “Any breach means a certain death to providers. Thus it is in
their best interests to keep systems secure. The answer is therefore
that the cloud is not only secure, but is more secure than most, if
not all, on-premises data centers.”

Security in Real Time

Cybersecurity isn’t just about computer networks or consumer devices.

There are several significant upcoming events that hackers could target, and what is at stake goes well beyond money or data.

“There are three major events in 2020 that will certainly be a magnet
to cybercriminals and nation state actors: the U.S. presidential
election; the first-ever online U.S. census; and the Olympic games in
Tokyo,” noted Mounir Hahad, head of
Juniper Threat Labs at Juniper Networks.

“We will identify meddling attempts on social media; attempts at
infiltrating campaign staff; security holes in the census process, and
attempts to exploit them; and that some attack on the Olympics
infrastructure will probably succeed to some extent,” he told TechNewsWorld.

“I am very concerned about the election. Government IT Security is
woefully lacking, especially when you get down to the county and
precinct level, which is where these machines are accessible,” noted
Thomas.

“Electronic voting is still evolving slowly — and that is what concerns
me, as we have seen in the news that electronic ballots are far easier
to subvert than paper ballots,” he said.

None of these problems will be easily addressed this year, or even in
the years to come. Cybersecurity remains a field that has too many
openings and too few candidates. It requires constant diligence
and never-ending training.

The cost of not doing enough, however, could be even greater.

“The fact of the matter is that as long as criminals can gain access
to data, they can impact the confidentiality, integrity or
availability of it — and there’s little a company can do at that point,”
said KnowBe4’s Malik.

“Companies should appropriately protect data
with cryptography, so that even if criminals gain access to the data,
they cannot impact the integrity or confidentiality,” he recommended. “Finally, the
trend we will likely continue to see is the breaching of companies
through the supply chain or other trusted third parties.”


Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.

source: technewsworld.com