It’s almost 2020, which means teams are finalizing cyber budgets, strategies and goals. However, as you’re preparing for the new year, it’s important to keep an eye out for how the cybersecurity landscape might shift in 2020.
From the rise in investor focus on cybersecurity issues to the diversification of cyber insurance, there are three critical security trends cyber professionals should be prepared to address if they want a successful (and secure) 2020.
Investors will add cyber risk into their analyses
In 2020, cybersecurity is going to play a larger role in financial investments than ever before. Equifax was the first company ever to receive a credit downgrade because of a data breach, and that downgrade made investors hesitate to invest in companies without understanding their cyber risk.
It’s an understandable fear: Our research shows a majority of Fortune 1000 companies have at least one remote administration service running on an open port. With current security like this, breaches are inevitable.
Savvy investors are holding off on investing in companies without good security. They’re beginning to uncover a link between companies with strong cybersecurity posture and strong stock performance. Though the research is still in its infancy, I suspect that many investors will soon incorporate cyber into their ESG analysis.
For the security professional, this is an opportunity to showcase your worth to the C-suite. Having strong security will no longer be just about protecting against breaches; it also means a better draw for investors, whether they’re looking to purchase stocks or invest in your business.
Attackers will focus less on zero-day vulnerabilities and more on blunt-force attacks
Zero-day vulnerabilities receive the most attention from the media, but in 2020, hackers probably won’t bother with these highly publicized attacks. Instead, they’ll home in on simple strategies, like gaining access to a network through a third party or an unpatched system.
In fact, this trend is already starting to emerge. For example, APT33 relies almost exclusively on brute-force password spraying when attacking critical infrastructure. These methods have succeeded, with breached companies facing Shamoon and Shapeshifter, two of APT33’s go-to deployments. And the number of business email compromise (BEC) attacks has soared in the past year; financial media conglomerate Nikkei lost $29 million to this ploy. On top of these recent examples, the NSA reports that it very rarely responds to intrusions from zero-day vulnerabilities; instead, it focuses primarily on incidents involving exploited unpatched hardware and software.
To counteract these trends, cyber plans will need to return to the basics and focus on building a strong security foundation. This includes continuously monitoring for new threats and vulnerabilities, consistently evaluating the security posture of your third-party partners, and more. The importance of employee cyber education also can’t be overstated. Oftentimes, the weakest link in security postures is still the human element.
Cyber insurance will play a larger role in cyber plans
From ransomware to BEC, the costs of responding to cyberattacks are relentlessly increasing, and 2020 will be the tipping point for cyber insurance. Many companies, especially smaller ones, are learning the hard way they don’t have the resources to mitigate cyberattacks alone, especially ones that arrive from third-, fourth-, or even fifth-party partners.
Though most cyber insurance policies won’t directly pay for any money lost in a BEC or phishing attack, they will help finance legal investigations and fees. As more companies adopt cyber insurance policies, the insurance industry will educate itself on the nuances of cyberattacks and begin offering additional cyber coverage plans, including ones that cover consequences and losses outside of the cyber realm.
Whether it’s through an extended power outage that leads to looting or a crash from faulty transportation communications, companies need to go into 2020 ready for how cyber attacks could impact the physical world. One way to do that is for companies to reevaluate their current cyber insurance policy or start shopping for their first.
Planning for 2020 cybersecurity trends
The new year will bring a range of challenges for cyber professionals, but trying to anticipate and plan for them now will mitigate their ramifications.
To start, companies need to ensure their CFOs and other stakeholders understand the growing financial impact of cybersecurity. As security tools become more efficient, executives might be tempted to lower budgets without understanding how badly a cyberattack would affect not only their day-of operations, but also the business’s long-term financial stability.
Additionally, the importance of a strong cyber foundation needs to be a focus in the new year. We’re seeing hackers rely on tried-and-true methods rather than chasing down the latest zero-day vulnerability, meaning routine patching and third-party partners with continuously monitored, strong security hygiene are key to protecting businesses.
Finally, the role cyber insurance will play in businesses can’t be ignored any longer. Cyber insurance is expanding to mitigate losses that come from anywhere in the supply chain, and even from outside of it; it doesn’t matter if you’ve been breached or if your next-door neighbor has been.