In this year’s Cyber Security Predictions, the WatchGuard Threat Lab has imagined the top cyber attacks we’ll see in 2020 and has provided tips for simplifying your approach to stopping them. Even though the threats coming at you won’t be any less intense, complicated, or difficult to manage, 2020 will be the year of simplified security.
1. Ransomware Targets the Cloud
Highlights:
- Ransomware is a billion-dollar industry.
- Overall volume of ransomware is down, but targeted ransomware against vertical industries is on the rise.
- In 2020, targeted ransomware now tries to infect consolidated cloud assets, such as file stores, S3 buckets, and virtual environments.
Ransomware is now a billion-dollar industry for hackers, and over the last decade we’ve seen extremely virulent strains of this malware wreak havoc across every industry. As with any big-money industry, ransomware will continue to evolve in order to maximize profits. In 2020, we believe ransomware will focus on the cloud.
Recently, untargeted “shotgun blast” ransomware has plateaued with attackers showing preference for targeted attacks against industries whose businesses cannot function with any downtime. These include healthcare, state and local governments, and industrial control systems.
Despite its far-reaching damages and soaring revenues, ransomware has largely left the cloud untouched. As businesses of every size move both their servers and data to the cloud, it has become a one-stop shop for all of our most important data. In 2020, we expect to see this safe haven crumble as ransomware begins targeting cloud-based assets including file stores, S3 buckets, and virtual environments.
Security Tips: Do you have cloud security? Virtual or cloud UTM? Asking these questions is where to start. Use advanced malware protection to detect evasive malware. More importantly, consider new security paradigms that allow you to implement security controls, like advanced malware protection, in cloud use cases. Finally, the cloud can be secured, but it requires work. Make sure you’ve hardened your cloud workloads. For instance, investigate resources for properly securing S3 buckets.
2. GDPR Comes to the United States
Highlights:
- California has passed the California Consumer Privacy Act (CCPA).
- A national Consumer Data Protection Act (CDPA will not pass in 2020).
- In 2020, 10 or more states will pass laws like California’s CCPA.
Two years ago, the General Data Protection Regulation (GDPR) came into force, protecting the data and privacy rights of European Union citizens. As of yet, few places outside the EU have similar laws in place, but we expect to see the United States (U.S.) come closer to matching it in 2020.
GDPR boils down to placing restrictions on how organizations can process personal data, and what rights individuals have in limiting who may access that data, and it has already shown teeth. To date, companies have been fined millions of euros for GDPR violations, including massive €50 million and £99 million judgements in 2019 against Google and Marriott respectively. While the burden placed on companies can be intense, the protections provided to individuals are massively popular.
Meanwhile, the U.S. has suffered a social media privacy plague the last few years, with no real GDPR equivalent to protect local consumers. As organizations like Facebook leak more and more of our personal data, which bad actors have used in everything from targeted election manipulation to unethical bounty hunting, U.S. citizens are starting to clamor for privacy protections like those enjoyed by our European brothers and sisters. So far, only one state, California, has responded by passing their California Consumer Privacy Act (CCPA), which goes in effect in early 2020.
Though the same senator who passed CCPA in California has proposed a Federal Consumer Data Privacy Act (CDPA) bill, we don’t think it will gain enough support to pass nationwide in 2020. However, we do expect more and more states to jump onto California’s bandwagon, and pass state-level consumer privacy acts of their own. In 2020, we anticipate that 10 or more states will enact similar laws to California’s CCPA.
Security Tips: There isn’t a specific security tip for this prediction, but you can still take action. Contact your local congressperson to share your opinion on regulations to protect your privacy. Meanwhile, consider the lack of regulation here when sharing your private information online and with social networks.
3. Voter Registration Systems Targeted During the 2020 Elections
Highlights:
- Though voting machines are hackable, adversaries won’t spend much time targeting them.
- However, external threat actors will go after state and local voter databases with the goal of creating voting havoc and triggering voter-fraud alerts during 2020 elections.
Election hacking has been a hot topic ever since the 2016 U.S. elections. Over the last four years, news cycles have covered everything from misinformation spread across social media to alleged breaches of state voter systems. During the 2020 U.S. presidential elections, we predict that external threat actors will target state and local voter databases with a goal of creating voting havoc and triggering voter fraud-alerts during the 2020 elections.
Security experts have already shown that many of the systems we rely on for voter registration and election day voting suffer from significant digital vulnerabilities. In fact, attackers even probed some of these weaknesses during the 2016 election, stealing voter registration data from various states. While these state-sponsored attackers seemed to draw the line by avoiding altering voting results, we suspect their previous success will embolden them during the 2020 election, and they will target and manipulate our voter registration systems to make it harder for legitimate voters to submit their votes, and to call into question the validity of vote counts.
Security Tips:
While there isn’t a specific cybersecurity tip for this prediction, we do have some voter preparedness tips in the event this prediction comes true. First, double-check the status of your voter registration a few days before the election. Also, monitor the news for any updates about voter registration database hacks, and be sure to contact your local state voter authority if you are concerned. Be sure to print out the result of a successful voter registration, and bring you ID on election day, even if technically unnecessary.
4. During 2020, 25% of All Breaches Will Happen Outside the Perimeter
Highlights:
- While working remotely can increase productivity and reduce burnout, it comes with its own set of security risks.
- A quarter of all network compromises or data breaches will involve off-network assets.
Mobile device usage and remote employees have been on the rise for several years now. A recent survey by WatchGuard and CITE Research found 90% of mid-market businesses have employees working half their week outside the office. While remote working can increase productivity and reduce burnout, it comes with its own set of security risks. Mobile employees often work without any network perimeter security, missing out on an important part of a layered security defense. Additionally, mobile devices can often mask telltale signs of phishing attacks and other security threats. We predict that in 2020, one quarter of all data breaches will involve telecommuters, mobile devices, and off-premises assets.
Security Tips: Make sure you’re as diligent implementing off-network protection for your employees as you are perimeter protection. Any laptop or device that leaves the office needs a full suite of security services, including a local firewall, advanced malware protection, DNS filtering, disk encryption, and multi-factor authentication, among other protections.
5. The Cybersecurity Skills Gap Widens
Highlights:
- Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees.
- The cybersecurity skills gap grows by 15%.
Cybersecurity, or the lack of it, has gone mainstream. A day doesn’t seem to go by where the general public doesn’t hear of some new data breach, ransomware attack, company network compromise, or state-sponsored cyber attack. Meanwhile, consumers have also become intimately aware of how their own personal data privacy contributes to their own security (thanks, Facebook). As a result, it’s no surprise that the demand for cybersecurity expertise is at an all-time high.
The problem is, we don’t have the skilled professionals to fill this demand. According to the latest studies, almost three million cybersecurity jobs remained unfilled during 2018. Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees. Three-fourths of companies claim this shortage in cybersecurity skills has affected them and lessened their security.
Unfortunately, we don’t see this cybersecurity skills gap lessening in 2020. Demand for skilled cybersecurity professionals keeps growing, yet we haven’t seen any recruiting and educational changes that will increase the supply. Whether it be from a lack of proper formal education courses on cybersecurity or an aversion to the often-thankless job of working on the front lines, we predict the cybersecurity skills gap to increase an additional 15% next year. Let’s hope this scarcity of expertise doesn’t result in an increase in successful attacks.
Security Tips: While the available cybersecurity workforce won’t appear immediately, you do have options to help create and manage a strong cyber defense. Taking a long-term view, you can work with your local educational institutes to identify future cybersecurity professionals so that you might fill your open roles first. In the short term, focus on solutions that provide layered security in one solution, or work with a managed services provider or managed security services provider to whom you can outsource your security needs.
6. Multi-Factor Authentication (MFA) Becomes Standard for Mid-sized Companies
Highlights:
- 2020 will bring increased adoption of MFA among mid-sized companies.
- We’ll also see wide-spread adoption among all service providers, and even privileged or admin accounts at all businesses.
We predict that multi-factor authentication (MFA) will become a standard security control for mid-market companies in 2020. Whether it’s due to billions of emails and passwords having leaked onto the dark web, or the many database and password compromises online businesses suffer each year, or the fact that users still use silly and insecure passwords, the industry has finally realized that we are terrible at validating online identities.
Previously, MFA solutions were too cumbersome for mid-market organizations, but recently three things have paved the way for pervasive MFA, both SMS one-time password (OTP) and app-based models, among even SMBs. First, MFA solutions have become much simpler with cloud-only options. Second, mobile phones have removed the expensive requirement of hardware tokens, which were cost-prohibitive for mid-market companies. And finally, the deluge of password problems has proven the absolute requirement for a better authentication solution. While SMS OTP is now falling out of favor for legitimate security concerns, app-based MFA is here to stay.
The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors. That’s why we believe enterprise-wide MFA will become a de-facto standard among all midsized companies next year.
Security Tips: This tip is simple – implement MFA throughout your organization. Everything from logging in to your laptop each day to accessing corporate cloud resources should have some sort of multi-factor authentication tied to it.
7. Attackers Will Find New Vulnerabilities in the 5G/Wi-Fi Handover to Access the Voice and/or Data of 5G Mobile Phones
Highlights:
- Wireless carriers that manage 4G and 5G networks often hand off calls and data to Wi-Fi networks to save bandwidth, particularly in high-density areas.
- In 2020, flaws in this cellular to Wi-Fi handover process will allow attackers to access the voice and/or data of 5G mobile phones.
The newest cellular standard, 5G, is rolling out across the world and promises big improvements in speed and reliability. Unknown to most people, in large public areas like hotels, shopping centers, and airports, your voice and data information of your cellular-enabled device is communicated to both cell towers and to Wi-Fi access points located throughout these public areas. Large mobile carriers do this to save network bandwidth in high-density areas. Your devices have intelligence built into them to automatically and silently switch between cellular and Wi-Fi. Security researches have exposed some flaws in this cellular-to-Wi-Fi handover process and it’s very likely that we will see a large 5G-to-Wi-Fi security vulnerability be exposed in 2020 that could allow attackers to access the voice and/or data of 5G mobile phones.
Security Tips:
Most mobile devices don’t allow the users to disable cellular to Wi-Fi handover (also known as Hotspot 2.0). Windows 10 currently does, however. If unsure, individuals should utilize a VPN on their cellular devices so that attackers who are eavesdropping on cellular to Wi-Fi connections won’t be able to access your data. For businesses looking to enable Hotspot 2.0, make sure your Wi-Fi access points (APs) have been tested independently to stop the six known Wi-Fi threat categories detailed at http://trustedwirelessenvironment.com. If the APs block these threats, attackers cannot eavesdrop on the cellular to Wi-Fi handoff.