The total cost of data breaches is expected to increase nearly 70 percent over the next five years, from $3 trillion in 2019 to more than $5 trillion in 2024, according to a recent Juniper Research report. Given the rising damages along with cybercriminals’ continually evolving tactics, it’s more critical than ever for organizations to not only protect against current threats but also understand and protect against evolving threats and tactics. Below are the top four security predictions that researchers and other executives at cybersecurity firm Webroot believe businesses should be aware of moving into 2020.
Phishing and Other Social Engineering Scams Will Become Even More Sophisticated, Targeted and Believable
The most surprising and concerning finding from Webroot’s annual 2019 Nastiest Malware Report released in October was a dramatic growth in the complexity and sophistication of phishing attacks and other social engineering scams.
For example, business email compromise (BEC) was one of the most prevalent campaigns of the year – increasing 100 percent over 2018. These types of attacks require cybercriminals to impersonate their victim’s boss or colleague over email and convince the victim into sending wire transfer payments or sharing credentials. The attacks need to be tailored to each individual victim, making them difficult to launch, but also more lucrative. According to the FBI, BEC scams have caused over $26 billion in losses in the past three years.
Unfortunately, we expect this trend of highly targeted social engineering scams to continue. As security intelligence director Grayson Milbourne pointed out, “Phishing will become more targeted as data collected from breaches is incorporated into the phishing email. Things like passwords and recent transactions can go a long way in convincing people the email is legit.”
In addition to becoming more targeted, complex and damaging, social engineering attacks are also becoming more common. In fact, Webroot’s Mid-Year Threat Report released in October found that phishing attempts increased by 400 percent from January to July 2019.
Emotet Will Remain the Nastiest Malware for the Third Year in a Row
Webroot found that the Emotet botnet was the most prevalent and persistent strain of malware in 2018 and 2019, despite being shut down from June to September 2019. It held onto this notorious title by continuing to evolve and wreak havoc in different ways, whether by delivering cryptomining payloads or ransomware infections via Trickbot/Ryuk or Dridex/Bitpaymer.
Given its variety of attack methods and ability to evolve, there’s no reason to believe this won’t continue in 2020. Jason Davison, advanced threat research analyst, believes the botnet won’t just be the largest but also most persistent: “Emotet will continue to be the front runner in terms of both botnet size and malspam distributed.”
As the AI Cat-and-Mouse Game Continues, Organizations Will Need Capable AI-Powered Solutions – Not Just AI Components and Claims
AI has reached an unprecedented level of hype in the security industry. Promises have been made and broken; untold marketing expenditure has been made on promoting AI's virtues and unverified claims. With adversarial attacks against AI-based security products growing in scope and complexity, it will eventually be evident which solutions are actually AI-powered and which are mostly hype. As described by Joe Jaroch, senior director of product strategy, “There will be a bifurcation in AI providers with attacks highlighting which systems are vulnerable to sophisticated attackers. It will become clear that there are fundamentally two types of AI in cybersecurity: AI which acts like a smarter conventional signature, and AI which is built into every facet of an intelligent, cloud-based platform capable of cross-referencing and defending itself against adversarial attacks.”
Additionally, we will see tangible gains by organizations that are using AI technology in pragmatic approaches to solving security problems. This includes humans and AI tools partnering to do what each is best at – humans to unravel unseen new threats and create defenses, and AI to automate real-time detection of threats at electronic speeds and volumes.
On the adversarial side, in addition to leveraging AI to launch larger and more complex attacks, there is no doubt we will see more AI experimentation by cybercriminals. One concerning likely scenario is the implementation of AI in the production of deepfakes, where it could be used to automatically edit out artifacts and "glitches" that can be used today to differentiate between real and fake. Eventually, we will see a world where we will not be certain that the entity on the other end of any conversation – phone call, email, text, tweet, article, or feed – is human or not.
Cyber Insurance Will Gain Adoption, Especially in Government and Eventually for the Automotive Sector
Cyber insurance is booming, with the U.S. market reaching $1.8 billion in 2018, three times what it was in 2015. But still, only 51 percent of organizations are leveraging cyber insurance. This number will rise substantially as the costs of cybercrime continue growing and organizations realize that the benefits of taking preventative measures far outweigh the cost of doing nothing – particularly for government institutions.
“Local governments and state offices remain easy targets for large, well-structured threat actors,” said Jason Davison, advanced threat research analyst. “Getting ransomed for $600,000 is only fun so many times. Why not get cyber insurance to help stop the bleeding?”
After bleeding to the tune of $18 million as the result of a ransomware attack in May, Baltimore recently approved a cyber insurance plan to help protect against future attacks.
However, it should be noted that despite better protecting themselves financially, organizations that leverage cyber insurance should be prepared to face more attacks because they tend to be lucrative targets for cybercriminals.
“We will continue to see the low-hanging fruit of smaller cities and municipalities being targeted, particularly where there is a high prevalence of cyber insurance in place, where insurers find the ransom cost lower than remediation costs,” said senior solutions architect Matt Aldridge. “Hopefully as this part of the insurance industry evolves it will work more closely with cybersecurity vendors and service providers to ensure that insured parties are properly protected from the majority of threats.”
While the government sector is already a common target among cybercriminals today, security analyst Tyler Moffitt anticipates attacks on the automotive sector – and in turn, the sector’s adoption of cyber insurance – also growing in 2020 and beyond.
“Having cybersecurity protection and insurance coverage for cyberattacks on cars will become the norm down the road. Cybercriminals will take advantage of new unique automotive vectors to exploit, including unmonitored charge points for electric cars, as well as advanced software platforms on today’s cars that manufacturers are incredibly slow to react to and patch. I anticipate that we will eventually see a proof of concept on ransomware for cars as well,” he says.
Cybercrime cost businesses an average of $13 million each in 2018, a 12 percent increase over 2017, according to the Ponemon Institute – despite businesses spending an average of $1.45 million each on cybersecurity, according to Hiscox’s 2019 Cyber Readiness Report. Clearly, organizations need to adjust their approach, particularly by accounting for and protecting against emerging and future threats in addition to current threats.