The cost of a data breach in 2019 came out to an average of $3.9 million. The U.S. proved to be the most expensive country, and healthcare was the most costly industry, according to the IBM Cost of a Data Breach Report. Protecting company and customer data remains a top priority for security professionals, and 2020 will be no exception. Here are my predictions for how data privacy will shape the new year.
With Data Privacy Day upon us, it is the perfect time to forecast impending threats and share some security best practices to get professionals on the right track. Millions of people are unaware and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to spark that dialogue and empower individuals and companies to take action when it comes to their private information.
Data Privacy Day is an international effort to empower individuals and businesses to respect privacy, safeguard data, and enable trust. Unfortunately, the threats are coming, and they will not be any less intense, complex or difficult to manage in 2020. In fact, I would expect the opposite. Your security will truly depend on how your organization takes advantage of the knowledge and expert assistance available to safeguard your critical infrastructure.
Here are 10 predictions on data privacy in 2020:
#1 Wide-Spread Regulations Will Take Hold
In 2018 the General Data Protection Regulation (GDPR) was enacted into EU law. GDPR is a regulation covering data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA. Since then, many companies within the United States have updated their data privacy policies to comply as well.
In addition to the GDPR regulations, the California Consumer Privacy Act (CCPA) was created in 2018 and went into effect on January 1, 2020. The CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California.
All companies that serve California residents and have at least $25 million in annual revenue must comply with the CCPA. In addition, companies of any size that hold personal data on at least 50,000 people, or that derive more than half of their revenue from the sale of personal data, also fall under this law.
While new regulations may not go into effect in 2020, they will be in the works. In fact, many organizations that are not required to comply with GDPR or CCPA are taking actions to do so regardless. I expect more and more states to jump onto California’s bandwagon and pass state-level consumer privacy acts of their own. In 2020, experts are anticipating that over 10 states will enact similar laws to the CCPA.
Gaining customer trust is a tricky process, but losing it is simple. Leaving the security of customers’ personal data up to chance is not an option. There are many security options available to help protect you against breaches.
Security Recommendation: If you are not currently required to comply with either consumer privacy regulation, get ahead of the game and start the process early. There is no downside to being overly secure, compliant, and safe. Gain the trust of your customers, prospects, and partners by staying in front of the competition and evolving regulations.
#2 Ransomware Will Target the Cloud
According to a report by EMSISOFT, the combined costs of 2019’s ransomware incidents could be in excess of $7.5 billion. While they believe this overstates the actual costs (a small school district’s recovery expenses are unlikely to run to seven figures), it nonetheless provides an indication of the enormous financial impact of these incidents.
As ransomware continues to benefit cyber criminals, it will continue to evolve in order to maximize profits. In 2020, ransomware will turn its focus on the cloud.
Recently, untargeted ransomware attacks have plateaued, with attackers showing preference for targeted attacks against industries whose businesses cannot function with any downtime. These include healthcare, state and local governments, and industrial control systems.
As these industries and businesses move their important workloads to the cloud, ransomware will follow. It will start to target cloud-based assets including virtual environments.
Security Recommendation: Do not run from the cloud. Rather, find a cloud service provider with the proper security controls in place. Use advanced malware protection to detect evasive malware. Not all cloud services will fit your business needs. Hybrid cloud deployments are growing in popularity, and for good reason. In fact, Gartner Group reported that 90 percent of enterprises will operate some form of hybrid cloud by 2020.
#3 A Shortage of Skilled Workers Worsens
According to the State of Cybersecurity Hiring report, cybersecurity jobs account for 13 percent of all information technology jobs. Yet, on average, cybersecurity jobs take 20 percent longer to fill than other IT jobs, even though they pay well.
The issue? Educational institutions are not producing enough qualified candidates to fill the demand for new information security employees.
Not a day goes by where we do not hear of some new data breach or attack. Meanwhile, consumers are becoming more and more aware of how their personal data privacy contributes to their own security. As a result, the demand for cybersecurity professionals is at an all-time high.
Unfortunately, according to the latest studies, almost three million cybersecurity jobs remained unfilled during 2018. I do not see the skill gap lessening in 2020. In fact, as attacks get more advanced, I foresee that skill gap widening.
Cybersecurity is a specialty, but most of the workers who practice it are not specialists. In many organizations, cybersecurity is a task built into other IT jobs, like network administrators. Overall, these “cyber-enabled” jobs form the majority (56 percent) of all cybersecurity-related openings, reported the State of Cybersecurity Hiring.
Security Recommendation: While certifications are crucial, there are too many jobs open and not enough certified workers. Employers may benefit from removing the upfront certification requirements. Instead of finding the perfect professional right out of the gate, make a commitment to ongoing education and training to foster growth with a good candidate.
Help newer professionals master the basics, then provide them with opportunities for advanced certification programs. Offer incentives for those working learners who present a strong possibility of bringing new energy into the IT security workforce.
#4 Multi-Factor Authentication Becomes the Standard
Multi-factor authentication has evolved to become one of the single most effective controls to insulate an organization against remote attacks. When implemented correctly, it can prevent most threat actors from easily gaining an initial foothold into an organization, even if credentials become compromised.
In the past, many organizations opted out of multi-factor authentication because it was cumbersome, but recently multi-factor authentication programs have simplified with cloud-only options. I believe that app-based multi-factor authentication is here to stay.
The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors.
Security Recommendation: If you have not already implemented multi-factor authentication throughout your organization, do so immediately. Everything from logging into a computer to accessing resources from the cloud should have some sort of multi-factor authentication tied to it.
#5 More Breaches Will Happen Outside the Corporate Network
Many offices now allow their employees to work remotely in order to increase productivity and reduce burnout. With that comes a set of security risks to address before letting staff go completely mobile.
Mobile device usage for work and remote employees has been on the rise for several years now. A recent survey by WatchGuard and CITE Research found 90 percent of mid-market businesses have employees working half their week outside the office.
Many times, when employees work outside the corporate network, they lack network security, missing out on an important part of a layered security defense. I predict that we will see a rise in data breaches that involve remote workers, mobile devices, and off-premises assets.
Security Recommendation: Before implementing a remote workplace, create diligent off-network protections for your employees. Any work device that leaves the office needs a full suite of security services, including a local firewall, advanced malware protection, DNS filtering, disk encryption, and multi-factor authentication (among other protections).
#6 IoT Device Vulnerability
Securing IoT networks against attack is essential but presents significant challenges. Many IoT devices are online 24/7 and have significant bandwidth available, making them attractive targets for Distributed Denial of Service (DDoS) botnets. Attackers can also use them as stepping-stones to compromise enterprise or home networks through the devices' backend connectivity.
As 5G becomes a reality, billions of humans and trillions of machines can take advantage of enhanced mobile broadband. Everyone from businesses to individuals will face technical challenges when it comes to keeping their data secure and managing their IoT devices.
Security Recommendation: Most mobile devices do not allow users to disable cellular-to-Wi-Fi handover, or Hotspot 2.0. Windows 10 currently does, however. If unsure, individuals should use a VPN on their cellular devices so that attackers are not able to access their data. For businesses looking to enable Hotspot 2.0, make sure your Wi-Fi access points (APs) have been tested independently to stop the six known Wi-Fi threat categories detailed at http://trustedwirelessenvironment.com.
#7 Security Budgets Will Increase
In the new year, businesses will significantly increase spending on cybersecurity. The big challenge is ensuring that the spending focuses on the right areas. Despite the record amount of money spent on cyber defenses worldwide, we will continue to see an uptick in data attacks and breaches. If funding is spent strategically, risk will be dramatically reduced. Unfortunately, the past has shown us that budgets are rarely spent in a beneficial way.
Security Recommendation: Rather than increasing a security budget for the sake of throwing money at an issue, get strategic about where your organization specifically needs security. Map out the vulnerabilities you face and vet the vendors that have the security and compliance certifications and capabilities to reduce risk on your behalf.
#8 Enterprises Will Enforce Employee Security Training
Security training allows organizations to influence behavior, mitigate risk, and ensure compliance. There are countless benefits of initiating security awareness training within a company. In 2020 there will be an increased effort to enforce regular employee security awareness training to combat phishing and social engineering attempts.
Willis Towers Watson found that about 90 percent of cyber claims stemmed from some sort of human behavior or error. If a program is implemented to teach employees about common scams, such as email attachments that contain malware or phishing emails that steal personal information, they are much less likely to accidentally click links or open files.
Security Recommendation: If your organization does not already do so, implement ongoing security awareness training. With mandatory education, employees are far less likely to click on a malicious link or share intellectual property with a cybercriminal using social engineering to gain access to confidential information.
#9 Malware Attacks on Medical Devices Will Threaten Healthcare Security
There is an emerging trend of ransomware attacks on medical devices, creating serious vulnerabilities in healthcare security. While these attacks have mostly been under the radar, and are few and far between to date, we can expect an uptick in these highly targeted attacks in 2020.
Within the next five years, 44 percent of medical technology companies surveyed by Deloitte predict that all their devices will connect through IoT. This shift is creating a dangerous new attack surface. Despite the growing threat to medical devices, most U.S. healthcare providers still lack a documented strategy for protecting them. This lack of planning ensures that this will be a trending cyber threat in 2020.
Security Recommendation: HIPAA regulations, especially the HIPAA Security Rule, provide cybersecurity guidance but do not constitute a comprehensive set of standards or IoT device rules. Start by auditing existing IoT policies for medical devices with a wide cybersecurity lens. In addition to a formalized policy, create processes and invest in solutions to improve compliance and overall security.
#10 Business Email Compromise (BEC) Will Be a Top Threat
Bad actors have used BEC for a considerable amount of time. Based on what we saw in 2019, it has taken a step up in terms of complexity and profitability. According to Forrester, estimated exposed losses due to business email compromise between 2016 and 2019 totaled $26 billion. We should expect BEC to become even more profitable than ransomware.
Historically, BEC has been aimed at getting users to unknowingly install malware so that bad actors can gain access to networks and gather data. More recently, it has focused on creating plausible-looking changes to payment details.
Security Recommendation: To combat these attacks, implement ongoing security training for your staff. As with security recommendation number eight, it is important that your staff is aware of the different types of malicious messages they may receive. Teaching them what not to open, and what to forward to the security team, is a top priority.
Get Ahead of the Risk with LightEdge
From secure and always on colocation to the compliance, control, and flexibility of cloud, LightEdge has you covered.
With over 20 years in business, LightEdge offers a full stack of best-in-class IT services to provide flexibility, security, and control for any stage of a customer’s technology roadmap. Our solutions include premier colocation across seven purpose-built data centers, industry-leading private Infrastructure as a Service (IaaS) and cloud platforms, and the top global security and compliance measures.
Our owned and operated facilities, integrated disaster recovery solutions, and premium cloud choices make up a true Hybrid Solution Center model. LightEdge’s highly interconnected data center facilities now span Des Moines, IA, Kansas City, MO, Omaha, NE, Austin, TX and Raleigh, NC.