News & Views
2020 Top IT trends
Security leaders are predicting cyber-risks associated with new technology will become mainstream in 2020, and technical debt, credential stuffing and access control will be at the fore.
Europe’s number one information security event, Infosecurity Europe (www.infosecurity-group.com), has once again asked its community of C-level security professionals (CISOs) what they think the year ahead has in store.
Many of the CISOs surveyed highlighted the risks presented by emerging technologies that are expected to become more widely adopted in 2020. Deloitte cyber risk partner, Peter Gooch, says: “2020 will see more deployment of security automation tools. Where this is done well, it will allow organizations to adapt rapidly to changing attack tactics, but if it is done poorly, it will be more complicated to unpick.”
“The drive for more transparency when contracting for cloud services will continue with vendors requiring to expose more data and events for consumption by SIEM tools, and to evidence security practices and capabilities closer to real-time. Hackers are increasingly targeting unstructured data to hide and launch attacks, so the priority is to implement robust governance.”
Mark D. Nicholls, Head of Information Security & Governance at housing association Peabody, flags up vulnerabilities with AI and IoT. “Machine learning has established itself in 2019, and we will begin to move to true AI in 2020, but one must remember whatever can be used for good can also be used by the criminals. Imagine a DDoS attack powered by true AI,” he warns.
Another common theme was the attack vectors most likely to take centre stage in 2020. Becky Pinkard, CISO at award-winning bank Aldermore, expects to see more attacks due to technical debt. “In the bid to keep pace with consumer demand and technology capabilities, industry is borrowing more technical debt than it’s repaying. I think we’ll see more headlines about successful attacks due to this growing debt and the associated ‘shadow risk’ it creates. The march to open banking in financial services, incorporating APIs, distributed ledger technology and AI in rapid-fire succession, and with a focus on capturing the customer’s attention first, often means security gets de-prioritised on the route to delivery.”
“We’re seeing credential stuffing run rampant, and I wonder if this will escalate as more data and more username and password pairs are out there,” says Troy Hunt, Microsoft Regional Director, Founder of Have I Been Pwned and a recent (2019) Infosecurity Europe Hall of Fame inductee. “Or we might reach a tipping point where organizations decide they need to block some login attempts that have the right username and the right password but are not coming from the right person. In the US, enforcement cases are being brought against ‘corporate victims’ of credential stuffing. It’ll either get worse, or organizations will have to adapt.”
Some CISOs believe that solutions will come from the industry working more closely together. “I believe we will start to see greater collaboration between security companies, hopefully resulting in greater end to end security capability,” says Mark D. Nicholls at Peabody.
On a similar tack, Peter Gooch at Deloitte believes convergence will be a key trend: “2020 could see a number of high-profile mergers and acquisitions as well as an expansion and formalisation of vendors into a more converged world. This is likely to be similar to the ERP revolution that transformed the way many finance and operations teams function, and could mean a more efficient operational model for those in cyber.”
One question that is often pondered is whether we are about to see the ‘mega breach’ that will put high-profile incidents like Equifax’s in the shade. “One thing we can never know is: will there be a crazy data breach that turns the world on its head again?” asks Troy Hunt. “If we see another incident like Ashley Madison or Equifax, which had a massive and serious impact across tens of millions of people’s lives, this will be a headline-grabber that sticks around for some time. But these things are enormously hard to predict.”
Nicole Mills, Senior Exhibition Director at Infosecurity Group, says: “2020 will see the continuation of some long-standing trends, challenges and security risks. There was less emphasis on the skills shortage and GDPR in our CISOs’ predictions this year, but we do need to remember that these challenges haven’t gone away. The ‘talent gap’ is still growing, and we need to continue working together as an industry to find solutions. While GDPR is not the burning issue it was last year, organizations can’t rest on their laurels. If they’re compliant they need to work to stay compliant. It’s not just the fines; keep top of mind that brand and reputation can take years to redress.”
Infosecurity Europe, now in its 25th year, takes place at Olympia, Hammersmith, London, from 2-4 June 2020. To register for the free-to-attend event see https://www.infosecurityeurope.com