As we have just entered the new year, it’s time to summarise our predictions in this post about cybersecurity trends that will be significant in 2020.
We’ve collected a list of ten trends that will have an impact on information security strategies globally.
As this list is subjective, some of these trends may be relevant for you, while others are probably something that you’ve already implemented or are not relevant for your business.
As cybersecurity is becoming a top priority in most organisations, it is vital to know what to expect from 2020 and how it could impact your security.
1. Security becomes a C-level and board-level concern
Typically, cybersecurity has been the concern of security professionals. In recent years, this has started to change. As cyberthreats are ever-increasing, you could be under attack any time soon. A cyberattack could negatively impact not only the company’s financials but also its reputation. Just think about the news when customer data is leaked.
Thus, cybersecurity has become a board-level and C-level concern. Everyone in the leadership team must understand what the consequences could be. Working on prevention makes a lot more sense than trying to minimise the damages.
Make sure that your CFO understands that investing in cybersecurity could pay off quickly if it means that you have prevented an attack.
Information on the average cost of cyberattacks varies; some mention 200 000 USD, others 1 million USD, while some sources claim an attack could cost you 4,6 million USD. Nevertheless, according to a security magazine, cyberattacks cost $45 billion in 2018.
If you are investing in employee training, you want to have HR on your side. HR can help you with policymaking, onboarding, offboarding, and giving remote workers some extra attention to make sure that they comply with your security requirements.
Having support from the executive means that you will most likely have the financial support to implement your cybersecurity strategy/program. As most plans fail because of a lack of resources, you are one step closer to success when you have a top-down approach and the full support of the leadership.
2. Data breaches are on the rise as data becomes more valuable than before
There are a couple of problems with creating, owning, and sharing data—these make you prone to a data breach.
Companies are creating more data day by day, and a lot of this data must be kept private; thus, you should never neglect data encryption. Still, often, data encryption strategies are outdated, and this makes your data vulnerable to attacks.
Data is still precious for hackers. It’s widely exchanged on the dark web, and it’s a black-market commodity. Once your data has been leaked, the damage can be exponential, as many can buy this data from hackers.
Siloed and disconnected data is a significant security challenge. Integrating applications to break down siloes and share information in real time has been trending in recent years. Whenever you are integrating, you should make sure that you take the proper security measures. Especially when you are sharing data outside your organisation, you should be extremely concerned about the security of your information as most breaches start with third parties (more about that soon).
You need to create various means to protect your data; for instance, invest in technology, educate your employees, and focus on vendor security compliance.
3. Information security technology remains important
Security teams have been long investing in cybersecurity technology to keep organisations safe from attacks. We don’t see a reason why investing in technology would slow down in 2020. It’s the opposite: Gartner predicted that technology spending would reach 124 billion US dollars in 2019 and predicts that the trend will continue in 2020.
Currently, a typical organisation that is concerned about information security uses between 25 to 49 security tools. Among these, tools for cloud-based security and data encryption are increasingly important.
When you invest in new technologies, you should also consider two important factors:
– Do you have so-called “tech debt”? It means that you are using legacy technologies, and protecting this ageing technology can be a significant challenge for your security team. Even if you are migrating to the cloud, you will have to take extra measures to ensure that all your information is safe from attackers.
– Are you creating innovations and investing in digital transformation? If you are digitalising your business and creating innovations, you want to put security at the forefront. From day one, you want to ensure that cybersecurity is a concern.
While information security technology remains super important, your people will have an equally important role in your defences. We’ll get to that soon.
4. All vendors must comply with information security standards
In an article, HelpNet Security mentions that nearly half of the firms that suffered a data breach were because of their “trusted” third parties.
Cyber GRX compiled an impressive list of third-party breaches of 2018. The list includes names such as BestBuy, Sears, Delta, MyFitnessPal, and Universal Music Group, to name a few.
Working with third-party vendors could put your operations at risk. Whenever you select a new vendor, put them under your security microscope and make sure that they have healthy security hygiene. All of the vendors you work with should comply with all of your security regulations to avoid the possibility of a data breach—or at least do your best to mitigate the hazards.
According to research from Esentire, companies typically contractually obligate vendors to comply with their security and privacy practices and then frequently review their security and privacy policies and procedures and ask for proof of security certification.
5. Cyber insurance is a must
Another one of the cybersecurity trends we think will become important is cyber insurance. Cyber insurance is a preventive measure. However, it won’t protect you from cybercrime. However, the digital economy is still underinsured, and many companies haven’t yet taken out cyber insurance.
While cyber liability insurance coverage (CLIC) won’t cover all of the damages, it can help to mitigate the costs in case of an attack. It typically covers expenses that relate to first parties and claims by third parties, investigation fees, legal fees, business losses (to some extent), and credit monitoring for customers if their information is stolen in a data breach. Typically, insurance doesn’t pay for ransomware and such.
Insurance providers have had a hard time keeping up with today’s cyberthreat landscape.
6. Instead of cybersecurity awareness, focus on strong cybersecurity behaviour
Cybersecurity awareness doesn’t work as well as many would think. While there’s hype around creating cybersecurity awareness, awareness is not enough.
Information security awareness does not lead to behavioural change. Being aware of cyberthreats is not the same as being able to recognise, for example, phishing emails, and know what to do when one lands in your inbox.
Instead of emphasising awareness, focus on creating a strong cybersecurity culture that highlights the importance of the right cybersecurity behaviours across the entire company.
You need to move from awareness towards behavioural change. In your program, you should plan activities that help you to improve your employees’ behaviours regarding threats. By building a cybersecurity culture and enabling activities that decrease the human asset risk, your company will have an added level of protection against cybercrime.
When you are creating and developing your cybersecurity culture, it’s important to reinforce positive behaviour by helping people to learn to identify an attack and report it using lightweight training sessions.
A compelling cybersecurity culture focuses on reducing the most critical risk factor in terms of information security. As most attacks start with a human error, emphasising the importance of employee learning through behaviour change is your best bet on keeping your company safe.
7. Cybersecurity talent is scarce
It’s nothing new that cybersecurity talent is scarce. Why do we list it among 2020’s cybersecurity trends? Because we think that in the new year, finding, developing, and retaining talent will be a CISO’s top priority.
You want to make sure that you gather all the best players to your security team so that you can execute your security strategy.
There are a variety of cybersecurity training programs on the market, so you want to ensure that you invest in these so that your employees can have all the necessary skills.
You also want to ensure that different people have a diverse skill set for the best possible execution of your plan and the best possible protection.
8. There’s a variety of cyberthreats that are increasingly sophisticated
Evergreen attack types won’t disappear in 2020. Instead, these attacks will become increasingly sophisticated. You should make sure you stay up-to-date with the threats that could also damage your operations.
In 2020, we expect that attacks like phishing (and all of its subcategories, like vishing, web phishing, mass marketing phishing, smishing, spear phishing, C-level email impersonation), social engineering techniques, business email compromise, and ransomware to continue to dominate the cyberthreat landscape.
All your employees should be prepared against these types of attacks – and not just in theory but also in practice. Remember, educating employees on the right behaviour is more important than simply creating awareness about the risks.
9. Employee cybersecurity training above all
In terms of cybersecurity, employees are the most considerable risk for your organisation.
While you invest in information security technology, why wouldn’t you invest in employee cybersecurity training?
Most employees have never heard of the threats mentioned in the paragraph above. Often, when they did, they just heard about it in a classroom or some e-learning material. This means that they cannot identify real-life cyber threats, and they do not know how to help you prevent them.
You cannot decrease the risk of being attacked just by creating awareness about cybersecurity. Awareness does not lead to behaviour change. This is why traditional security awareness training doesn’t work.
You must train your employees against threats, and practice is a must for behaviour change. It would be best if you emphasised the importance of engagement. Investing in employee training is not enough if none of your employees is engaging with the training modules/materials. You must promote the importance of day-to-day practice, and this can only happen if employees are willingly participating in the training.
By training your employees and including them in your defences, you are creating a sense of shared accountability.
10. Continuous measurement and improvement are the keys to a great cybersecurity strategy
Measuring the results of the execution of your cybersecurity strategy will become essential in 2020.
If you want to impact the way you implement and perform information security in your company, measuring your results and acting on the data will have an essential role in your life in the new year.
Depending on what actions you take in terms of cybersecurity, the measurement can vary company by company. The more mature your cybersecurity is, the more critical it becomes to measure everything. You need to specify what you want to measure and create KPIs. You should set goals for your company. Make sure that the goals are ambitious yet, smart and achievable.
Continuous improvement is only possible when you have the right data available.
Even when you are working with third parties, you should ensure that you are working with companies that can provenly help you to measure the impact of your information security efforts.
Focus also on collecting intelligence, analyse these, and use them to improve your defences. By collecting and analysing threats, you will also be able to respond to them better.
While companies have been prioritising cybersecurity, too many companies are still ranking too low on the cybersecurity maturity model. The more mature your company is in terms of cybersecurity maturity, the better your organisation is guarded against cyberthreats.
While you can never be completely safe, doing your best and taking some of the advice from our cybersecurity trends prediction could significantly impact the state of information security in your organisation.