Almost everyone wants to know what the future has in store – particularly when it comes to cyber security.
Keeping aware of the latest cyber threats and the best solutions to combat them will put organisations in a better position to prevent attacks.
With that in mind, Geraint Williams, IT Governance’s chief information security officer, discusses his cyber security predictions in the upcoming year.
1. Cyber criminals will take advantage of incorrectly patched machines for known vulnerabilities.
They will take PoCs (proofs of concept) for vulnerabilities or reverse engineer released patches and deploy malware before the majority of vulnerable machines are patched.
2. Attacks involving the IoT will continue.
Attackers will use the IoT (Internet of Things) to gain access to targets, pivoting attacks through compromised devices or using their resources as part of cyber attacks.
The IoT will be used in both attacks on domestic premises and in industrial espionage.
3. Critical infrastructure and home technology will be targeted.
Attackers will continue to infiltrate critical infrastructure with the aim of disrupting daily life, and the smart home will be targeted with the same aim of disrupting the occupant’s life.
4. Ransomware will continue to increase.
However, organisations as a whole will be targeted rather than individual machines.
Cyber insurance has in some regions encouraged victims to pay as it is cheaper than remediation in some cases.
This is fuelling the cyber crime industry, as each payment shows attackers that victims are likely to pay. Ransomware has also become complex enough that some decryptors released by attackers have contained bugs that prevented the data from being decrypted at all.
5. Open banking will be targeted.
The growing fintech market will be targeted as new services and innovative solutions based on open banking are exploited by attackers.
6. Deep fake technology will be used in social engineering attacks.
With better audio and video simulations, phishing will move on from email and text to things like Facebook videos.
7. Business email compromise attacks will increase.
In response, more organisations will adopt email protection technologies such as SPF, DKIM and DMARC.
8. Payment card thefts will rise.
Endpoints such as POS (point of sale) machines or the cardholder’s own browsers are the most likely targets, via card-sniffing scripts loaded into the browser through a mix of direct or third-party hosted scripts.
The retail and hospitality industries will continue to have their POS equipment targeted.
As such, PCI DSS (Payment Card Industry Data Security Standard) compliance will become increasingly important. The Standard contains requirements that help organisations that process, transmit or store cardholder data protect customers’ information.
9. Cyber criminals will continue to use blockchain technology for transactions.
The anonymity of cyber currencies gives attackers protection against prosecution.
10. Low-level attacks aren’t going anywhere.
Despite the rise in sophisticated attacks, 2020 will continue to see newbies and unskilled attackers using toolkits from the dark web to launch scams (such as sexploitation), and phishing and ransomware attacks.
11. Weak passwords will continue to be exploited as attackers monetise credentials.
However, many enterprises, large organisations and tech-savvy individuals will realise the benefits of multifactor authentication to secure their accounts.
How should you prepare?
Organisations are becoming increasingly dependent on technology to perform even the most basic tasks, which exposes them to greater disruption should they come under attack.
Businesses and organisations should look into SOCs (security operations centres) and SIEM (security information and event management) tools to protect their technology usage.
Education is also becoming increasingly important when protecting organisations. We will probably see a greater general understanding of cyber security risks this year, as more news stories hit the headlines and people become increasingly aware of cyber security risks in their everyday lives.
This won’t be enough to mitigate the risks on an organisational level, though. Businesses will need to teach employees about general threats that affect them at work, such as phishing attacks and brute-force password attacks, as well as specific issues that relate to their job.
For example, departments should specify how employees handle sensitive information and, where relevant, how employees access parts of the premises that house sensitive information.