2019 Security Predictions: Hackers Focus on the Cloud, Defenders Zoom in on Risks
by Stan Lowe - Zscaler CISO
If there’s one thing we can predict for certain for 2019, it’s that cybercriminals will continue to spin up more and more innovative ways to exploit gaps in security. The hackers have IoT devices on their radar, and they'll keep on looking to the cloud for new opportunities to attack vulnerable applications. As for the defenders, they’ll work on finding more effective security solutions that don’t overwhelm budgets.
Below are my predictions for the key trends in security we’ll be watching next year. You can also check out this webinar
where Bil Harmer, Zscaler’s Americas CISO, and I shared our top 5 security predictions of 2019.
Prediction #1: We’ll see an increase in attacks targeting specific cloud applications.
As more enterprises shift workloads and data to applications like Office 365 and Workday, hackers will start to craft new attacks specific to those apps. Expect to see hackers use special exploits to gain access to the application itself, rather than just user data.
Prediction #2: Governments will look to the private sector for help with securing cloud apps.
Governments, like everyone else, want to offload commodity IT applications and services to the cloud for the cost-saving and maintenance benefits. But due to skills shortages, governments don’t have the in-house capabilities to migrate data, applications, and services to the cloud effectively. As a result, they’ll look to the private sector for help with securing cloud apps.
Prediction #3: More state-employed white hat hackers will “moonlight” with organized criminal elements.
Information security professionals are moonlighting as hackers-for-hire within criminal organizations all over the world. This trend is especially prevalent in Russia, where poorly paid government employees can earn extra income working for powerful and sophisticated criminal networks with ties to the government.
Prediction #4: Government and businesses will increase their focus on cyber risk instead of spending.
Cybersecurity practitioners spend vast amounts of money to mitigate all risk to an unsustainable extreme. When spending keeps going up but attacks still occur and systems remain vulnerable, we’ll see both enterprises and government organizations ask, “How much is enough?” Expect boards to start pressuring CISOs and CSOs to cut budgets and find new, more efficient ways to protect against cyber attacks.
Prediction #5: IoT system exploits and botnet recruitment will grow.
As the number of IoT devices rises (up to about 7 billion worldwide
at the moment), and we deploy 5G to connect everything, we’ll see a huge increase in the use of IoT devices for DDoS attacks, phishing, ransomware, and crypto mining. The Reaper IoT botnet of 2017
was an example of the power that criminals can amass with IoT devices. With the addition of 5G and increased compute power, the risk is only going to become greater.
Prediction #6: Cyber breaches will impact stock prices, especially in the technology and cybersecurity sector.
Even though high-profile attacks are becoming more common, we haven’t yet seen them damage stock prices to a great extent. But look for this to change in 2019 as organizations complete their digital transformations and oversight bodies have the ability to levy significant fines. Once this happens, breaches will have a much more serious impact on the business, revenue, and customers – and logically, a detrimental effect on stock price.
Prediction #7: The security market will consolidate into ecosystems.
There’s an immense amount of product complexity companies must deal with when trying to secure their networks. In an attempt to reduce that complexity, drive down costs, and own a larger share of the pie, security vendors will begin consolidating – a trend we started to see in 2018, with examples such as Proofpoint's acquisition of Wombat. Just as we saw in the OS market, single vendors will compete to become one-stop security shops for their customers.
Prediction #8: Supply chain sourcing and security will receive renewed attention, especially from the government.
The U.S. government has long required parts used inside government systems to come from “approved” sources. However, there hasn’t been any teeth in enforcing these policies. In 2019, government agencies will increase physical site audits and require companies to meet security standards in their physical and logical supply chains – and will hold companies liable if their security is weak. Companies that fail to comply with policies or show due diligence can expect to be hit with fines more often.
Prediction #9: Security vendors will experience specific targeted attacks
As we see continued consolidation in the security marketplace platform integration challenges will be seen as an opportunity by bad actors as an avenue for infiltration. Criminal and state organizations will be watching closely and will try to use these integration challenges to target cybersecurity companies to create and exploit any vulnerabilities created or exposed by these activities.
Just like death and taxes, cybersecurity threats are a certainty. No doubt they’ll grow in number and sophistication in the next year, taking advantage of the endless amount of data and complexity that exists in our security architectures – architectures which we heavily depend on in our enterprises to protect our users and business. I suggest that organizations consider New Year’s resolutions that include reducing complexity and insisting on simplicity in their architectures.