The decline of passwords, the rise of encryption and deepfakes -- cybersecurity predictions for 2020
It's the time of year again where the great and good of the tech sector like to consult the tea leaves, gaze into the crystal ball, read the runes -- and of course draw on their industry knowledge -- to give their predictions for the year ahead.
So, what do they think is in store for cybersecurity in 2020?
The decline of the password has been on the horizon for a while, but Ben Goodman, CISSP and SVP of global and corporate development at ForgeRock believes 2020 will mark the beginning of the end. "Consumers already log in to dozens of protected resources everyday: from email, banking and financial accounts, social media, healthcare, government accounts, and beyond. Even when tools like TouchID are leveraged each of these resources currently still have an associated username and password that can be attacked. To save time and remember their credentials for all these sites, consumers reuse the same username and password across several sites. As a result, the user's exposure from any one security breach on one of those profiles dramatically increases the odds that additional accounts can be compromised as well, allowing attackers to access far more sensitive information."
This is echoed by Clayton Calvert, a consultant at IT security and risk assessment firm netlogx. "With passwordless authentication, IT reclaims its purpose of having complete visibility over identity and access management. Reuse and sharing are common issues in password-based authentication. Without passwords, there is nothing to phish, share, or reuse. The user is no longer a wild card in an organization's access scheme. It is this crucial element that gives passwordless solutions their security advantage. As an added benefit, GDPR prefers that companies use passwordless authentication to eliminate the storing and securing of passwords exchanged over the network. While consumers have used this technology for a number of years in Apple and Samsung products, companies are beginning to do so as well. Sixty percent of large enterprises and nearly all of midsize organizations will use passwordless authentication by 2020."
With the decline of the password though the rise of deepfakes becomes a greater concern. CEO of Jumio, Robert Prigge says, "With a reported 50 percent of consumers using the same credentials across multiple accounts, automated account takeover attacks will continue to run rampant in 2020. As the industry abandons outdated authentication methods that are easily susceptible to fraud, like SMS-based 2FA and knowledge-based authentication, and turn to more advanced, biometric-based authentication methods as a secure alternative, the rise of deepfake technology will become a larger concern. A deepfake superimposes existing video footage or photographs of a face onto a source head and body using advanced neural network powered AI -- and are relatively easy to create. In 2020, we will see an increase in deepfake technology being weaponized for fraud as biometric-based authentication solutions are widely adopted. Even more concerning is that many digital identity verification solutions are unable to detect and prevent deepfakes, bots and sophisticated spoofing attacks."
Deepfakes raise other concerns too according to Optiv Security, "There has been much publicity around the potential to impact elections using deepfakes (AI-doctored videos that enable individuals to make it appear people said things they never said). However, not enough attention has been paid to how cybercriminals can make money using deepfakes against businesses. This will change in 2020 as we expect to see the first deepfake attacks designed to impact stock prices, by having CEOs, financial analysts, Federal Reserve leaders or other powerful economic figures make phony statements that will cause stock market movements. Cybercriminals will use these videos to make quick killings in the market."
2020 is also set to be the year of encryption according to Peter Galvin, vice president strategy and marketing at nCipher Security. "In the US, lawmakers on Capitol Hill have re-energized a push for encryption backdoors, an initiative that is seeing bipartisan support. Internationally, the UK and Australian governments (in addition to the US government) are pressuring Facebook to scrap plans for end-to-end encryption of Facebook Messenger.” Galvin adds, “Consumers, meanwhile, want more control and privacy over their data yet are often left confused about what that really means – and how to make it a reality. Also factoring into the encryption conversation is the protection of voter information leading up to the US election and advancements in facial recognition software."
We can also expect to see more attacks aimed at critical infrastructure and governments according to Alex Heid, chief research officer at SecurityScorecard. "Malicious nation-state actors will continue to focus on malware and ransomware attacks. Nation-state actors don't just want to sell cardholder data on the Dark Web, they’re targeting critical infrastructure such as electricity and water companies.
"In August of 2019, emails sent to US utilities companies contained a remote access trojan as part of a spear phishing campaign. The advanced persistent threat is another in a long line of attacks targeting critical infrastructure.
"With at least thirteen global presidential elections scheduled for 2020, we can expect to see more malware and ransomware attacks attempting to undermine voters’ confidence."
The ongoing skills shortage will add to problems says Bret Fund, head of cybersecurity at training specialist Flatiron School, "While the average pay for cybersecurity positions in North America is $90,000, pay levels in some areas -- such as local and federal government -- is below what's needed to attract and retain skilled talent. With healthcare, financial services and other large enterprises making it more lucrative for qualified cybersecurity professionals to work in their organizations, local government will be faced with a great cybersecurity skills shortage. Local government agencies will have to think creatively about how they can re-skill their current employee base to meet their cybersecurity needs."
Healthcare is set to come under attack too says Mike Riemer, chief security architect at Pulse Secure, "It is already well-understood that the healthcare industry struggles to secure its trove of sensitive data. But, even as widely discussed as this issue is, the healthcare industry has been slow to adopt effective security measures and quick to embrace an even greater influx of data during digital transformation efforts. As healthcare continues to evolve towards the convenient, self-service model that today’s digital-first consumer demands, there will be serious security implications as companies try to control the release of data and information. For example, telemedicine is making patient care extremely convenient, but is the doctor-patient communication secured and encrypted? If not, anyone can intercept the data and communication in transit. How do you secure that information stored on the end-user's phone? The security of any network is only as strong as the weakest link. In this service model, the end-point device is most likely to be compromised and healthcare organizations need to ensure they are meeting all the security and regulatory requirements."
Are there other trends that you think will affect cybersecurity in 2020? Let us know.