Cyber Security 2020

It’s that time of the year when would-be prophets come crawling out of the woodwork to predict the future of our industry. Each year these predictions are pushed out, but are they new and truly insightful, or just recycled me-too efforts, or even just a way of pushing a hidden agenda? Do they help or inspire, or are they just industry noise?

“Those who have knowledge, don’t predict. Those who predict, don’t have knowledge.” – Lao Tzu, 6th Century BC Chinese Poet

These types of lazy prediction pieces frustrate me for several reasons:

  • They are often not written by experts but by PR firms as ‘cheap content wins’ – they are increasingly statements of the obvious or just poorly disguised marketing
  • There’s an implication that senior managers are not doing their jobs properly, or don’t really understand the issues (but the writer does)
  • They are becoming a cast of thousands that make War and Peace look like chick lit. Forbes recently published one called: “141 cybersecurity predictions for 2020”. I lost the will to live on page 3
  • They’re focused on scare tactics, not on pragmatics.

Making everyone aware of the threats that the digital world brings, and the dramatic effect this can have on unprepared individuals and businesses, has some value. But repeating the same message with different headlines is tiresome. Those at the coalface don’t need to read about the gathering clouds of doom. What they need to know is how they can keep the sky blue above their heads.

Five common predictions from the security industry and why they’re not helpful

  1. Data breaches are set to soar in 2020 due to an inordinate rise in attacks. This is a statement of the blindingly obvious. In 2019 around 12.4 billion data records were breached, compared to 2.3 billion in 2018 and 826 million in 2017. There’s clearly a trend here. Presenting long lists of attacks and scary numbers does nothing to help businesses figure out where to focus their efforts. No business has unlimited resources so they have to prioritise where they spend their time, money and effort. Don’t tell them to start looking for the “unknown, unknowns,” because they can’t get budget to fix something no-one knows about – especially when resources are already maxed out dealing with stuff they do know about. And companies can only protect against what is known, which is why any attack not previously seen puts data at risk.
  2. Cyberattacks in 2020 will get personal. Which begs the question – was a data leak ever not a personal attack? In July 2019, Orvibo leaked 2 billion records related to smart home products; in May 2019 Canva, a graphic-design tool website, suffered a data breach that affected 139 million users; in 2018 attackers went after Facebook (30 million personal records) and Under Armour (150 million personal records). Each of these attacks was very personal for those affected. Many of these articles are just long lists of previous attacks, but the target audience doesn’t have time to read about what they already know. What they want are answers and they want these at the beginning of the content, not after several pages reviewing what has already happened. I have a few honourable mentions here – well done to Forcepoint, Zscaler and Varonis for at least trying to highlight ‘best practices’.
  3. Cybersecurity professionals are in-demand/a scarce resource – the number of degrees and accreditation courses is growing rapidly. But in a world where pretty much everything and everybody – individuals, companies, governments, critical infrastructure – is increasingly dependent on connected systems, networks and devices, this issue needs to be far higher up the educational agenda. Citing a big number of unfilled cyber security roles (3.5 million by the end of 2020) doesn’t help solve the key issues. What companies need to know is how they can make existing staff more proficient and how they can engage with young people to ensure the number taking STEM subjects increases (thereby increasing the supply of interested and qualified individuals). They also need to know how they can utilise AI and ML to remove repetitive tasks so that they can focus their valuable and scarce human expertise where it delivers most value.
  4. The importance of data and the power of being an insights-driven enterprise are increasing the damage factor of data breaches. Everyone knows that we’re living in a data-driven world. 7.6 billion people now live on the planet, 67% of whom now have a mobile phone (5.11 billion), with each mobile consumer using an average of 7Gb of data per month. There are 4.39 billion internet users, with around 1 million new users per day and the typical user now spending over 6 hours per day on the internet watching videos (92%), streaming TV content (58%) and playing games (30%). 40% are now also using voice controls and commands. There are 3.48 billion social media users, with the average user having around 9 social media accounts, and spending 2 hours and 16 minutes engaged with friends and businesses. 24% of people now use social media for business. The IoT is growing exponentially in both our working and home environments. This is why telling companies that, because they are keeping more ‘informed’ data, they are more likely to incur more damage if breached is like telling a bank that if they keep more money in their vaults then they’ll lose more when they’re robbed. What they actually need to know is how to consume data on mobile devices securely and ensure that any interactions with the internet (web) and social media can be performed safely and securely.
  5. Aging communications protocols will cause industry-wide breaches. Vulnerabilities in SS7 were first raised as an issue in 2014, with the situation set to get worse as mobile and IoT connected usage increases. In 2017 an incident in Washington DC, close to the White House, saw attackers use a fake base station and SS7 access to obtain subscriber information. 2018 saw an increased number of attacks utilising SIP flaws – a specific example being where Cisco equipment was used to cause a denial of service attack (DDoS) using malformed SIP traffic. So, what is the telco industry to do? Embedded signalling protocols will remain for many years due to the effort, cost and potential disruption of replacing them. Organisations such as the GSMA have therefore recommended that operators implement a number of practical steps such as:
    • Implementing signalling controls outlined in the GSMA Fraud and Security Group (FASG) guidelines on securing interconnect protocols.
    • Having a fraud management system (FMS) to identify, detect and prevent potential fraud transactions within the signalling messages.
    • Deploying a signalling firewall, or equivalent technology, to support the monitoring and blocking of signalling traffic.
    • Preparing for realistic threat scenarios where the network is compromised. Once these threats are modelled a set of security parameters, based on the signalling protocols, can be deployed.

Maybe you wrote a different type of prediction story? Well, before you feel too smug, other typical predictions span security budgets, board room awareness of security, ransomware, privacy, email, multi-factor authentication, cloud security, mobile malware, and the new cyber ‘cold war’ (it’s been cold for a while now).

The Do’s and Don’ts of writing predictions

For those thinking about writing this type of content, here are some hints about how to make it better.

Do:

  • Get to the point – inform the reader about the known threat in less than a paragraph
  • Be precise – state what features/functions or actions are needed to mitigate the threat
  • Be practical – Explain what readers could do with their existing systems and processes to minimise the effects
  • Share experience – highlight who has already experienced the threat and mitigated it successfully

Don’t:

  • Dramatise – by painting a dramatic black picture. You are not Stephen King
  • Insult – by implying your readers don’t know what to do, or aren’t doing their jobs properly (remember they sign off POs)
  • Boast – by claiming you’re the only company that can thwart the threat or setting yourself up as an expert (it’s a long way to fall). Just say you have the know-how to assist.

At Omnisperience we align ourselves with the Niels Bohr principle: “Prediction is very difficult, especially if it’s about the future.” Which is why we keep our feet firmly on the ground and focus on helping our clients navigate the present and foreseeable challenges they face.