Dec 10, 2019

Top 5 2020 Predictions From the Desk of a CISO


As 2019 — and the 2010s more broadly — comes to a close, one thing has become clear: internet connectivity is now foundational to every facet of modern life, and it has created both new opportunities and new risks. According to our research, enterprise IoT devices are growing at 29% CAGR and will reach 7 billion by 2021. At that point, IoT devices will account for approximately 90% of all devices in enterprise environments, many of which are already in workplaces, improving productivity, collaboration, and convenience. This IoT explosion is pervasive and transformative, but for all of the benefits it has introduced, attackers have evolved in tandem, and enterprise usage today is not without risk.

There are certain spaces that should be of particular concern to the board and C-suite; most notably, the use of IoT in mission-critical healthcare and OT environments, and in highly-regulated, emerging areas like data privacy.

As we kick off a new year and new decade, these are my top 5 predictions for the cybersecurity landscape in 2020.

1. IoT will take data protection and privacy efforts 10 steps back

   The rapid adoption of IoT devices in enterprise environments to assist with shipping and distribution, manufacturing, and the delivery of healthcare to patients has enabled industries to minimize costs while expediting services in a way never imagined before. However, not enough attention is being paid to how these IoT devices will remain secure, which puts enterprise IP at risk and, in certain environments, risks running afoul of privacy regulations like GDPR and CCPA. I anticipate threat actors will increasingly take advantage of hastily deployed, insecure IoT devices as a point of entry for IP theft, and given the spotlight on corporate data protection practices, this will lead to downstream impacts on privacy and compliance efforts as well.

2. Voice deepfakes will become the new phishing bait

   C-level executives, politicians and other high-profile individuals are already high-risk targets for standard email phishing attacks given their level of access and financial decision-making authority within their organizations. With advances in deepfake voice technology, I expect a rise in voice phishing schemes in 2020 in which employees are tricked into sending money to scammers or revealing sensitive information after receiving voice messages and calls that sound like they come from the CFO or other executives. We’ve already seen one fraudulent bank transfer net criminals $243,000. Given how much harder these deepfakes are to identify than standard phishing attacks, I expect these operations will become the norm in the new year.

3. IoT attacks will hinder patient healthcare

   The majority of IoT devices in healthcare organizations have been targeted by attackers within the last year, yet the reality is that most healthcare IoT devices can’t be updated for security. This lack of patchability will come to a head in 2020. I’ve seen an infusion pump infected by malware while it was still connected to a patient; in 2020, vulnerable medical devices will be an increasing focus for attackers, and if compromised they could prevent doctors from providing timely care to their patients and put lives at risk.

4. Energy grid attacks on the rise

   As IT/OT convergence gains momentum, IT is discovering the scale at which connected devices have been deployed in OT environments, often in a haphazard manner and unmanaged by IT. Because IoT is often introduced outside the purview of IT’s management, teams are scrambling to gather critical details like the types and number of devices introduced and how they are integrated. In 2020, attackers will continue to target this weak point in IT/OT convergence. In particular, as industrial environments move towards convergence, we’ll see more attack attempts, particularly those targeted at energy grids.

5. 2020 is the year of CISO burnout

   The security industry has been struggling with the skills shortage for years, and all along, the CISO has been creating solutions to work around these gaps. Pressure from a lack of skilled resources, limited funding, on-the-job stress from security events, and a lack of support from the C-suite and board (until a major security incident) will come to a boil. In 2020, CISOs will express this fatigue to their C-level peers. If nothing happens to change their circumstances, we’ll start to see a migration of CISOs from large enterprises to smaller, more nimble companies in the next 2-3 years.
