Blog

Security Predictions for 2020 from the (ISC)² Community of Security Professionals (Part 1)

Feb 04, 2020

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP

Cyber-attacks will impact businesses on a larger scale in 2020 and will affect those who are unprepared, whether the cause is human error or another kind of disaster. In an effort to combat some of the issues faced by corporations, it is time for CEOs to grasp the nettle and officially buy in to their security practitioners’ advice.

We have all seen various vendors make predictions for information security in 2020. These predictions include an increase in targeted ransomware, threats to the 2020 elections in the U.S. and other countries, and many conversations on deepfakes, attributed to Artificial Intelligence and Machine Learning and the fast pace of technological development.

We asked security professionals in the (ISC)² Community what issues they will likely face in 2020. Many saw the same threats as the vendors, such as increasing ransomware, the end of life for passwords, and privacy issues and laws. A few even saw problems with the 2020 U.S. elections, or with other countries being affected, when citizens attempt to determine whether what is being presented is truthful information or content specially adapted to influence their political agendas. Can people actually make these decisions for themselves these days?

Many practitioners approached the issue from a different stance than the vendors, as they talked about how it might affect them and their organisations. 

This is part one of a compilation of the items discussed by the cybersecurity professionals:

Data Privacy changes

  • The ramifications of the California Consumer Protection Act (CCPA 2018) and SB-327 “Connected Devices” will become known in 2020, and the likelihood of the U.S. adopting legislation similar to the General Data Protection Regulation (GDPR) will have far wider impacts.
  • Whether or not the U.S. adopts something like GDPR, we see many states following California and implementing similar laws. New York will be implementing its own set of laws (NY SHIELD) effective in March 2020. The largest issue faced by practitioners is: how do these laws affect them, or will they affect them at all? Do they hold data on their systems that is covered by all the interlacing laws?
  • One recommendation was to follow the CBKs for the (ISC)² certifications, or the (ISC)² short courses on specialized subjects, to ensure that organisations are protected.
  • Some worried about ethics and how that would apply to Artificial intelligence and Machine learning especially around the integrity of the original data; however, to a large extent this needs to be driven by governments around the world and their individual countries.
  • However, when moving to the use of Artificial Intelligence (AI), organisations should be ensuring that the original data sources are actually clean. That is, any inherent bias must be fully understood and monitored carefully, as any manipulation of the data sets could lead to misleading conclusions being drawn.
  • Does the organisation actually own the data? Has it followed the required privacy legislation to ensure it can use the data to make informed decisions appropriately?

Lack of secure coding and development techniques

  • This issue is often overlooked as corporations (big and small) want their programmers to be agile and develop software as quickly as possible.
  • Implementing Security into the Software Development Life Cycle (SDLC) in the design phase and embedding it in all phases, can help organisations overcome some of these issues.
  • Application security testing in containers and hybrid cloud environments needs to be completed before production.
  • Some organisations have established the Agile methodology and transformed their companies into Tribes from top to bottom. However, there needs to be balance; or by itself, it will fail.
  • There are too many situations whereby secure coding and testing are bypassed in the rush to ensure the end product is released. Often the public is used to fully test the new service – to the embarrassment and detriment of the organisation. Formal testing must never be rushed; it must be undertaken, or the consequences could be widespread.

5G networks and the high speed of WiFi-6

  • The rationale behind this concern was that despite organisations being very wary about embedded electronics in vendor solutions, high speed networks are not just associated with long-range systems. There are also short-range systems requiring high bandwidth within Smart Buildings and Smart Appliances.
  • Many Internet of Things (IoT) discussions lump IIoT and OT into the same domain. Many automobiles, domestic appliances, and new buildings already have systems embedded by default. Therefore, they have the ability to sense, measure, passively eavesdrop by audio and video, communicate over their high-speed interfaces, and collect and store private information. If the human body’s nervous system is analogous to a communications system with senses, then IoT networks are an electronic highway for controlling digital systems and devices physically, automatically and quietly in the background. By default, a lot of these IoT systems will have no or very little security associated with them. These systems may include medical devices, potentially impacting the health and welfare of the humans attached to them, as well as workplaces or means of transportation.

We’ll continue to discuss the Internet of Things (IoT), replacement of passwords as well as other topics in the next blog post.

This information has been compiled by Diana-Lynn Contesti and John Martin on behalf of cybersecurity professionals within the (ISC)² Community.