[BreachExchange] Planning for 2020? Here are 3 cybersecurity trends to look out for

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 31 20:42:27 EST 2019


From the rise in investor focus on cybersecurity issues to the diversification
of cyber insurance, there are three critical security trends cyber
professionals should be prepared to address if they want a successful — and
secure — 2020.

Investors will add cyber risk into their analyses

In 2020, cybersecurity is going to play a larger role in financial
investments than ever before. Equifax was the first company that ever
received a credit downgrade because of a data breach, and it made investors
hesitate to invest in companies without understanding their cyber risk.

It’s an understandable fear: Our research shows a majority of Fortune 1000
companies have at least one remote administration service running on an
open port. With current security like this, breaches are inevitable.

Savvy investors are holding off on investing in companies without good
security. They’re beginning to uncover a link between companies with strong
cybersecurity posture and strong stock performance. Though the research is
still in its infancy, I suspect that many investors will soon incorporate
cyber into their ESG analysis.

For the security professional, this is an opportunity to showcase your
worth to the C-suite. Having strong security will no longer be just about
protecting against breaches; it also means a better draw for investors,
whether they’re looking to purchase stocks or invest in your business.

Attackers will focus less on zero-day vulnerabilities and more on
blunt-force attacks

Zero-day vulnerabilities receive the most attention from the media, but in
2020, hackers probably won’t bother with these highly publicized attacks.
Instead, they’ll home in on simple strategies, like gaining access to a
network through a third party or unpatched system.

In fact, this trend is already starting to emerge. For example, APT33 uses
almost exclusively brute-force password spraying when attacking critical
infrastructure. These methods have seen success with breached companies
facing Shamoon and Shapeshifter, two of APT33’s go-to deployments. And the
number of business email compromise (BEC) attacks has soared immensely in
the past year; financial media conglomerate Nikkei lost $29 million to this
ploy. On top of these recent examples, the NSA reports that it very rarely
responds to intrusions from zero-day vulnerabilities — instead it focuses
primarily on incidents involving exploited unpatched hardware and software.

To counteract these trends, cyber plans will need to return to the basics
and focus on building a strong security foundation. This includes
continuously monitoring for new threats and vulnerabilities, consistently
evaluating the security posture of your third-party partners, and more. The
importance of employee cyber education also can’t be overstated.
Oftentimes, the weakest link in security postures is still the human

Cyber insurance will play a larger role in cyber plans

From ransomware to BEC, the costs of responding to cyberattacks are
relentlessly increasing, and 2020 will be the tipping point for cyber
insurance. Many companies, especially smaller ones, are learning the hard
way they don’t have the resources to mitigate cyberattacks alone,
especially ones that arrive from third-, fourth-, or even fifth-party

Though most cyber insurance won’t directly pay for any money lost in a BEC
or phishing attack, it will help finance legal investigations and fees.
As more companies adopt cyber insurance policies, the insurance industry
will educate itself on the nuances in cyber attacks and begin offering
additional cyber coverage plans, including ones that cover consequences and
losses outside of the cyber realm.

Whether it’s through an extended power outage that leads to looting or a
crash from faulty transportation communications, companies need to go into
2020 ready for how cyber attacks could impact the physical world. One way
to do that is for companies to reevaluate their current cyber insurance
policy or start shopping for their first.

Planning for 2020 cybersecurity trends

The new year will bring a range of challenges for cyber professionals, but
trying to anticipate and plan for them now will mitigate their

To start, companies need to ensure their CFOs and other stakeholders
understand the growing financial impact of cybersecurity. As security tools
become more efficient, executives might be tempted to lower budgets without
understanding how badly a cyber attack would affect not only their day-of
operations, but the business’s long-term financial stability.

Additionally, the importance of a strong cyber foundation needs to be a
focus in the new year. We’re seeing hackers rely on tried-and-true methods
rather than chasing down the latest zero-day vulnerability, meaning routine
patching and third-party partners with continuously monitored, strong
security hygiene are key to protecting businesses.

Finally, the role cyber insurance will play in businesses can’t be ignored
any longer. Cyber insurance is expanding to mitigate losses that come from
anywhere in the supply chain, including outside of it; it doesn’t matter if
you’ve been breached or if your next-door neighbor has been.