In cybersecurity, 2019 is the year that “breach fatigue” went mainstream. It seems that every day new stories pop up about the theft of personal data, stolen password databases, or ransomware shutting down state and local governments. The key themes we see developing in 2020 — and beyond — include the ever-expanding collection of data for B2C and B2B uses.
If the insights-driven enterprise runs on data, then taking away access to that data provides attackers with a quick path to monetization, which means ransomware will continue to grow. Attackers will use AI and ML to enhance existing attacks using the tremendous amounts of data now available to them. They will also develop new techniques in the form of disinformation campaigns against enterprises. Enterprises will push back and limit the data they share, while consumers will embrace capabilities that allow them to avoid surveillance.
In 2020, we expect that:
M&A activity will radically change to circumvent regulation and weaponize data. As the value of data continues to grow — and government oversight of data expands — companies will use the data they collect as a key reason to make acquisitions, allowing them to circumvent controls and regulatory oversight and weaponize data by using it to manipulate, subvert, or target populations. The original reasons for collecting data may not align with the intent or subsequent actions of an acquiring entity.
For example, collecting preference data or health information in a dating application is normal, but if the company owning the app is acquired by a government-owned firm, the data is now owned by a potential adversary. When dating app maker Grindr was acquired by a company headquartered in China, Beijing-based engineers got access to sensitive health information about HIV status, which could potentially allow them to use that data for intelligence operations.
A local government will seek disaster relief for ransomware damages. The surge in ransomware attacks against local governments and municipalities in 2019 spurred discussion about whether these governments would seek national disaster relief for the cyberattacks in the same manner that they would request relief after a national disaster such as an earthquake, flood, or hurricane.
In 2020, a ransomware attack targeting a municipal system and causing significant disruption for citizens, ranging from loss of services such as electrical utilities to compromised healthcare in clinical settings, will lead one municipality to request disaster relief from the national government.
This act will generate considerable public debate about the role national governments should play in assisting to cover the costs, disruption, and recovery from cyberattacks targeting local governments.
Mass data collection will drive 15% growth in anti-surveillance technology. Concern about the erosion of privacy will lead to a booming anti-surveillance economy market in 2020. In 2019, corporate economic surveillance expanded, and it’s not just collecting data from users; 56% of global data and analytics decision makers report their firm will expand its ability to source external data.
Cities in China and the UK possess over 100 and 68 cameras per 1,000 people, respectively, which allows gait detection and facial recognition use cases. Consumers desiring to preserve privacy will turn to anti-surveillance technology that conceals, distorts, or blocks public and private surveillance tools. Examples include clothing that foils license plate readers, anonymized search engines, lockers for private deliveries, anonymous credit cards, VPNs, anonymization services, and ad blockers.
Privacy-based use cases will expand the total addressable market of these tools as S&R pros will offer tools to employees, recognizing the surveillance economy as an enterprise risk.
20% of enterprise customers will prohibit the use of their data for AI. Despite the improvements ML and AI offer, more and more enterprises will become selective about what data they give to their vendors, even if that choice makes the product or service they’re using less effective. Companies that use enterprise customer data to improve the experiences of B2B clients in their products and services will see organizations choosing to opt out of data sharing due to concerns about anonymization, privacy, and accidental disclosure.
For example, Company A is a customer of Company B, and Company B uses Company A’s data to improve its security analytics. In the future — in response to growing GDPR concerns on the consumer side — Company A will prohibit Company B’s use of the data it generates while using Company B’s services.
Deepfakes will cost businesses over a quarter of a billion dollars. Attackers are using AI technologies like natural language generation (NLG) and video AI to generate fake audio and video designed to fool users. Social engineering attacks are nothing new. What’s new is the technologies being used. In what may be the first known attack of its type, a German energy company was defrauded out of $243,000 in March 2019 when an attacker spoofed the CEO’s voice and convinced another executive to wire the funds.
The technology used to create deepfakes continues to improve and will become easier to use and accessible by more people. This proliferation will lead to an increase in deepfake-based attacks that will eventually rival business email compromise (BEC) in size, an attack type that cost businesses $1.3 billion during 2018.
Integrity attacks enter the mainstream
Malicious actors can adopt AI and ML tools faster than security leaders can; one of the best examples of this is attackers using deepfakes to defraud companies. What was once a prank or an entertainment vehicle became a monetization engine for cyberattackers less than two years after the underlying algorithm debuted.
Anti-surveillance economy emerges
As a mechanism to protect enterprise data, CISOs will join consumers like the data-savvy digitals and skeptical protectionists by deploying anti-surveillance technologies to reduce the risk of outsiders gaining valuable information about the activities, plans, and behaviors of their employees.
Governments will step up and treat cybercrises like natural disasters
Companies’ and citizens’ dependency on technology will force governments to create assistance programs to help them weather the impact of cybercatastrophes.
— By Jeff Pollard, Andras Cser, Heidi Shey, Merritt Maxim, Claire O’Malley, Chase Cunningham, and Jinan Budge, with Joseph Blankenship, Benjamin Corey, and Peggy Dostie, Forrester.