Scenario #7 Cybersecurity professionals will take the spotlight as the talent gap widens

For years there’s been a significant gap between demand and supply of cybersecurity talent. If we continue along the trajectory we are currently moving within the cybersecurity space, this gap will only grow bigger.

However, necessity is the root of invention. Similar to the DevOps methodology coming to be out of the evolution which allowed development teams to build software at a faster pace, there must also be innovation allowing teams to add cybersecurity mechanisms at a faster rate, thus closing this talent gap.

With cultural shifts such as DevSecOps, I anticipate that we’ll see an amplified shift in terms of the in-demand skillsets for cybersecurity professionals. 

Scenario #8 Four sectors will be in the cybercriminal gunsights in 2020

Aaron Zander, Head of IT, HackerOne: Government, healthcare and finance are still very “easy” targets. This is not going to stop any time soon. 2019 felt like a good year to see more companies really start investing in security, but it still seems like a small inflection, and not the tipping point.

Personally, I am keeping my eye on DNA databases; I have no idea what the value of DNA data will be, but I know that in our lifetime it will probably become one of our most valuable identifiers, and right now we pay other people to tell us trivial things about our history and give it away for free with no real protection.

Jeff Hurmuses, Area Vice President and Managing Director, Asia Pacific, Malwarebytes: Healthcare organizations will continue to be hot targets for threat actors, given the sensitivity of the data held by these organizations. 

As Singapore continues on the journey of digitalizing the healthcare sector, there will be more threat actors attempting to find loopholes in the system in order to steal data. Earlier cases of data leaks such as the records of HIV patients as well as the mishandled personal data of blood donors by the Health Sciences Authority (HSA) did not result in data landing in the hands of hackers. However, we may not be as lucky next time. Healthcare is currently the seventh most targeted industry by cybercriminals according to data from Malwarebytes, and this highlights the growing threat and reason for increased concern about healthcare security as we move into 2020.

Web skimmers will broaden their impact by going after more e-commerce platforms. Looking at web skimming activity, we see that there is no target too big to take on and that no platform will be spared. 

As long as there is data to be stolen, criminals will put the effort to either compromise online merchants directly or indirectly, as seen from the Uniqlo breach and Sephora breach earlier this year that saw over 460,000 and 3.7 million leaked records respectively. 

Although the majority of them silently lurk at the checkout form where customers enter their payment data, we are starting to see skimmers impersonating payment processors and attempting to phish information. As such, we can expect skimmers to use novel attack techniques in future.

Scenario #9 New hunting grounds in autonomous vehicles, and how ISO/SAE standards will prevail

Dennis Kengo Oka, Senior Solution Architect, Synopsys Software Integrity Group: There are two major trends emerging in the automotive industry. The first is the concept of CASE (connected, autonomous, shared, electric). As technologies such as 5G lead to increased connectivity alongside advances in proprietary and open source software (e.g., Automotive Grade Linux), we will see targets move beyond the vehicle. Malicious actors will leverage new, evolving attack vectors in backend systems, mobile apps, infrastructure and services relating to automotive technologies.

The second major trend we will see in 2020 is that of standardization and regulations such as ISO/SAE 21434 and UNECE WP.29 driving cybersecurity activities in the automotive industry. This will lead to changes in organizational teams and processes, including the addition of security gates such as static code analysis, open source risk management, fuzz testing, and penetration testing to implement security throughout the entire vehicle life cycle. An increased focus on automated test processes and toolchains will continue to emerge as well in the year to come.

Scenario #10 Small businesses with cavalier security stances will be in danger

Eli Erlikhman, Managing Principal Consultant at Synopsys Software Integrity Group: In many cases, cybercriminals’ primary objective is to make money. Similar to any business, cybercriminals are looking for the easiest way to generate revenues and for ways to automate their attacks in order to increase their margins.

Small businesses tend to have weaker cybersecurity defenses than large enterprises, with limited detection capabilities, and little or no predefined plan to respond to cyber-attacks. Small businesses are also likely to have cost-effective technology stacks that can enable cybercriminals to automate large-scale attacks. 

All these factors point to continued growth of cyber-attacks against small businesses. There are, however, ways that they can take proactive security measures that don’t require enterprise-scale security budgets.

Sascha Giese, Head Geek, SolarWinds: The next step in implementing managed services or an MSP vendor in 2020 will be integrating a managed security services provider (MSSP). MSSPs are particularly appealing to organizations with limited budget, staff, or resources to maintain good cybersecurity. Employing an MSSP eliminates the internal “blame game” and tech pro finger-pointing and shifts accountability when it comes to data security disasters. An MSSP is solely focused on security, has access to round-the-clock skilled staff and tools typically more expensive than other IT solutions to offer the flexibility to take on specialized services to meet compliance regulations. For these reasons, in 2020, we will continue to see an uptick in organizations integrating MSSPs. Those who will get the most value from MSSPs will be organizations taking more responsibility for their data security and not looking for a scapegoat for when something goes awry.