2020 brings even more cyber security challenges
Regardless the state of digital transformation at an organisation, cyber security must always remain a corporate priority. But adding to the complexity of the ever-widening attack surface is the increasing reliance on cloud computing and the Internet of things (IOT), and the associated impact both these have on DevOps.
With the annual costs associated with cyber attacks expected to reach more than $6 trillion by 2021, it is one of the most significant challenges facing decision-makers. Safeguarding data is not only a compliance concern, but a financial one as well. If this most valuable business asset is compromised, significant fines, the loss of shareholder trust and brand damage can combine to see less resilient businesses being forced to shut down.
As reliance on data increases, so too will the attacks. Threat actors are using more innovative ways of trying to compromise data, with the ultimate payload being infecting the business with ransomware. And without access to its data, most companies are ‘dead in the water’. This results in many choosing to pay and hoping that will be the end of their worries. Unfortunately, this only opens the business up to further attacks.
Evolving threat landscape
Beyond these more traditional corporate attacks, next year will see more threats emerging targeting online banking services. Fraudsters in West Africa will intensify their scam campaigns and become more nuanced around social engineering and phishing attacks to compromise financial credentials.
Unfortunately, relying on updating security patches alone will no longer be good enough. In the rush to keep the increasing number of digital holes plugged, patches are being rushed out, compromising their quality. It will also inevitably lead to patch gaps occurring that will cause significant weak points in the organisational defences. Yes, patches must be implemented, but they are no longer the only cyber security measures an organisation must implement.
Next year, crime as a service will become commonplace. This sees blockchain environments used to pay cyber criminals in underground markets providing them with an easy (and, ironically enough, more secure) way to monetise cyber crime. It also means companies can more easily commit corporate espionage and even governments can target foreign entities to compromise their infrastructure by simply paying top dollar to the best hackers in the market.
The growth of IOT and the increasing availability of connected devices to the corporate back-end will present a significant threat to corporates in the year to come. Coupled with this is the start of the 5G roll-out that will start happening in 2020, creating new risks that will challenge how IOT security is approached.
Given the newness of 5G technology, several vulnerabilities are likely to be introduced that can be exploited. But, despite this, many IOT attacks will still likely take advantage of older, more rudimentary weaknesses in default passwords and set-ups as well as communication protocol technology that is not effectively safeguarded.
Developing for security
As IOT, 5G, and cloud continue to drive business to a digitally connected world, the way DevOps approach security must change. The pressure to move to a cloud environment are raising concerns around the security of its different layers. For example, vulnerabilities in container runtimes, orchestrators and build environments must now become a focal point, while not neglecting the data access points into the organisation.
Furthermore, misconfigurations when it comes to cloud storage can have the unintended consequences of compromising security. This will become even more prevalent as more multinational data centres open in the country and businesses flock to the cloud.
All told, the rapidly evolving cyber-security environment means larger investments must be made to protect company data and systems. User education will be vital to ensure data protection policies remain top of mind.
Deepfakes and AI
Trend Micro went on to find that deepfakes will be the next frontier for enterprise fraud.
For years, e-mail-based scams with evolved techniques have been largely perpetrated by fraudsters in West Africa — and we do not expect this to change. We do foresee fraud advancing in 2020 with new technologies, specifically artificial intelligence (AI).
AI technology is being used to create highly believable counterfeits (in image, video, or audio format) that depict individuals saying or doing things that did not occur — commonly referred to as “deepfakes”.
The rise of deepfakes raises concern: It inevitably moves from creating fake celebrity pornographic videos to manipulating company employees and procedures. News of cybercriminals using an AI-generated voice in social engineering surfaced in 2019.
An energy company was reportedly defrauded of US$243,000 by scammers who used AI to mimic the voice of the firm’s CEO.13 More attempts will exploit the technology, using deepfakes of decision-makers to deceive an employee into transferring funds or making critical decisions.
There will be a shift from traditional business email compromise (BEC) and technical support scams. Malicious actors will no longer rely solely on spoofing email addresses and will take advantage of the audiovisual element of deepfakes to lend more credence to their schemes.
C-level executives will be prime targets for this kind of fraud since they are often in calls, conferences, media appearances, and online videos.
Google has already released a vast dataset of deepfake videos to aid researchers in detecting forgeries. While “deepfake scams” may be in their nascent stages, employees will have to learn to identify telltale signs of deepfakes, such as a different intonation, slow speech, and artificial-looking skin in videos. Additional verification steps in finance-related processes will also be crucial.