1(630)802-8605 Ravi.das@bn-inc.net

Well, it is not even Halloween yet, and the Christmas spirit is already filling the air. Some retail stores have already started to play Holiday-related music, and yes, I think the Hallmark Channel has even started to air some shows as well. Just like the winters seem to be coming later and later here in Chicago, it seems like the Holiday cheer keeps getting ramped up earlier and earlier. So why not have Christmas in July?

With this, the Cybersecurity pundits have already started to make their predictions for what the Threat Landscape will be like in the future. Many of them are conducting surveys, and some are just making bold predictions. One such case in point is a Cybersecurity firm known as KnowBe4.

They just recently launched a survey, entitled the “KnowBe4 2019 Security Threats and Trends”, in which they asked respondents what they think the top threats will be in 2020.

Here is what they have discovered:

*Email/phishing scams: 96%

*End user carelessness: 76%

*Social engineering: 70%

*Targeted hacker attacks: 46%

*BYOD/mobile devices: 35%

*Password attacks: 32%

*Data leaks: 31%

*Regulatory: 28%

*Lost, stolen devices: 23%

*Network edge attacks: 23%

*Misconfiguration errors: 21%

*Back door open: 19%

*Combination of issues: 14%

*Denial of service: 14%

*Insider attacks: 11%

*Physical attack: 9%

*Corporate Espionage: 5%

*Eavesdropping: 5%

(SOURCE: https://www.securitymagazine.com/articles/91153-what-security-issues-will-enterprises-face-in-the-next-12-months)

No surprise here, it appears that Phishing remains at the very top of the list. This is what I have predicted for some time now, and what even all of my podcast guests have predicted. But it is important to keep in mind here that you should not simply assume that Phishing attacks will come by the traditional means, such as via Email.

The Cyberattacker of today is well aware that end users are becoming more aware of what a Phishing Email scam looks like, and as a result, they are now turning to other means by which to lure in unsuspecting victims.

One of the ways that they are doing this is by using the techniques of Social Engineering, in which they play on your emotions and fear in order to bait you in. For example, you may get a phone call with an enticing offer, or you may just get a call with nobody answering. In this instance, they are just trying to see if somebody will answer on the other end in an attempt to confirm contact information.

In fact, if you look at the list above, Social Engineering ranks third among the most feared Cyberattacks to occur in 2020. The second most feared threat vector is that of employee or end user carelessness (this is what 76% of the respondents claimed in the survey).

This simply means that an individual really has no malicious intent, but unknowingly does something wrong that can put the corporate IT Assets at grave risk. The old adage that “employees are the weakest link in the chain” doesn’t have to hold true, as long as they are properly trained, and receive that training on a regular basis.

But there is some glimmer of good news in this survey.  For example, 89% of the respondents claimed that they feel they are much better equipped to handle a Cybersecurity attack than they were one year ago.  The survey did not release the particulars in this finding, or in what specific ways that the companies feel more confident in this aspect. 

And believe it or not, yes, my mantra to be proactive is finally resonating with the SMBs, LOL. For instance, 82% of the respondents said that maintaining this kind of mindset will be one of their top Cybersecurity priorities in 2020. Of this crowd, 61% said that keeping up to date with the relevant software patches and upgrades will be one of the most important items to keep in mind for 2020.

Now, while this is resonating with the IT Security Departments throughout Corporate America, unfortunately it still does not resonate with the C-Suite. For example, here is what the survey also found:

*58% of the respondents claim that the lack of funding and budget is still a huge concern going into 2020. In fact, the average Cybersecurity budget across Corporate America is a mere $25,000 per year;

*40% of the IT Department is overworked, and because of that, they are unable to pay full attention to the Cyber Threat Landscape;

*27% of the respondents feel that the organization that they work for will have the means to react quickly to and mitigate a security breach if they are faced with one.

Let’s face it, the lack of Cybersecurity workers is a macro problem. It is not one that will be solved quickly. The problem resides not just in finding skilled workers, but in keeping them as well. But in terms of the lack of a Cybersecurity budget, there is no reason why more funds cannot be allocated. We are now in the thick of Q3 earnings reports, and from what I am finding out, companies are just stockpiling cash on their balance sheets. Why? Instead, put some of that capital into increasing Cybersecurity budgets. Even putting in a few million $$$ extra will mean a lot.

In the end, remember that a security breach can cause a lot of damage, especially from a financial standpoint. The little extra that the C-Suite allocates now pales in comparison to what the actual damages could be if they are hit.

My Thoughts On This

OK, so we know that Phishing will be the top concern for Corporate America in 2020. But there is one threat that is ranked really low (at 14%), and that is the fear of Insider Attacks as well as Physical Attacks.

As I have written about before, Insider Attacks are very difficult to detect, and because of that, this could very well be the prime point of entry for a Cyberattacker.

For example, the Cyberattacker does not necessarily have to be an employee at the organization or even directly involved with it, but through Social Engineering and with the promise of a huge financial gain, there is the strong potential that any employee could be swayed from within in order to help launch an attack. 

Also, don’t discount the risks that are posed to Physical Infrastructures as well.  When we hear the term of “Cyberattack”, we often think that it is the IT and the Network systems that are going to be impacted.  But this will soon change as attacks on Critical Infrastructure will soon start to occur. 

This is also something that I have written about before, and many people are quite fearful of it. Just imagine if we don’t have regular access to water or electricity . . . that would be far worse and much more devastating than simply losing your iPhone or Samsung wireless device.

Finally, more details on this survey can be found here at this link:

https://blog.knowbe4.com/knowbe4-2019-security-threats-and-trends-report-october-2019