20 January 2020
BSI Cybersecurity and Information Resilience centre of excellence forecasts five key trends across the cybersecurity landscape for 2020.
1. Multi-Factor Authentication (MFA) Attacks
A report by LastPass* highlighted that last year 57 per cent of global businesses adopted MFA, compared to 45 per cent in 2018. While this indicates a growing uptake of MFA in 2019, it also means attacks against MFA will inevitably rise.
Stephen O’Boyle, Global Head of Cybersecurity and Information Resilience Services at BSI, says, “MFA is a method of authentication developed to add an additional layer of protection for users, and while we have seen a positive roll out in 2019, we expect to see attackers increase their attempts to bypass it. One such example is what we call a ‘9am attack’, whereby the attacker attempts to log in at around 9am local time of the user. The end user arrives at the office, and when logging on, gets a prompt on their authenticator app to approve; if the attacker has it timed correctly, the user approves and inadvertently grants access to the attacker.”
“This along with other targeted attacks, such as Evilginx (a man-in-the-middle attack framework used for phishing credentials and session cookies) or SIM swapping (at its most basic level, when a hacker convinces your phone carrier to switch your phone number over to a SIM card they own), will become more prominent this year. Provided that phishing attacks remain a ‘high return and low risk’ proposition, they will continue to be attractive to attackers. Organizations must have the capability to detect and react to advanced attacks in order to keep their clients, employees, and information secure.”
2. Third Party / Supplier Risk Management
The effective management of supplier risk has been strengthened by a number of new directives and regulations with wide-reaching effect, including the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR). While companies are following ISO/IEC 27002 (Information technology — Security techniques — Code of practice for information security controls) and ISO/IEC 27036 (Information technology — Security techniques — Information security for supplier relationships) to improve their ability to manage risks, and are substantially increasing their security controls, the risks relating to supplier relationships will continue to expand in 2020.
O’Boyle explains, “Supplier risk management allows organizations to identify, assess, manage, and treat supplier risk. This year businesses will need to further enhance their solutions when it comes to reducing risks associated with third party management. This includes processing of information, outsourced system development, integrations, configurations, and hardware product provenance. Doing so will allow them to be in a better position from a security perspective to achieve their objectives and meet their compliance requirements.”
3. Ongoing Privacy Assurance
Globalization and the relentless advance of technology mean that privacy safeguards are necessary to ensure the protection of the fundamental rights of citizens. The need to adopt a principles-based privacy program that establishes a rights-centered approach to controls will grow this year as enforcement of regulations such as the GDPR progresses - in 2019, 134 fines were reportedly issued under the GDPR, equating to over €417 million.
“Many organizations have realized their compliance requirements under GDPR; however, new and evolving global legislation, such as Japan’s Act on Protection of Personal Information (APPI), Brazil’s Lei Geral de Proteção de Dados (LGPD), Thailand’s Personal Data Protection Act (PDPA) and California’s Consumer Privacy Act (CCPA) mean that an organization’s privacy compliances continue to evolve. These global requirements must be considered based on a company’s global reach and their data jurisdictions,” says O’Boyle.
4. Advanced Hacking Techniques
Mature security organizations often allocate significant human and financial resources to their cybersecurity programs. In 2019, many industry security teams were tasked with proving the value of the company’s security investments. In addition to certifications such as PCI DSS (Payment Card Industry Data Security Standard), ISO/IEC 27001 (Information Security Management Systems), and SOC 2 (Service Organization Control 2), companies began conducting Purple Teaming exercises, where Defenders (Blue Team) are pitted against Attackers (Red Team) to determine the effectiveness of their defense capabilities. This practice will expand in 2020.
“This technique provides a truly effective view of attack susceptibility and defense capability in a close to real-world attack scenario. The benefits to organizations are extremely valuable as defenders gain attack experience in a safe scenario environment, deficiencies are highlighted, and opportunities to improve identification and response capabilities are advanced through process improvements and monitoring system tuning. We will see more companies adopt this approach as part of their annual assessment activities this year,” says O’Boyle.
5. Cloud Security - Zero Trust Networks
As cloud adoption grows and organizations begin to truly accept the ‘death of the perimeter,’ the Zero Trust model will rise to the fore. Security measures for protecting organizations beyond the traditional firewall will continue to improve, and conditional access that considers device enumeration, certificates, location, biometrics, and user secrets will become the norm for protecting organizations that adopt cloud-first models.
“Cloud services, including Microsoft Office 365, are key targets for attackers, with password spray and credential stuffing attacks as examples of methods used to gain access. Companies that progress their cloud journey without adequate Identity and Access Management tools and processes will soon find themselves subject to compromise. Those with limited monitoring in place can expect attacker persistence to remain for extended durations,” said O’Boyle.
He concludes: “We are seeing the next phase in cyber threats, cyber-related regulations, technological evolutions, and specific solutions within these trends, looking beyond the stalwart and ever-present security risk of inadequate patching. Defense preparation must remain high on the agenda for 2020 across all industry sectors including finance, the public sector, transportation, food, and healthcare. Organizations need to prioritize and address their cyber and regulatory efforts this year and opt for a deeper level of assurance across the board at all levels. Doing so will ensure that everyone has a greater understanding of the cybersecurity landscape and that their information resilience is enhanced across the organization.”
The BSI Cybersecurity and Information Resilience team provides a range of solutions to help organizations address their information challenges covering cybersecurity, information management and privacy, security awareness, compliance, and testing. For more information visit: bsigroup.com/cyber-us.
*LastPass Global Password Security Report.
BSI is the business improvement company that enables organizations to turn standards of best practice into habits of excellence. For over a century BSI has championed what good looks like and driven best practice in organizations around the world. Working with 84,000 clients across 193 countries, it is a truly international business with skills and experience across a number of sectors including aerospace, automotive, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance, Regulatory Services and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient. To learn more, please visit: bsigroup.com
About BSI Cybersecurity and Information Resilience center of excellence
The BSI Cybersecurity and Information Resilience center of excellence is based in Sandyford, Dublin, where it manages and secures corporate information for BSI’s global clients. The company provides expertise to clients on the identification, protection, compliance, and management of their information assets through a combination of consultancy, technology, research, and training. Its mission is to help clients achieve Information Resilience - an environment where infrastructure is protected and secure, regulatory and compliance obligations are met, people are safe, and reputation and trust are maintained. The company’s highly qualified consultants’ experience and expertise cover the entire Information Governance landscape.
The company’s credentials are enhanced by adherence to internationally recognized accreditations and certifications (CREST / Cyber Essentials / Payment Card Industry Data Security Standard Qualified Security Assessor). BSI is the originator of the ISO/IEC 27000 series of Information Security Standards and the global leader in providing training and certification to the ISO/IEC 27000 series. For more information visit: bsigroup.com/cyber-us.
Press contact: Chad Quinn
Public Relations Manager, Americas