As companies plan their data security strategy for 2019, they’re faced with a particularly challenging set of unknowns. On top of shifts in the market and political uncertainties, businesses must operate in an ever-changing threat landscape as they make decisions about how best to protect their most valuable asset: their data.
We gathered members of the Code42 security team for a roundtable discussion to get their cybersecurity predictions for 2019. The upshot: Employee behavior and need for collaboration will challenge security teams as they face an increasingly hostile threat landscape and tightened regulations.
Employee behavior and corporate practices will be front-and-center for data security strategies.
Chrysa Freeman, senior analyst, security awareness and training: Security awareness isn’t always a hot topic, but we’re going to see a lot of change in this space in 2019. Annual compliance trainings and e-learnings will be replaced by interactive, short, frequent trainings to increase employee engagement and retention of the content. Companies will start using humor instead of the somber, scare-your-socks-off tone of years past because they’ll recognize they’ll be more successful when trainings are engaging and to the point.
Jeremy Thimmesch, senior information security analyst: We will continue to see organizations struggling with the basics: patching, asset management, access control and data management. Vulnerabilities in operating systems, applications and infrastructure will go unpatched due to IT constraints, leadership priorities, and poorly implemented vulnerability and risk management programs. As a result, we will continue to see breaches from the usual suspects: phishing, lack of user awareness and poor patch management.
Use of two-factor authentication and password managers will increase.
Jeff Holschuh, manager of identity: 2019 will be the year of two-factor authentication for consumer websites. With the huge number of compromised username/password combinations currently for sale on the dark web, the number of banks and e-commerce sites that allow a second authentication factor will increase substantially.
Chris Way, senior security engineer: As breaches continue to become more commonplace, more users will embrace password managers. They are timesavers when the alternative is having to manually update your passwords across the board
The regulatory environment will tighten, but companies may not change anything.
Chris Ulrich, senior information security analyst: 2019 will be the beginning of the “Data Responsibility” movement, partly because of GDPR and partly because people are tired of having their data spilled all over the Internet with little to no recourse for the responsible party. Most breaches are a result of vulnerability and carelessness. I’m always hearing people ask, “What could security have done better?” But not once have I heard, “Why did we have this data in the first place?”
Nathan Hunstad, director of security: I’m a bit more pessimistic: nothing will change. Systems will continue to go unpatched; and as a result, avoidable exploits will not be avoided. People will click on links. There will be at least one breach with more than 100 million records lost. GDPR will increase the fines for some of these breaches, but not enough to motivate companies to approach security differently; the recent fine of Google for €50 million is pocket change to such a company. Instead, we will see companies just leave the EU market to avoid regulatory burden.
Cyber warfare will escalate and create more mistrust in our digital world.
Andrew Moravec, security architect: 2019 will be the year when cyber warfare moves further out of the shadows. We’ll see nations actively spying on foreign citizens and bugging officials and executives via their own gadgets and technology. We’ll see foreign leaders and states use hacks and cyberattacks against global corporations as a form of extortion for political influence. With successful attacks, we’ll see bravado — “Big deal, what are you going to do about it?” — and fewer denials.
There will also be a resurgence of troubled and misguided attempts to regulate and monitor social networks and calls to ban VPNs and limit civilian cryptography, which is currently the case in Australia.
You will see a cable or DSL network go down for a prolonged period of time, perhaps for days. It will be unclear if this is an attack or the result of poor management or overwhelmed staff. The result will be a conversation on how dependent we are on computer networks for day-to-day life, and just who do we trust with our link to the world.
Despite the increasing challenges, security teams will need to allow employee collaboration—and be collaborators themselves.
Michelle Killian, senior manager of security and risk compliance: I’d love to see security get better at real information sharing and collaboration in 2019. The DevOps community is awesome at sharing their failures as much as their wins, which allows the community to benefit. Security is, understandably, a bit more tight-lipped about our failures. But I think we’re only hurting ourselves and making adversaries out of what should be great security partners.
Byron Enos, senior security engineer: In 2019, security teams will be forced to become more agile to keep up with business demands. They will start moving away from big gates and bars, and instead gravitate towards automation and providing “security as a service” to internal business partners.