5 Cybersecurity Predictions for 2020
2019 is coming to a close, so it’s time to take a look forward to 2020. What will the new year bring in terms of cybersecurity trends? XMedius executive VP and general manager of data solutions, Sebastien Boire-Lavigne, shares five predictions based on what he sees on the horizon.
Security is now as Important as Usability
I wrote about the security risks of the Internet of Things (IoT) heading into 2019. To recap: being able to tell your house to turn on the lights is convenient…but saving that extra 20 seconds of your time shouldn’t require you to install security backdoors throughout your home.
It’s not that there’s anything inherently wrong with smart home technologies, but device producers need to include solid security. We’re seeing hackers targeting smart features in medical devices in ways that are potentially lethal. These things need to be protected.
Heading into 2020, I now think the problem of sacrificing security for convenience and usability has proven to be more endemic, stretching from IoT to software and website design. Timesaving features and ease of use are major drivers for change and sales; they’re good things, but we must lock the door behind us as we move forward.
However, designers need to understand that poor usability can poke holes in security
That said, there still needs to be more of a conversation about balancing security with ease of use. Unwieldy design leads either to more mistakes or to lower adoption (with staff working around it with shadow IT solutions). Even when everybody toes the line, sometimes the lost productivity of bad security practices is more expensive than the breaches they try to block.
Security is more than a buzzword. People are looking for proof.
There used to be room in the market for companies that said their stuff was secure, without putting forth the time and effort to prove it. That’s no longer the case. More and more security laws are making protecting user data non-negotiable.
Security features and certifications developers trumpet in their sales materials are now being thoroughly scrutinized. A lot of sales conversations we’re having with customers now begin with certification and compliance questions from them, not the nitty-gritty of what we can do. If the product isn’t PCI DSS-compliant, for example, as far as they’re concerned there’s no point in continuing the discussion.
This is great, because it means companies like XMedius, which has had security at its core since the beginning, are getting more credit for the work they do. Offering products that are properly secured and maintaining certifications that require audits isn’t easy. It’s nice to see this work being considered more valuable in the enterprise and SMB markets.
Organizations are Still Going to Be Working to “Axe the Fax”
Given how frustrating, unreliable, and expensive they are, it’s amazing that there are still so many traditional fax machines out there in the world, even at leading hospitals. 2020 is going to continue to bring targeted initiatives to phase them out.
When the UK’s National Health Service (NHS) dramatically announced an “Axe the Fax” campaign at the end of 2018, the goal was to remove the archaic traditional fax machines endemic to the organization’s offices and hospitals by an April 2020 deadline. While it appears likely that they’ll miss that deadline, the impulse is spot on. It’s past time to cull fax machines from the herd, no matter the industry (but particularly in healthcare).
However, the reason why these machines are so hard to dislodge is that they continue (through gritted teeth) to provide a critical service: secure communications for very private documents. Getting rid of them means coming up with a replacement solution, and there are many options.
What’s the alternative?
Believe it or not, many organizations ultimately end up coming right back around to fax…but a different kind of fax. A lot of regulations were written with fax in mind; it’s simple and effective. The key is that they’re not going back to the machines. Fax as a communications tool has evolved. It’s no longer a machine, it’s a medium.
More and more organizations are realizing they can get rid of the devices they hate while keeping the functionality they need with software Fax over IP or Cloud fax solutions. We continue to see significant increases in adoption worldwide (and I expect them to continue to grow), despite all the predictions of fax’s demise.
Of course, there’s also an evolving world of file exchange solutions that promise to one day replace fax. Many are unwieldy, and as I mentioned above, that’s a problem. Speaking as someone who helped design it, I happen to think ours is the perfect blend of security and ease-of-use.
We’re also starting to see an increase in the use of secure direct-messaging apps in the US for HIPAA-compliant communications and file exchange (it’s worth noting that these solutions don’t fit the bill completely). However, they require people on both sides of the conversation to have installed the software, built accounts, and formally connected. Will this be the wave of the future? Time will tell.
Targeted Financial Cyber Fraud is Going to Rise
Ransomware continues to dominate cybersecurity headlines, but there’s a new tactic starting to gain traction. While more and more bad actors are utilizing readymade ransomware packages (aka Ransomware as a Service or RaaS) to profit from unsophisticated attacks, the top tier criminals are shifting towards a more patient, calculated strategy.
We’re starting to see hackers invade organizations and then…do nothing. Once they’ve got their foot in the door, they lie in wait, learning important employees’ email and linguistic habits, waiting for the perfect moment to strike. When that moment comes, such as when a major purchase is going through or they see an opening for executive fraud, they’re prepared to step in via the hacked email account and submit alternate bank routing information in a message that the other end of the conversation will assume is legitimate. Real estate started to get hit with this around 2018, but it’s spreading.
The rewards for these sorts of Business Email Compromise (BEC) attacks can be a lot higher for the hackers than a simple ransomware attack, and victims are finding it hard to get their insurance policies to cover the damage.
It’s spreading beyond email too. Deepfake technology is allowing the most sophisticated attackers to mimic CEOs’ voices and speech patterns in order to do similar things over the phone.
The best defense isn’t just about having the right tools, it’s about training a vigilant staff and constructing policies to catch potential lapses before money’s out the door. You can read more about preparing for BEC attacks in our earlier post about Executive Fraud.
2FA is Going to be Less of a Guarantee
Two-Factor Authentication (2FA) is still an outstanding low-effort, high-reward security strategy that every organization should have in place. However, it’s essential to remember that cybersecurity is a multi-ingredient recipe, not a single solution.
Hackers are adapting to try to work around 2FA. This first started being publicized in cybersecurity circles back in 2018, but as more and more organizations have brought 2FA online in the intervening time, more and more hackers are trying to beat it.
2FA-enabled solution providers need to update their products to improve one-time password (OTP) proxy detection, add IP- and location-based extra challenges (the hacker will likely not be logging in from the same area as the target), and increase suspicious-activity notifications.
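As an added illustration of the kind of login-risk logic this paragraph calls for (example code written for this post, not an XMedius product feature), the function below combines the location mismatch between the login and the device that approved the OTP, a new country or device, and impossible travel into a step-up or notify decision. The record layout and the sample logins are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All records below are constructed for this example; the field names are
# assumptions, not any vendor's schema.

@dataclass
class Login:
    user: str
    at: datetime
    ip: str
    country: str            # geolocation of the IP the login came from
    device_id: str
    otp_valid: bool
    approver_country: str   # where the push/authenticator approval came from

@dataclass
class History:
    known_countries: set
    known_devices: set
    last_login_at: datetime
    last_country: str

def assess(login, hist, min_travel=timedelta(hours=2)):
    """Return (action, notify, signals); action is allow, step_up or deny."""
    if not login.otp_valid:
        return "deny", False, ["otp_invalid"]
    signals = []
    # Login traffic geolocated away from the device that approved the OTP
    # is the classic footprint of a real-time relay (OTP proxy) phish.
    if login.approver_country != login.country:
        signals.append("otp_relay_suspected")
    if login.country not in hist.known_countries:
        signals.append("new_country")
    if login.device_id not in hist.known_devices:
        signals.append("new_device")
    # Two logins from different countries inside a short window.
    if (login.country != hist.last_country
            and login.at - hist.last_login_at < min_travel):
        signals.append("impossible_travel")
    # Any signal earns an extra challenge; the strong ones also page the user.
    notify = "otp_relay_suspected" in signals or "impossible_travel" in signals
    action = "step_up" if signals else "allow"
    return action, notify, signals
```

In practice the thresholds and the country granularity would be tuned per deployment; the structure (signals feeding a challenge decision plus a notification) is the point.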
I know I sound like a broken record here, but it really can’t be emphasized enough – IT staff on the ground also need to continue to do anti-phishing training. The best locks in the world don’t help if people hold the door open for their attackers.
Formal Data Governance is Going to Become Mandatory
Data governance, the codification of an organization’s data collection, use, and management systems, is going to be a key consideration in 2020. It’s become an integral part of the CIO’s role, and most organizations are either working on or planning to establish data governance.
Why? Because it’s becoming more and more necessary to protect an organization’s interests. Laws like GDPR and CCPA are putting everyone on notice that they’re no longer allowed to be sloppy with private information. You need a plan, a system for what comes in, what’s done with it, and what goes out. If you don’t, you stand to get hit with fines, bad press (and thus lost business), and lawsuits.
Get Ready for 2020 with the Right File Communications
No single solution is going to make you compliant with all regulations and perfectly secure in 2020…but the right solution can be a big help. XM Fax, the XMedius FoIP solution, and XM SendSecure, our secure file exchange system, can help streamline a comprehensive compliance and security strategy. Both products have been carefully designed to be as easy to use as email, while delivering the results regulations and your organization demand.
If you’d like to learn more about what XMedius can do for your organization’s communications, reach out to us for more information.