As 2020 gets underway, we’re looking ahead to the changes, developments, and trends the coming year will bring to the cybersecurity industry. To help you prepare for 2020, we recently sat down to talk to four Barracuda executives, each with their own perspective and predictions about what the next 12 months have in store and what businesses need to be aware of to stay secure.

Privacy and compliance laws will proliferate

Hatem Naguib, COO, Barracuda

Going into 2020, CISOs will need to understand the proliferation of privacy and compliance laws that are being proposed and implemented globally. GDPR was just the beginning, and executives need to be prepared to adapt as similar regulations are introduced. The implications of these types of rules can be far-reaching, and they’re bound to get more complex, particularly as organizations try to navigate potential overlap. CISOs also need to continue to make sure they are effective at driving support for key security initiatives with the CEO and board members, capitalizing on the attention raised by increasing security concerns to get the resources they need to address new challenges. It will be increasingly important for security executives to focus on how to integrate security into company culture so everyone in the organization understands the roles they play in keeping the company secure.

Highly targeted attacks, conversation hijacking and deep fakes of people’s voices will proliferate as mechanisms for business email compromise attacks, making these highly targeted threats even more convincing, and ultimately more costly. Recent Barracuda research showed that BEC makes up only 7 percent of spear-phishing attacks, but the price for successful attacks can be steep. According to the FBI, businesses have lost $26 billion in the past four years due to BEC attacks, and with new tactics like this, I expect to see that number grow even faster. It’s also a major election year so we should expect to see nation states using the Russian playbook to influence elections at both a local and national level, and government organizations need to be prepared to defend against these attacks. IoT-based security attacks will gain more prominence as cybercriminals find new ways to exploit IoT security vulnerabilities.”

Attackers will target cloud misconfigurations

Fleming Shi, CTO, Barracuda

I believe the biggest security threat in 2020 will be attackers going after misconfigured cloud infrastructures and stealing compute and storage resources. These attacks can be led by insiders as well as by external cyber criminals. The ultimate damage will be data leakage and loss of mission-critical data. These infrastructure breaches will also lead to or enrich other types attacks ranging from social-engineered targeted attacks to botnet-enabled volumetric attacks. I think ransomware and spear-phishing attacks will continue to cause serious damage, but I sincerely believe as public cloud infrastructure adoption continues to increase rapidly, the attackers’ interest will be drawn by the potentially awesome available “firepower.”

I think the trend of ransomware attacks against state and local governments will continue to increase in 2020. I also expect to see cybercriminals adapt by finding the critical times to make these demands, when government agencies will be under pressure to respond quickly. Now with so many aspects of our elections handled electronically, the bad guys can demand attack and demand ransom at a critical point in our political process, which will get them the most payout and damage our democracy. That might be the worst-case scenario, but I genuinely feel that’s the direction these attacks are headed.

Risk management and more state-sponsored cyberattacks

Don MacLennan, SVP, Email Protection, Engineering and Product Management, Barracuda

In 2020, organizations will need to get better at compliance and risk management. Neither is a binary state, they are inherently gray. Regulators don’t tell you how to comply, so security teams have to make calculated decisions and prioritize what issues need to be addressed. Security teams need to learn to talk to the board and the CEO about these topics, and that is something they currently struggle with today. But business risk and cybersecurity risk have become one in the same, and businesses need to adapt to that reality in the coming year.

In 2020, cybercriminals will follow the money and pursue industries where the payout is the biggest. Trends in email security show that cybercriminals are finding new ways to make money that they did before, opting for account takeover and business email compromise attacks, which allow them to make money by tricking end-users into making payments rather than trying to seeing stolen information. The exception will be state-sponsored attacks, which will target industries with valuable intellectual property, such as aerospace, defense, technology, manufacturing and pharmaceuticals, and industries where they can cause disruption, such as utilities and transportation. Expect to see even more of these types of state-sponsored attacks as we move into an election year.

5G will bring new dangers

Klaus Gheri, VP Network Security

In 2020 the biggest security threats in this area will be created by the network’s continuing proliferation, movement to the cloud and extension to critical infrastructure and industrial control systems. To make matters worse, the advent of 5G will allow attackers to siphon data out of compromised devices at a speed not imaginable before. All of the above will push the cyber security skills gap beyond a threshold that is acceptable to business operations. Not solving this serious issue will have a deeply profound impact on the business bottom line.

The most serious threat which we envisage proliferating in 2020 is a completely new one. It has emerged as a side effect of moving to the public cloud, as more and more companies are embracing serverless platforms to integrate cloud applications and reduce costs. Going serverless does not automatically solve inherent security issues. In fact, our customers reported that the use of outdated libraries and especially human misconfigurations are a major threat to cloud deployments.  To solve this issue, we envisage a shift towards cloud automation and cloud-based compliance posture automation.