25th anniversary of Infosecurity Europe: Cyber risks associated with new technologies will increase sharply in 2020, according to CISOs

Security managers on the top trends, challenges and risks in the new year – focus on technical debt, credential stuffing and access control

Richmond, Surrey, United Kingdom, 8 January 2020 – As the third decade of the 21st century begins, Infosecurity Europe, Europe's number one information security event, which takes place for the 25th time this year, has asked its community of C-level security experts for their predictions for the new year. The result is a list of challenges, opportunities and trends relating to technology, business and everyday life.

Many of the CISOs surveyed mentioned risks arising from emerging technologies that are expected to be adopted increasingly in 2020. Peter Gooch of cyber risk partner Deloitte comments: “In 2020, the implementation of security automation tools will increase. If this is carried out successfully, companies can adapt quickly to changing attack tactics. If it is implemented poorly, the situation will be more complicated.”

“Demand for more transparency in cloud services will rise. To meet it, providers must make more data and events available to SIEM tools and offer security practices and capabilities in near real time. Hackers are increasingly targeting unstructured data in order to conceal and launch attacks. The priority is therefore the implementation of robust governance.”

“More than 100 companies around the world will have begun testing private 5G by the end of 2020. This could enlarge the attack surface and make it harder to track data flows, as well as complicating the work of those responsible for securing them.”

Mark D. Nicholls, Head of Information Security & Governance at the housing association Peabody, highlights vulnerabilities in artificial intelligence (AI) and the Internet of Things. “Machine learning became established in 2019, and in 2020 we will move towards true AI. However, it must be borne in mind that all of these technologies can also be used by criminals. Just imagine a DDoS attack with a true AI behind it,” he warns.

“As consumers want a smarter, better connected world, we will see more attacks that target connected devices. That is nothing new, but the attack surface will be larger. We must continue our awareness efforts so that the user is our strongest line of defence.”

Another frequently raised topic was the attack vectors that will play a role in 2020. Becky Pinkard, CISO of the award-winning bank Aldermore, expects the number of attacks resulting from technical debt to increase. “To keep pace with customer demand and technical possibilities, the industry is accumulating more technical debt than it pays back. I expect that, because of this growing debt and the shadow risks that come with it, we will see more headlines about successful attacks. The move towards open banking in financial services, the integration of APIs, distributed ledger technologies and AI in rapid succession, and the focus on being the first to catch the customer's attention often mean that security takes a back seat during delivery.”

“Credential stuffing is on the rise, and it could get worse as there are more and more usernames and passwords,” said Troy Hunt, Microsoft regional director and founder of Have I Been Pwned, who was included in the 2019 Infosecurity Europe Hall of Fame. “Or maybe we are reaching a turning point where companies come to the conclusion that they should block login attempts that have the correct username and password, but are not from the right person. In the United States, there are already criminal prosecutions for ‘corporate victims’ of credential stuffing. This development will either get worse or the companies will have to adjust.”

Regarding security approaches that mitigate the risks that will prevail in 2020, David Boda, Head of Information Security at the Camelot Group, believes that the “back to basics” motto is probably the best. “A focus on robust and timely access control and patching still provides the greatest risk mitigation for most companies across all sectors. Providers, consultants, and end-user organizations should talk about these two areas.”

Killian Faughnan, Group CISO at William Hill, also believes that access control will be important, especially in the next-generation workplace. “It is difficult to implement access control that is neither too restrictive nor too permissive. When you consider that by 2020 around 25 percent of our workforce will be made up of millennials, we have to find the right balance that works for this generation.”

Some CISOs believe that solutions come from closer industry collaboration. “In my opinion, we will see a stronger collaboration between security companies, which I hope will lead to better end-to-end security,” said Mark Nicholls.

Peter Gooch believes that convergence will be an important trend: “2020 could be a year of a series of high-profile mergers and acquisitions as well as an expansion and formalization of providers in a world that is growing closer together. This will likely be similar to the ERP revolution that transformed the way financial and operations teams work, and could mean a more efficient operating model for cyber players.”

Two topics that still played a central role in 2018/2019 are not predominant for CISOs this year. One of them is the shortage of skilled workers. “While this will continue to be an issue, I think we have reached a critical point where more and more companies will start recruiting from pools of potential security experts rather than looking for qualified experts,” explains Killian Faughnan. “It’s easier to teach a developer how to become an application security expert than the other way around.”

There was also less focus on the GDPR. This is probably because the regulation and its effects are now widely known. Paul Watts, CISO of Domino's Pizza for the UK and Ireland, has seen signs of “apathy” about data breaches and wonders if this trend will continue in 2020: “Political factors may have distracted here, but I wonder if the public is simply less interested in it despite the more common occurrences in industry. I’m not sure yet whether that will prove to be a curse or a blessing for CISOs at the beginning of the next decade.”

A question that is frequently asked at this time of year is whether we will experience a “mega data breach” that will even outshine security incidents like Equifax’s. “What we can never predict is whether there will be a huge data breach that will rock the world again,” said Troy Hunt. “If there is another incident like Ashley Madison or Equifax that affects dozens of millions of people, it will make headlines that will stay with us for a long time. But this is extremely difficult to predict.”

Nicole Mills, Senior Exhibition Director of the Infosecurity Group, says: “In 2020 there will be a continuation of some long-standing trends, challenges and security risks. A number of technologies that have been talked about for a long time will continue to spread and we must prepare to implement, use and protect them appropriately.”

“While there is less focus on the skills shortage and the GDPR in our CISOs’ forecasts this year, we must not forget that these challenges have not disappeared. The talent gap continues to grow and we need to work together in the industry to find solutions. And even if the GDPR is no longer the big issue it was last year, companies cannot rest on their laurels. You must maintain compliance. It’s not just about fines – the brand image and reputation of the company can suffer for years.”

Mills adds: “Threats and hacking have driven the evolution of the cybersecurity industry over the past 25 years and are likely to always do so. The most important thing for the future is data loss. Data is still the main focus and will probably be the main target of cyberattacks. We should think carefully about where the next big attack will take place and whether we should do more now to prevent it. The whole industry must continue to work hard to stay one step ahead of the attackers.”

At Infosecurity Europe 2020, visitors have numerous opportunities to promote their cyber security skills and strategies and to learn about leading innovations and providers. The event includes the FutureSec series, a series of events and meetings that cover the future of the information security industry with a focus on people and innovations; an extensive keynote program with lectures on strategies and technologies; innovation presentations; and a series of special events around the three-day conference and exhibition.

Infosecurity Europe is now in its 25th year and will take place from June 2 to 4, 2020 at Olympia, Hammersmith, London. There will be more than 19,500 unique information security experts from every sector of the industry and over 400 exhibitors with their products and services, as well as industry analysts, press representatives from all over the world and strategy specialists. More than 200 industry representatives will take part in the free conference, seminar and workshop program. For more information, go to https://www.infosecurityeurope.com.