5 cybersecurity threats you should prepare for in 2020

As 2020 edges closer, the preparedness of Australian businesses for cyber attacks and data breaches remains a concern. Reported incidents of security breaches have increased by more than 700% since February last year, costing the country $7.8 billion — and threats will only continue to evolve with time. According to AustCyber, Australia has become a malicious software ‘testing ground’ for hackers, partly because it has been slow to prioritise cybersecurity.

It’s vital that government and business organisations begin to map out their strategies for a stronger defence in the New Year — and that means knowing what to expect. So what sort of new cybersecurity threats are predicted to develop or emerge in 2020? And how can you best protect your business, your data and your customer information from a breach?

To help you identify your key security priorities and adjust your strategy accordingly, ESET has identified five of the top cybersecurity threats likely to face your business in 2020 — and they might surprise you. Rather than worrying about ultra-advanced, futuristic threats, businesses should, in fact, be getting back to basics to build a strong foundation for the long term.

1. Data leaks

Data leakage is regarded as one of the most pressing security threats for businesses going into 2020. According to the 2018/2019 BDO and AusCERT Cyber Security Survey, data loss and the theft of confidential information increased by almost 79% in 2018 compared to 2017 — and will only continue to rise. Respondents expect data loss and theft to be the most prevalent threat for the rest of 2019 and beyond, predicting attacks will come from activists (80%), insiders (68%) and foreign nationals (10%).

The cause of such incidents is not always malicious in nature; it’s often due to individual users making poor decisions about which apps are able to access and transfer their information. It can be something as small as an employee transferring company files onto a public cloud storage service, or forwarding an email to an unintended recipient, that opens a company up to data loss or theft.

Heading into 2020, all sectors should increase their focus on employee cybersecurity training and awareness — as well as a robust security defence to prevent any attacks. A recent Customer Loyalty 2018 Report by Gemalto found that over 70% of Australian consumers would walk away from a company that experiences a breach — so it’s vital your company makes data protection a top priority.

2. Out-of-date devices

By now you’re likely familiar with the emerging trends surrounding the Internet of Things (IoT) — the ever-increasing plethora of (mostly) smaller devices connected to wireless networks, from industrial sensors to smart locks and security cameras — but you may not be across the potential security threats they bring with them.

IoT and endpoint devices pose an increasing threat to business security, as they are often non-standardised, lack built-in security and are difficult to update — but have just enough capability to be hacked and used to access wider company networks and data.

These devices are commonly designed and supported by manufacturers with little or no network and operating system expertise or security awareness. As a result, off-the-shelf parts and embedded systems are commonly used and generally chosen based on price. Hence, even very recently designed, entirely new-to-market IoT devices will ship today, tomorrow and next week with gross insecurities, due to poor configuration, the inclusion of months — even years — old operating systems (OS) and application versions that are rife with known vulnerabilities.

Few of these devices are built with OSs or applications configured to check for updates, monthly security patches and so on. Many IoT gadgets that can pose a significant risk and can be updated may have such limited computing power or connectivity (such as smart lighting controllers and/or light bulbs) that updating them requires considerable effort on the part of their owners, making them far from the set-and-forget helpful gadget you thought you were buying. In just one example of what can go wrong with these IoT devices, one of the biggest internet stability incidents of recent years was due to the Mirai botnet, which breached internet-connected CCTV cameras and digital video recorders.

Keeping devices up to date where possible is a good place to start in protecting your company and employee devices.

3. Social engineering

Social engineering tactics — those that trick users into giving up sensitive information or passwords, clicking dangerous links or downloading malicious attachments — have been around for a long time now, but they’re not going away anytime soon.

Phishing remains the most common vehicle for cyber attacks, accounting for 20% of all security incidents in 2018. As well as email, phishing has been increasingly deployed via text messages, in-game messaging, and social media apps like Facebook Messenger and WhatsApp. Mobile users are at the highest risk of falling victim via email, largely due to the way many mobile email apps display a sender’s name — making it easier for a person to mistakenly think an email is from someone they trust.

The best defence is, again, employee education, combined with mobile security solutions such as multifactor authentication. According to a recent study conducted by Google, New York University and UC San Diego, even a simple on-device authentication can prevent 99% of bulk phishing attacks and 90% of targeted attacks.

4. Collaboration app security

Collaboration, planning and file-sharing tools are becoming increasingly popular amongst small and big businesses alike. But as more teams turn to these apps to help coordinate, manage and work on projects of all kinds, organisations risk losing track of what company data is shared, where and with whom.

Apps like Slack, Asana, SharePoint, Dropbox and Google Docs are great for productivity, but they can also open businesses up to cybersecurity risks — increasing the number of channels that hackers can distribute malicious content or steal confidential data from. Because many of these tools are web- or cloud-based and are often installed by individual employees or teams without proper IT vetting, they tend to fly under the cybersecurity radar, creating hidden vulnerabilities.

To ensure your employees can benefit from collaboration apps while staying secure, it’s important for IT and cybersecurity teams to work with other departments. Agree on a collection of trustworthy apps that can be vetted and monitored and ensure best practice and security policies are communicated to all users — and enforced.

5. Credential stuffing

Do you use the same password for multiple accounts? A lot of people do, which means a lot of your users do. Cybercriminals rely on this for credential stuffing. Credential stuffing is a cyber attack in which credentials from a data breach at one service — such as an ecommerce store — are then used to attempt to log into other, unrelated services — such as online banking and popular social media accounts. These log-in attempts are usually large scale and automated, testing multiple credentials across multiple websites at once.

Because cyber attackers are counting on the fact that many of us use the same username (commonly either your full email address or the ‘username’ part of it) and password on multiple sites, it’s vital you and your employees maintain a best practice approach — don’t use the same password across multiple accounts and be sure each password is strong, hard to guess and not already compromised. Further, wherever possible, implement two-factor authentication so your system’s security is not dependent on a known weak point in security practices.

Be proactive and master the basics

While you may have been expecting the biggest threats of 2020 to be cutting-edge, never-before-seen cybercrime, more often than not it’s the simple things, the smallest gaps, which are the biggest vulnerabilities in a company’s posture. Next year, it’s all about mastering the basics — and Australia still has a long way to go.

Having said that, awareness is on the rise, as is the appetite for action. Recent compliance regulations have helped to boost data breach notification numbers and, according to the 2018/2019 BDO and AusCERT Cyber Security Survey, nearly 85% of organisations plan to implement regular cybersecurity risk assessments.

Going into 2020, many Australian organisations will still lack the capability to detect a breach or respond in a way that minimises cost and reputational damage. That’s reality. But by focusing on best practices — such as employee training, password policies, patching and inventory management — you can build a strong foundation for the long term. For additional layers of security, a bundled solution such as ESET Secure Business can help keep your company prepared and protected — so you can feel confident in your defence, no matter what threats 2020 brings.

Image credit: ©stock.adobe.com/au/tashatuvango