There are four major trends to consider for your data security planning as the new decade begins.
Cyberattacks aren’t slowing down. In fact, both the number and the cost of attacks are increasing as the new decade dawns.
To combat these current and emerging threats, it’s worth looking back on the last 10 years. What technological advancements sparked the need for improved information security (infosec)? What’s next for attackers as defenses become more sophisticated? And which data security trends offer actionable “2020 insight”?
According to Kim Albarella, Senior Director of Security Advocacy for ADP, significant cybersecurity shifts came about in the wake of events like Y2K and 9/11. “Companies started to get nervous that systems wouldn’t function properly,” she says.
Ten years ago, server and mainframe protection were top priorities. “While there were Blackberries, not everyone had one. iPads were just breaking out. Mobile was remote, but not widespread,” Albarella says. “Infosec was just starting with firewall protection, server protection and physical protection of data centers.”
But existing server protections began to fail. From whistleblowers to commercial breaches to widespread development of ransomware tools, changing conditions made data the battleground of enterprise IT. Attackers were always one step ahead and always finding new ways to enter systems. Businesses deployed intelligent, adaptable tools capable of detecting malicious resource use and network access, and in response, malicious actors leveraged fileless malware. Users moved to mobile, and cybercriminals followed with SMS threats and fake applications. At scale, organizations moved to the cloud, using increased resource availability to boost total security and enhanced connectivity to drive mobile adoption.
Now, experts predict greater personalization of attacks as protected data is leveraged to modify user behavior. More blunt-force breaches are likely as well, as hackers are now seeking simple routes through the increasingly complex Internet of Things (IoT) and other perpetually connected systems.
The last decade made it clear that change drives IT’s advantages and adversaries. With the benefit of “2020 vision,” we can observe four consistent data security trends from these years and move into the future of IT innovation with an informed perspective.
1. Handling the Human Factor
Human error remains the leading cause of data breaches, reports Kaspersky Lab. As Albarella points out, “We’re social computers, easily hacked.” Psychology matters as much as physical or digital data defenses, and if hackers can tap into our knowledge of critical network services, corporate email lists or personnel files, all it takes is “one trick, one click” for hackers to compromise key systems.
Ten years ago, this often took the form of easily identifiable scam emails offering large sums of money to unsuspecting staff members in exchange for seemingly innocuous information. Today, many of these messages are seemingly sent from the C-suite; as Albarella notes, “It’s going to get much worse with deep fake videos that are nearly perfect.”
But it’s not all bad news. Humans can act as both protectors and points of compromise. Albarella recommends investing in regular online and on-site training to help staff recognize potential threats and respond accordingly.
2. Getting Back to Basics
In the decade of databases, patching was priority No. 1. By applying patches to all connected systems, organizations could deliver security at scale to combat potential attacks. Today, the rise of remote workers and third-party providers means there’s no way to ensure all endpoints are equally well-defended, which creates a golden opportunity for hackers.
Here, Albarella recommends getting back to basics. “Don’t focus on what you can’t control or the most remote scenarios. Focus on the doing the rights things with the most impact today,” she says. But what does that look like in practice?
Patch everything — You may not get to every desktop and device, but the broader your updates are, the better your defenses stand to be.
Deploy the right tools — These should include advanced firewalls that can handle both cloud and local traffic and respond automatically to suspicious events.
Implement multi-factor authentication (MFA) — With mobile devices now being an essential part of business operations, MFA can frustrate front-line attackers without negatively affecting staff productivity.
3. Jumping the Generation Gap
Social media has become a driving force for business success. Albarella sees the “social paring of all functions creating another attack surface.” From Facebook to Twitter to LinkedIn to purpose-built, in-house social networks, “Employers must integrate social media — just like the cloud or big data — but they need to defend it.”
This requires policies and procedures capable of jumping the generational gap. While older employees may not understand how to use new tools like TikTok or Instagram, younger staff may not recognize their inherent risks. With social sites now being mined for data by attackers, organizations can’t overlook the need for clear directives and detailed best practices.
For example, it’s worth describing exactly what is permissible both on and off the clock. From posting on corporate accounts to sharing files for collaboration, be clear about your guidelines and the specific consequences for failing to comply with social policies in order to defuse potential attacks before they begin.
4. Developing a Disaster Plan
Finally, Albarella points to the need for resiliency plans that answer key questions, including, “Where’s my data? Who can access it? When? How?” Since pressing cybersecurity concerns are cropping up in real time, organizations need disaster recovery plans that can address the impact of attacks at scale but also focus on specific outcomes, such as recovery time objectives that get local resources back up and running.
Bonus Round: Small Businesses
Big corporate breaches regularly make the news; smaller businesses are often ignored. But as Albarella notes, the majority of cyberattacks are aimed at small businesses. SMBs need procedures in place to notify both staff and compliance agencies of any potential breaches, and they must account for the disparate nature of their networks: How do they secure remote workers? Public Wi-Fi connections? Portable hardware and Google docs?
While the same four data security trends apply, the best-case scenario for small businesses often lies with outsourcing: Finding trusted third parties to improve data defense without breaking budgets.
The last decade saw technology — and attack vectors — advance at breakneck speeds. While the next 10 years will naturally offer their own unique challenges, the trends outlined here will remain foundational elements of 2020 infosec success.