I don’t need a crystal ball to predict that in 2020 cybersecurity attacks will accelerate and the tactics will evolve. We’ll continue to be hounded by greater volumes of the attacks that have threatened us for years and, as businesses adopt new innovations, new vulnerabilities to threats will surface.
You and your security team will be what stands between the threats and the data that’s most valuable to your business. But you won’t be alone. Imperva’s team of cybersecurity experts can arm you with the technologies, strategies, and insights that will help your business stay secure as it grows.
Our team benefits from a frontline view of the threats that plague businesses across all industries and all stages of growth. Our global research team, Imperva Labs, captures the world’s constantly changing threat landscape and measures the risks consistently over time.
Taking full advantage of our team’s expertise and mining insights from our global customer base, I’ve curated this list of the cybersecurity trends we expect to see in the coming year. These are my top five trends to prepare for in 2020:
Cloud Transformation Will Accelerate
Most mid-sized to large enterprises have already moved some of their infrastructure, data, and workloads into the cloud for better agility and efficiency. Nearly three-quarters of businesses are running a hybrid and/or multi-cloud strategy today, according to Forrester Research.
Cloud migrations are often part of larger corporate digital transformations that include the adoption of DevOps strategies, microservices, APIs, containers, and more. Security is rarely the driver — though it may be the most important passenger. To make cloud transformations as efficient and successful as possible, companies must remain secure and compliant throughout.
We learned some hard lessons about securing cloud migration last year. In August, Imperva discovered a security incident that stemmed from unauthorized use of an administrative API key in one of our production AWS accounts. This led to an exposure of a database snapshot containing emails and hashed & salted passwords.
Our investigation led us back to our own adoption of cloud technologies and migration to AWS Relational Database Service (RDS). Some key decisions made during the AWS evaluation process, taken together, allowed information to be exfiltrated from a database snapshot.
I blogged about the incident when we discovered it in August of 2019, and again in October of 2019, once our investigation was complete. I’m proud that our incident response was swift and transparent, and I believe that our investigation reveals insights that any organization can learn from.
Businesses Will Adopt Zero Trust
Zero trust is a concept that was introduced back in 2010 by the analyst firm Forrester, in collaboration with the National Institute of Standards and Technology (NIST). It is based on a framework of strict access controls that do not trust anyone by default, even those already inside the network perimeter.
According to a 2018 IDG Security Priorities Survey, “Seventy-one percent of security-focused IT decision-makers are aware of the zero trust model, and eight percent are already actively using it in their organizations, while another ten percent are piloting it. Thus, we’re still in the early stages of the hype cycle with adoption expected to rise even further in the years to come.”
In 2020, I believe that when we talk about data security, we’ll also talk about zero trust. Outdated, perimeter-based security defenses generally trusted insiders with (limited) access to enterprise data and focused on protecting the network perimeter from outsiders. Today, the perimeter is porous and indefensible. Zero trust offers a model that aligns with the contemporary IT landscape, where the distinction between insider and outsider is largely irrelevant.
Automated Attacks Will Increase
Automated attacks are a problem for every business with an online presence. Every website, mobile app, and the APIs that power them are attacked by bots around the clock.
According to Imperva’s 2019 Bad Bot Report, only 57.8 percent of web traffic comes from actual humans—the rest comes from bots. While some bots are welcomed by businesses (such as search engines) others are nefarious and dangerous. Bad bots comprise 21.8 percent of all web traffic today and are only expected to increase in 2020.
Companies in every industry are attacked by bad bots, but e-commerce companies are especially hard hit. That’s why we developed the first industry-specific report into e-commerce bots. In it, we analyzed 16.4 billion requests from 231 domains internationally to discover key findings such as:
- 30.8 percent of traffic to e-commerce sites are bots
- 17.7 percent of traffic to e-commerce sites comes from bad bots
- 23.5 percent of those bad bots are classified as sophisticated
To learn more about how to protect e-commerce businesses from bad-bot tactics such as price scraping, sneaker bots, grinch bots, and gift card stuffing, you can read the report, “How Bots Affect E-commerce,” here.
Non-Compliance Will Become Costly
The regulatory landscape is evolving, and with it, so are new compliance requirements. While the steps to achieving compliance can be resource and time-intensive, the cost of non-compliance is growing.
The annual cost of non-compliance to businesses now runs “an average of $14.8 million, a 45 percent increase since 2011,” according to the Ponemon Institute. “The cost of compliance, on the other hand, was found to average $5.5 million, up 43 percent from 2011.”
In 2020, businesses will incorporate security into software development lifecycles (SDLC) and continuous integration-continuous deployment (CICD) processes to reduce risk and make security more cost effective and scalable. With fully automated approaches, compliance will become more rapid and less expensive.
This will be especially true in the financial services industry (FSI), where traditional financial firms are rapidly becoming fin-tech firms. Customer expectations are being redefined by modern banking offerings from Google, Apple, and Amazon Pay. At the same time, regulations are becoming more complex and non-compliance penalties are steep. Consider the following penalties on organizations and executives:
- SOX Non-Compliance: SOX section 906 outlines penalties for certifying a misleading or fraudulent financial report. Under SOX 906, penalties can be much as $5M in fines and 20 years in prison.
- PCI DSS Non-Compliance: Payment card providers can levy fines ranging from $5,000 to $500,000 for non-compliance.
- EU GDPR Non-Compliance: Financial fines of up to 4 percent of annual worldwide revenue.
The new compliance standards FSIs are managing as they develop new offerings is pushing the industry to innovate. Quickly.
Businesses Will Buy Down Risk With Defense-in-Depth
As organizations embrace new digital transformation initiatives, they must grapple with conflicting requirements for speed, convenience, security, and risk.
According to the Marsh-Microsoft 2019 Global Cyber Risk Perception Survey, “twenty-three percent of organizations say that for most new technologies, the risk outweighs potential business benefits… And 79 percent of survey respondents ranked cyber risk as one of their top five business concerns.”
Fortunately, Imperva security experts have helped many businesses mitigate risk with defense-in-depth frameworks that buy-down risk in an ever-changing environment. We’ve developed five best practices that will help organizations buy-down risk including:
- Ensure executive alignment
- Secure applications at the edge
- Secure your applications by default
- Gain actionable insights
- Embrace automation and DevSecOps
To learn more about each of the best practices and how to implement them, read “Best Practices in Buying Down Risk.”
I recently co-hosted a webinar with Imperva CMO David Gee that delved deeper into these cybersecurity trends. In it, we spoke about the security threats and technologies that we’re preparing to tackle in 2020. You can watch it here.
We’ll also be blogging about the trends I discussed here throughout the end of the year. To follow the 2020 Trends blog series, subscribe to the Imperva blog here.
From all of us at Imperva, we wish you merry holidays and a happy (and secure) new year.