As 2018 winds down, we’re starting to look ahead to 2019 and the changes, developments, and trends the coming year will bring to the cyber security industry. To help you prepare for 2019, we recently sat down to talk to six Barracuda executives, each with their own perspective and predictions about what next year has in store and what businesses need to be aware of to stay secure.
Government and security companies will improve regulation in 2019
BJ Jenkins, President & CEO, Barracuda Networks
A big trend I think will come into play over the next year is government and security companies starting to work together to improve regulations to protect companies and individuals. Time after time, organizations have shown they cannot be trusted with users’ data because it is not secured properly and ends up available to be exploited easily by attackers.
GDPR went into effect in the EU earlier this year, and I believe other countries will follow suit in 2019. California is starting to explore regulations similar to GDPR, and it’s just a question of whether regulations will come at the state level or federal level. Email-borne attacks on individuals will increase in the coming year and this will continue to put increasing pressure on social networks and other platforms, as individuals attempt to gain more control over the information available about them online. The response has to include better articulation and a choice upfront about what an individual chooses to expose.
Governments will begin to regulate exactly how many personal details organizations can request from individuals, reducing the risk of attacks such as account takeover by cutting back on the amount of data being collected.
Automation will improve security awareness training in 2019
Dennis Dillman, VP, Product Management – PhishLine, Barracuda Networks
In 2019, I believe we’ll see security awareness training solutions evolve to provide further automation. This will go beyond making it possible for customers to download everything they need for a single campaign. Organizations need to build a comprehensive security awareness program that addresses the most important security topics your users need to deal with, using campaigns that are tightly correlated and build on each other as part of a well-designed program.
Automation would make that easy, allowing program administrators to simply select a complete program from a library after indicating the type of program and number of campaigns they want, and then everything would be automatically set up and scheduled for the year. Ultimately, this will make it possible for organizations to get their annual security awareness program taken care of in a meaningful, well thought-out way and will allow administrators to focus more on using the data from the results of the campaigns to build a risk profile of the organization.
SD-WAN and device recognition in the network
Klaus Gheri, Vice President & General Manager Network Security, Barracuda Networks
Migration to the cloud has become a megatrend. This has led to new requirements in terms of securing services and the required infrastructure. In particular, star-shaped WAN topologies with central Internet access must be redesigned with regard to their compatibility with increasing use of cloud services — keyword SD-WAN.
The Internet of Things and Industry 4.0 also open up new areas of attack. Companies should increasingly think about device recognition in the network in order to segment out smart devices accordingly.
Even if it is a truism, e-mail remains the primary gateway for malware. Users can now protect themselves much better against this with intelligent email security products. There is still a lot of catching up to do here. Therefore, all necessary security technologies should always be preceded by a well-founded education of the employees. Companies must develop a comprehensive security awareness program that addresses the most important security issues. The solutions will continue to evolve towards automation in 2019.
Cyber security skills gap will reach a tipping point in 2019
Michael Flouton, VP, Product Ops and Security Strategy, Barracuda Networks
While it’s long been known that the cyber security industry has a significant skills gap problem, what’s lesser known is that this gap is also increasing. In October 2018, (ISC)2 revealed that the global cyber skills gap now stands at three million, with 63 percent of businesses lacking the cyber skills to actually keep threats at bay.
The balance between the resource, skills and expertise of the ‘good guys’ who are fighting attacks and the ‘bad guys’ who are launching the attacks in the first place is a very delicate one.
In 2019, get ready for a skills gap tipping point. As cyber attackers’ tactics become ever more sophisticated and, more importantly, harder to spot, they are needing ever more hours of the good guys’ time to identify and stop.
A recent example of a new style attack that takes way more work to detect, investigate and clean up is the account takeover incidents that we’ve observed. They involve attackers stealing the email credentials of employees and using them to send emails from the user's real account. Because the attackers cover their tracks, for example by deleting sent emails, often the only way people know they’ve been breached is when they get mysterious out-of-office responses.
Added to this, many organisations are finding it harder and harder to recruit and retain cyber specialists to help them keep the bad guys at bay. Which means they’re relying on fewer people with the skills and expertise needed to protect their organisation. These decreasing human resources will come to a head in 2019, where I predict that organisations will stop being able to keep up with investigating these ‘stealth’ cyber attacks.
Account takeover will get more personalized in 2019
Asaf Cidon, VP Email Security, Barracuda Networks
Account takeover is one of the biggest threat vectors in the cybersecurity industry today. More and more organizations are getting hit, and the attacks are getting more and more targeted. Attackers are moving away from the relatively standard phishing email, as they are finding that strategically targeting business executive accounts is much more lucrative.
In 2019, the level of personalization in these attacks will reach new heights. Specific tactics that are beginning to gain traction include:
- An attacker will know when an executive is on a flight and won’t be on email that day, and will choose that time frame to target one of their subordinates by impersonating the executive.
- An attacker will know that their target is going to make a big purchase, so they will jump in right before the transaction takes place to redirect the funds or change the order information.
These are just a few examples of how attackers will up the ante by making account takeovers and email attacks so personalized that even the most savvy of targets can be fooled.
In that vein, a big problem in cybersecurity that will grow even bigger is that of identity — how do we know if someone is really who they say they are? This challenge will be exacerbated as more organizations continue to move to the cloud and remote logins become more common.
Attackers will get better at avoiding detection in the public cloud
Tim Jefferson, VP, Public Cloud, Barracuda Networks
The public cloud market is maturing, and we expect to see a huge appetite for cloud security in 2019. Businesses aren’t just experimenting with the public cloud anymore, and now that more customers have critical infrastructure and workloads on platforms like AWS and Microsoft Azure, they’re realizing they need purpose-built cloud security solutions to help them protect workloads moving to these platforms.
As workload migration accelerates to the public cloud, security risk professionals will need to get more actively involved in their DevOps team’s processes, so they can automate the application of governance and compliance controls. It’s not about dictating what tools the team uses, but verifying that controls are being met and helping the builders build securely. After all, configuration errors can be easy to make as people try to use new cloud services they might not fully understand. That’s why I expect to see more teams embracing automation to continuously monitor cloud security and remediate problems automatically.
Providing these types of automated cloud security controls will be more important than ever in the year ahead because cyber criminals are getting better at finding compromised credentials or access keys and exploiting them. In fact, Gartner predicts that by 2020, 80 percent of cloud breaches will be due to customer misconfiguration, mismanaged credentials, or insider theft, not cloud provider vulnerabilities. Cyber criminals will also get more clever at using compromised accounts in ways that will be difficult to detect. Instead of using a massive amount of new resources for cryptomining, which causes a noticeable spike in usage, they’re starting to use already-approved resources and stealing some cycles from those instead, which is easier to hide. I expect to see more attacks like that in 2019.
Anne Campbell is the public relations manager for Barracuda. She's been with the organization since 2014, working on content and public relations for Barracuda MSP, the MSP-dedicated business unit of Barracuda. She started her career in newspaper and magazine journalism, and she brings that editorial point of view to the work she does, using it to help craft compelling stories.