Back in April we asked 22 security experts whether we’re winning or losing the war against cybercriminals, and the consensus was almost unanimously negative. Not much has changed since then, and even the growing promise of artificial intelligence as a weapon has been blunted by the reality that criminals have access to the same tools.
With a skilled-worker shortage that’s estimated to range between 1.8 million and 3.5 million people worldwide, security practitioners are fighting with one hand behind their backs. Although many tools are available to help them, the overwhelming number and variety of options presents integration challenges. It’s unlikely that 2019 will see the task of securing enterprise networks become any easier, although attackers may shift their focus toward more governmental and political targets. Prepare for the long, slow struggle to continue.
With that dour premise, here are five predictions for the new year:
A year of consolidation
Formal estimates are hard to come by, but a quick calculation of Crunchbase reports indicates that security startups raised more than $6 billion in financing in 2018. The investment database also lists more than 3,000 companies that list “cybersecurity” in their market category. That’s a lot of choices.
Too many, in fact. IBM Corp. estimates that the average enterprise uses 80 different products from 40 providers. Simply piecing together such a wide range of information from disparate sources is a monumental task, the result being that organizations will tend to underuse all the features that are available to them.
If the late-2018 downturn in the stock market persists, many of these startups will start looking for an escape route. They will have plenty of prospective buyers to talk to, as companies such as Cisco Systems Inc. and IBM are ambitiously expanding their cybersecurity footprint. Although innovation may wane as a result of consolidation, buyers are likely to have fewer integration headaches to contend with.
How others see it
- “Some 53 percent of companies with 1,000 or more employees have deployed three or more disparate endpoint security networks across their network, according to Enterprise Strategy Group Research. This causes lots of waste…. In the coming year, the number of solution providers will decrease as the bigger players add startup technologies into their portfolios to create a broader product offering.” — Rick Grinnell, contributor, CSO Online
- “In 2019, there will be continued consolidation of companies in the security sector, especially for those that have developed technologies that relate to digital identities including on-boarding, authentication and the continual management of privileges and access.” — Todd Shollenbarger, chief global strategist, Veridium Ltd., quoted in Forbes
- “Next year, smaller security players will be snapped up for a variety of reasons [such as] talent, underlying technology and to boost sagging top-lines of legacy security or networking vendors. In addition, some traditional large public security vendors have stagnated due to their legacy on-premises architectures and are ripe for private equity firms gobbling them up.” — Sanjay Beri, founder and CEO of Netskope Inc., quoted in Inc.
Cloud attacks step up
Cloud computing providers have spent the last several years trying to convince customers that they offer world-class security. In 2019 they’ll be tested more than ever to prove that. The quickening migration of businesses of all kinds to the cloud makes those services increasingly attractive targets for bad actors.
Cloud providers will need to steel themselves not only against breaches but denial of service attacks and other activities that disrupt customers. They’ll also need to do a better job of educating customers about taking responsibility for their own data in order to prevent such recent incidents as the embarrassing disclosure of 119,000 documents left on an unprotected server by FedEx Corp. and a similar compromise of 37 million customer records by Panera Bread Co.
How others see it
- “Everyone in the industry is seeing huge migrations to the cloud, but most companies are not doing anywhere near as much work as they need to be doing to protect the cloud the way they used to protect their data centers — and the bad guys know this. There is a reason why roughly 20 percent of the incident responses and breaches we are working involve the cloud. The bad guys go where the money is.” — Steven Booth, chief security officer, FireEye Inc., writing in the company’s annual predictions roundup
- “The ineffective username/password conundrum has plagued consumers and businesses for years. There are many solutions out there – asymmetric cryptography, biometrics, blockchain, hardware solutions, etc. – but so far, the cybersecurity industry has not been able to settle on a standard to fix the problem. In 2019, we will see a more concerted effort to replace passwords altogether.” – Malwarebytes Corp. Labs, writing on the company blog
Economic and political espionage will rise
With trade tensions at their highest level in recent memory and growing global instability, state-sponsored criminals have the potential to do more damage than ever, and a growing cadre of states and political groups is willing to pay for their services. This year saw attackers target municipal infrastructure, airlines, hospitals and even newspaper distribution networks, in most cases with the intent of crippling services rather than stealing personal information.
The upcoming 2020 U.S. election in particular will be a tempting target. About the only positive thing to say is that criminals may be at least temporarily distracted from attacking their more traditional commercial targets.
How others see it
- “Last year, we observed at least five software supply chain compromises, a huge increase over what we had been seeing in the past. The supply chain can offer attackers access to multiple high value targets so that they can capture a wide range of information. Plus, if the threat actor is targeting deep enough in the supply chain, there’s a good chance that they can operate unnoticed.” — Sandra Joyce, head of global intelligence operations, FireEye Inc.
- “Attackers won’t just target AI systems, they will enlist AI techniques themselves to supercharge their own criminal activities. Automated systems powered by AI could probe networks and systems searching for undiscovered vulnerabilities [and] make phishing and other social engineering attacks even more sophisticated by creating extremely realistic video and audio or well-crafted emails designed to fool targeted individuals. AI could also be used to launch realistic disinformation campaigns. For example, imagine a fake AI-created, realistic video of a company CEO announcing a large financial loss, a major security breach, or other major news.” — Hugh Thompson, chief technology officer, and Steve Trilling, general manager of security analytics and research, Symantec Corp., writing on the company blog
- “Bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, or to check infected environments before deploying later stages and avoiding detection. Such implementation is game changing in the threat landscape.” — McAfee Labs, in McAfee Inc.’s 2019 Threats Predictions Report
The year of privacy legislation
Europe’s General Data Protection Regulation was just the beginning. The year just ending was dominated by revelations of privacy lapses or abuses by web giants and a growing sense of alarm among consumers about how their personal information is being used. Dozens of countries have introduced new privacy laws or tightened existing rules, and the state of California introduced privacy legislation that mirrors many of the provisions of GDPR. There’s plenty more to come on this story, and don’t be surprised to see privacy become an issue in the 2020 elections.
The good news is that companies that take a proactive and protective approach to privacy may find their policies to be a source of competitive advantage. Regulations provide an opportunity for organizations to invest in cleaning up their data stores, improving efficiency and reducing risk in the process. Those that can innovate new ways to personalize customer relationships without violating laws can steal a march on their lagging competitors.
How others see it
- “The initial work phase of complying with GDPR was for organizations to look at how they controlled data placement and privacy. Now, organizations will look to monetize that GDPR data in some way. The opportunity in 2019 is to aggregate the models, semantics and reporting of GDPR data and efforts and develop as a revenue source.” — Jack Norris, senior vice president of data and applications, MapR Technologies Inc.
- “Consumers will slowly but increasingly follow companies that take a leadership position around data privacy and care. The backlash is here and companies that take a leadership position will see economic advantage over those that do not.” — Laurent Bride, chief technology officer, Talend SA
- “Whether affected by GDPR or not (most are), companies should be looking to it as a framework, it’s a good starting point for those building out their processes.” — Adrian Moir, senior consultant, product management, Quest Software Inc.
- “Any U.S. privacy law is as likely to push back on the GDPR as to be inspired by it. Privacy reform in the U.S. would therefore be more about taking the opportunity to create a counterweight model to the GDPR. On the other hand, getting it wrong in the U.S. could trigger more political backlash in Europe and greater problems for U.S. industry outside the country.” — Laura Sallstrom, head of global public policy, Access Partnership
- “Enterprises will increasingly adopt a ‘privacy first’ approach to data management.” — Don Foster, senior director of worldwide solutions marketing, Commvault Systems Inc.
- “While we’re almost certain to see upticks in legislative and regulatory actions to address security and privacy needs, there is a potential for some requirements to prove more counterproductive than helpful. For example, overly broad regulations might prohibit security companies from sharing even generic information in their efforts to identify and counter attacks. If poorly conceived, security and privacy regulations could create new vulnerabilities even as they close others.” – Thompson and Trilling, Symantec
Blockchain: Wait till next year
The promise of blockchain is tantalizing. Here’s an anonymous, distributed, encrypted and tamper-proof mechanism for validating data that can be used for everything from securing disk storage to powering stock exchanges. But a decade after its 2008 introduction, blockchain’s adoption has been frustrated by scalability problems, complexity and lack of understanding about its applications. That hasn’t stopped blockchain startups from raising billions in venture capital and even inventing their own funding mechanism called initial coin offerings.
Still, as we reported last month, the structural barriers to widespread adoption will take time to come down. This technology will break out at some point, but 2019 won’t be the year.
How others see it
- “Blockchain will slowly gain greater enterprise adoption but only after it distinguishes itself from the negative reputation of cryptocurrencies.” — Sri Raghavan, director of data science and advanced analytics product marketing, Teradata Corp.
- “Blockchain communities and open-source communities will see their lines blurred as the two become synonymous with one another. Open-source has garnered massive interest because of its ability to deliver security through transparency. Decentralization shares that same principle of transparency. A platform cannot be decentralized if it is proprietary, as the organization that owns the software code ultimately becomes the central point of failure.” — Ben Golub, executive chairman, Storj Labs Inc., quoted in Forbes
- “The term ‘blockchain’ has an entire set of issues which are believed to be one of the causes for its slow adoption. A lot of researchers believe another term should replace it, and this will likely be ‘distributed ledger technology.’ DLT is a more neutral term, which will separate this technology from crypto, ICOs and everything else that investors and developers find untrustworthy.” — Ali Raza, Global Coin Report