When setting priorities for the new year, consider incorporating cybersecurity predictions for 2020 into your overall business planning.
Distributors working to differentiate and transform digital processes and services face a growing number of threats from cybercriminals looking to capitalize on pressures to innovate in areas such as artificial intelligence, cloud computing and mobile device optimization.
What’s Trending: More Hackers Are Eyeing the Cloud
Countering the risk starts with knowing the latest threats. Thought leaders in the cybersecurity world are dispatching their forecasts for the new decade, covering budding trends, potential targets and possible solutions. The consensus from Trend Micro, WatchGuard and other leading security firms: The cloud is the new frontier for cybercriminals. Expect to see more ransomware tailored to seize on the platform’s weak points: the troves of stored data and connectivity, the potential for insecure third-party involvement, and users’ proclivity toward configuration errors similar to the one that led to a Capital One data breach involving a misconfigured web application firewall. Thus, say security experts, 2020 will be the year of cloud anxiety, resulting in a bump in information security spending at the corporate level. One other prediction: Thanks to the Marriott International breach, reportedly traced to its acquisition of Starwood Hotels, look for cloud services audits to play a more prominent role in the M&A process, says cloud access security broker (CASB) Bitglass.
What You Can Do
- Enable logging so that IT can keep an eye on server activity and monitor automatic alerts;
- Strengthen credentials by requiring multiple layers for access;
- Restrict access to data/storage, avoiding common missteps such as leaving controls on the “authenticated users” setting, which can expose storage buckets to public access;
- and consider the “cloud smart/cloud dumb” dichotomy coined by cybersecurity company Forcepoint. According to its Chief Security Strategist Duncan Brown, companies will become increasingly savvy in their use of the cloud because the need to innovate demands it — but will lag in cloud safety and security.
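The “authenticated users” misstep above is worth a concrete check. The script below is an added example, not from the article or any vendor it cites: it assumes the setting in question is the Amazon S3 predefined grantee group `AuthenticatedUsers`, which grants access to every AWS account, not just your own, and it reads bucket ACLs in the shape returned by boto3’s `get_bucket_acl()`. The ACLs here are constructed inline so the check runs offline; in practice you would feed it the live response for each bucket.

```python
"""Flag storage-bucket ACL grants that reach beyond the owning account.

Added example; not code from the article. Assumes AWS S3 semantics: a grant
to the AllUsers group is world-readable, and a grant to AuthenticatedUsers
is readable by ANY AWS account holder, which is the misstep the article
warns about. Input mirrors boto3's s3.get_bucket_acl(Bucket=name) response
but is constructed inline here so the script runs without credentials.
"""
from typing import Dict, List

# Real S3 predefined group URIs. Either one on a bucket ACL means the
# bucket is not private to your account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account, not only yours",
}

# Write-capable permissions let an outsider alter data or the ACL itself,
# so they rank above read-only exposure.
CRITICAL_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_exposed_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return one finding per grant made to a global group.

    `acl` has the shape {"Owner": {...}, "Grants": [{"Grantee": {...},
    "Permission": "..."}]}. Grants to canonical users or to specific
    accounts are left alone; only the two global groups are flagged.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri not in PUBLIC_GROUPS:
            continue
        permission = grant.get("Permission", "")
        findings.append({
            "uri": uri,
            "permission": permission,
            "audience": PUBLIC_GROUPS[uri],
            "severity": "critical" if permission in CRITICAL_PERMISSIONS else "high",
        })
    return findings


def is_private(acl: Dict) -> bool:
    """True when no grant reaches a global group."""
    return not find_exposed_grants(acl)


def audit(buckets: Dict[str, Dict]) -> Dict[str, List[Dict[str, str]]]:
    """Map bucket name -> findings, for a batch of fetched ACLs."""
    return {name: find_exposed_grants(acl) for name, acl in buckets.items()}


# Constructed sample ACLs (owner ID is a placeholder, not a real account).
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}

PRIVATE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}

# The misstep from the article: owner keeps control, but the bucket was
# also opened to "authenticated users", i.e. every AWS account.
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Worse still: world-writable.
WRITABLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    sample = {"finance-exports": PRIVATE_ACL,
              "shared-catalog": EXPOSED_ACL,
              "legacy-uploads": WRITABLE_ACL}
    for bucket, findings in audit(sample).items():
        if not findings:
            print(f"{bucket}: private")
            continue
        for f in findings:
            print(f"{bucket}: {f['severity'].upper()} {f['permission']} "
                  f"granted to {f['audience']}")
```

Run it against every bucket in the account on a schedule and treat any `AuthenticatedUsers` or `AllUsers` grant as a finding to close, not a setting to tolerate; if you also want to catch the same exposure granted through bucket policies rather than ACLs, that needs a separate policy-statement check, which this example does not cover.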
Deepfakes Will Lead to More Fraud
After scammers defrauded a U.K.-based energy firm of $243,000 using AI-generated voice software to impersonate a CEO in the spring of 2019, cybersecurity experts believe others will be emboldened to leverage the technology for financial gain and are urging business owners to step up prevention efforts, starting with making sure employees are aware of the risks and how to counter them. Many are predicting that more deepfakes (AI-generated audio or video) will surface in ransomware and vishing schemes. Short for voice phishing, vishing is a form of social engineering that targets unsuspecting victims over the phone in hopes of persuading them to transfer funds or divulge sensitive information.
What You Can Do
- Teach employees how to recognize phishing and vishing scams and stress that the act usually involves a request for account information or passwords;
- establish procedures detailing how to respond to deepfakes;
- institute countermeasures such as a companywide ban on providing passwords and account information over the phone;
- and require multifactor authentication for systems access. In its report, A Simplified Approach to Staying Secure in 2020, WatchGuard predicts that multifactor authentication (MFA) will become the standard for midsize companies due to a spike in malicious acts and data breaches.
A Plan for Managing Risk
Ransomware generates more than $25 million in revenue for hackers each year, according to Business Insider, and Forrester estimates that costs associated with deepfake scams could exceed $250 million in 2020. Conceding that managing the risk can be overwhelming, particularly for companies without an existing cybersecurity strategy, risk management specialist Tom Held often advises taking a big-picture approach to prevention, starting with inventorying devices connected to the network and recording the location of all company data before turning the focus to establishing a plan for how to address the most pressing threats in manageable chunks.
“When you’re evaluating risk, you’re evaluating exposure and part of that is determining how much you have to worry,” says Held, who heads security consulting firm Oakland Group. “During my years as a CTO, part of my role was setting new goals for the year. Ideally, there should be a process in place in your company dedicated to a specific effort in cyber risk management for every month, so every year my team would dig deeper in that area, for that month. For example, we might tackle end-point management (e.g., smartphones, tablets, laptops, etc.) and tighten down controls or safeguards on those devices. The next month, we might address our cloud data assets, refresh that data asset and consider new controls or, if necessary, new policies on cloud data storage (e.g., limiting or not allowing personal Dropbox accounts).”
Groups such as the Payment Card Industry Security Standards Council and the Center for Internet Security (CIS) offer lists of standards/controls that can serve as a good starting point for distributors interested in developing a cybersecurity plan for the new year. To help pinpoint pockets of vulnerability, Held recommends annually reviewing CIS’ list of Top 20 Critical Controls, whether you already have a plan in place or are in the process of developing a new one.
Below is an example of a basic four-month template illustrating how he helps clients begin the process of both sizing up and managing the risk. Based on strengths, weaknesses and the implementation of continuous improvements, the plan should change from year to year.
January: Inventory Your Assets
Maintaining a list of all the devices on your network — and who they belong to — is one of the most basic steps in curtailing cyberattacks, but it also has become one of the most challenging, as the use of mobile devices has grown in popularity and carried the bring your own device (BYOD) movement with it. Seventy-one percent of employees spend more than two hours a week accessing company information on their mobile devices, according to research firm Fierce Mobile IT. This is why mobile app security firm Blue Cedar is predicting that more organizations will invest in controls (like application-specific security, as opposed to only device-level) to support BYOD policies and keep personal and work data unhitched and secure.
There’s also the issue of human nature to contend with, says Held. “Typically, when I ask a client if there have been any recent changes regarding their data or devices, they say nothing has changed. But they’re not thinking about the Dropbox account that was recently opened or the manager who got a new mobile device and occasionally uses it to access sensitive work-related data from different locations.”
What You Can Do
Have IT — or the team of employees you assemble to address cybersecurity — create a questionnaire with a mix of prompts that will help determine the breadth of devices connected to your network. A few examples: “Did you open a Dropbox account?” “Are you storing company files in the cloud and, if so, where?” and “How many thumb drives do you have?”
If supervisors provide oversight and stress the importance of the information in protecting both the company’s and employees’ data and devices, it should take one to two weeks to distribute and collect the forms, says Held. “It also helps to pass along the demand to a higher authority,” he adds. “When you’re in a bank and you say something is required by the FDIC, all the employees understand that because they are there when the audit happens.”
After forms are collected, the remaining two weeks of the month should be spent organizing and prioritizing the information.
February: Catalog Safeguards on Inventoried Items
Control gaps often surface once devices are inventoried and the process turns toward how each one is equipped to deter threats. Take the sales rep who uses a smartphone to access customer data or transmit sensitive information while traveling.
“The device has antivirus on it, but if it has work material on it, you want to protect it against someone gaining access to that data, so what you really need is a password on the phone and possibly encrypted data,” says Held. “The difference between what you have and what you need is a control gap.”
What You Can Do
After cataloging safeguards on inventoried devices, determine whether additional protection is needed, such as mobile device management software for personal smartphones. IT can use it to prevent unapproved software installs, receive alerts if agreed-upon policies are not followed, and minimize the risk of breaches if phones are lost.
March: Implement Safeguards on Devices
Outfitting devices with additional safeguards is a big task and may stretch into a second month, says Held. For companies that already have a change management process in place to ensure that new tech and components are always audited throughout the year (a cybersecurity best practice), another potential area of focus for a month-long review is the cloud. With a majority of predictions pointing toward an increase in cloud-inspired ransomware, and “little missteps leading to big breaches,” taking precautions such as researching your cloud service provider and periodically evaluating services can improve your chances of protecting your data.
What You Can Do
Start with these questions:
- Is your provider outsourcing your data to another location?
- What types of barriers does it have in place to secure your data?
- Are there limits to its data encryption services?
- Is your data encrypted before it’s uploaded to the cloud as well as after it is stored in the cloud?
Cloud service providers can have breaches, too, so it’s important to do your due diligence, says Held.
April: Review Policies and Procedures
It’s not uncommon for companies to feel overwhelmed after going through the process of inventorying their devices and data, particularly after coming to terms with the number of vulnerabilities nestled in their networks. That’s when policy comes into play. Think about what needs to change to make managing the risk easier, says Held. After learning a few employees have work-related files in a Dropbox account, should you open a corporate Dropbox account or consider another option — Sync, pCloud, MEGA, for example — and create a new policy requiring employees to store all work-related files there?
What You Can Do
Develop a cybersecurity team to incorporate employees’ ideas before creating new policies. Document everything — and pace yourself, says Held, who suggests tackling cybersecurity in stages. “Companies often shy away from investing in cybersecurity because they think it’s going to take a lot of time and be a huge expense,” he says. “Taking it one step at a time and focusing on the most pressing risks makes the process more manageable.”