CDOs have a lot on their plates. In 2020, they can expect security to play a big role as they continue to drive the digital vision of their companies.
Many see this as the job of the CISO. But in the new year, they will need to start beefing up their knowledge and know how as threat actors become more sophisticated and new emerging technologies expose new vulnerabilities.
Below are some areas that CDOs need to be aware of in the next 12 months.
It’s a Plane…
Drones are considered mainstream business tools and are used from surveillance and delivery to agriculture and mining.
In 2020, we will see hackers trying to find out what drones know, said Lavi Lazarovitz, group research manager at CyberArk. This information can be vital for intelligence gathering, government control, corporate espionage, and more. It also means CDOs need to consider a security framework when introducing devices like drones from the onset.
“Organizations need to consider who has the ability to control the drone’s activities, what information the drone is storing, how access to that information is being managed and monitored, and ultimately who owns responsibility for securing it,” Lazarovitz explained.
Ransomware grows up
You cannot deny the devastating impact ransomware has had on corporate security. It is also creating a market of its own.
“On the dark web, ransomware is fueling the rise of a burgeoning market that makes it quick and easy for cybercriminals to gain remote access to corporate systems,” said Ravi Rajendran, vice president and managing director of Asia South Region at Veritas.
It will only get worse in 2020. Rajendran noted that threat actors will widen their attacks to include outside contractors, freelancers, partners, and approved vendors. This makes it a CDO problem as many are involved in building "frictionless" business infrastructures.
“Very soon, data responsibility won’t just be for internal consumption." – Ravi Rajendran, Veritas
Governments are offering some help. In Singapore, the high-level Public Sector Data Security Review Committee (PSDSRC) recommended the annual publication of policies and standards for personal data protection to improve transparency.
It makes personal data protection a CDO responsibility. “Very soon, data responsibility won’t just be for internal consumption. It will be how organizations do business and choose who they work with,” said Rajendran, who lauded the government move.
CDOs also need to care about how well their organization restores backup data. “What we are seeing is interest in restore success, and especially restore speed,” said Dave Russell, vice president for enterprise strategy at Veeam.
Why? The reason is that companies need to be prepared to restore 100% of their data quickly during a ransomware attack. In the past, a typical company only restored 2-3% of their backup data.
CyberArk’s Lazarovitz saw a “butterfly effect” with ransomware, impacting every environment that CDOs work in.
“Wanting access to a greater diversity of systems, including cloud environments and containers, we’ll begin to see innovation in ransomware that focuses more on Linux to take broader advantage of digital transformation trends,” he forecasted.
Cyber insurance will see a boom as companies look to mitigate financial loss. But Lazarovitz noted that this may play into the hands of threat actors.
“Attackers will target organizations with cyber insurance because of the high likelihood of getting paid. This is because insurance companies weighing the cost benefits of a payout will often choose to do so if the cost of the ransom is less than the cost of downtime needed to rebuild a network,” he explained.
Meanwhile, legacy technology will be back in fashion as ransomware creators attack backup data to increase the chances of being paid. Veeam’s Russell already see legacy tapes being used to store backup data as they are “portable, air-gapped and ejectable.”
Biometrics bubble bursts
2019 was the year biometric authentication became ubiquitous. Consumers are getting comfortable with using face scans and thumbprints for purchases and accessing data. But there is a catch.
“While it's true that biometric authentication is more secure than traditional, key-based authentication methods, attackers typically aren't after fingerprints, facial data, or retinal scans. Today, they want the access that lies behind secure authentication methods,” Lazarovitz commented.
For CDOs, this reframes authentication into their problem. For example, if a threat actor can steal the network authentication token, all bets are off.
“Today, [biometric attackers] want the access that lies behind secure authentication methods." – Lavi Lazarovitz, CyberArk
“That token, if compromised by attackers, can allow them to blaze a trail across the network, potentially gaining administrative access and privileged credentials to accomplish their goals – all while masquerading as a legitimate, authenticated employee,” Lazarovitz added.
Quantum decryption and 5G hacks
CDOs may be looking forward to a quantum computing reality, but threat actors may be the ones celebrating first. It is because quantum computing will make many of our current encryption techniques obsolete, making current encrypted data vulnerable.
It is the reason why industry observers predict that there will be an increase in encrypted data theft in the new year. “2020 will see increases in encrypted communications and encrypted data stolen by hackers as they stockpile information waiting for the tools to unlock it. So, in effect, quantum breaches will have already happened, long before the computing power comes to fruition,” said Rana Gupta, APAC vice president for cloud protection and licensing activity at Thales.
The new year will also see large-scale 5G deployments. “However, in their rush to beat the competition, security will be an afterthought as opposed to being a forethought. The end result will see 2020 as a record-breaking year for cyberattacks on connected devices and recognition for privacy and security regulations at the federal level,” said Gupta.
CDOs will need to increase their scrutiny over how their development teams handle data, as they start to insource development, build a DevOps team or drive innovation within their companies. “You need to be constantly scrubbing or using data masking on personally identifiable information," Veeam’s Russell said. He added that such processes may sometimes slow down data access but CDOs need to balance rapid innovation with data security.
"Security becomes everyone’s responsibility." – Dave Russell, Veeam
The shift toward faster and more agile development may also unearth hidden vulnerabilities. For example, Russell argued that the shift toward an agile methodology for development means “we lose some of the institutional learning or best practices that have been hardened over multiple decades.”
“Then, having the right Scrum Masters becomes critical,” said Russell. But, as CDOs know, finding them is a neverending struggle.
Everyone is a CISO
These trends make security a CDO responsibility, especially from 2020 onwards.
“It is like building a house. You can get contractors who will get subcontractors. But the person who is ultimately impacted by the decisions is the owner. So, security becomes everyone’s responsibility. It may not be in your title or your job description, but if you have anything to do with the data, it is in your purview,” said Veeam’s Russell.
Photo credit: iStockphoto/DEPROS