While many are making their resolutions for the upcoming year, organizations of all types must resolve to increase their cybersecurity and vigilance in the face of new and expanding threats. Here are my top 10 cybersecurity predictions for the new year.

1. Leveraging cybersecurity experts will be a growing necessity

Cybersecurity organizations will become much more involved in risk functions throughout the business, specifically third-party risk management (TPRM). While progressive businesses have had cybersecurity as part of their risk organizations for quite some time, others will elevate these security organizations to have a seat at the executive “risk table.”

In terms of TPRM, the expertise available from cybersecurity experts can greatly expand the visibility into risk profiles of third parties trusted with company and customer information. Whereas general risk has been the focus over the last several years/decades, cyber risk will be elevated to become one of the more prominent focus areas of any progressive business.

2. Organizations will experience more focused DDoS attacks

There will be an increase in Layer 7 DDoS attacks. Attacks of the past have mostly focused on OSI Model Layers 3 and 4 (Network and Transport). Layer 7 (application-targeted) attacks will increase as the sophistication of attackers continues to mature and the impacts of Layer 7 attacks remain much more difficult to mitigate. Additionally, actual compromises or theft of data are more likely to accompany application-targeting attacks, as opposed to those that focus on the infrastructure.
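To make the Layer 3/4 versus Layer 7 distinction concrete, here is an added Python example (not code from the original post) that runs a per-client, per-endpoint rate check over constructed web access-log lines. A Layer 7 flood consists of complete, well-formed HTTP requests that mostly return 200, so packet-rate or SYN-rate counters at Layers 3 and 4 see nothing unusual; the signal is how many requests a single client sends to expensive application endpoints in a short window. The log format, endpoint list, thresholds and addresses are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format style line, e.g.
# 203.0.113.7 - - [10/Jan/2023:00:00:05 +0000] "GET /search?q=x HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed list of endpoints whose handling cost (database queries, search,
# report rendering) is high relative to request size: the usual Layer 7 targets.
EXPENSIVE_PATHS = {"/search", "/api/report", "/login"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return {"ip": m.group("ip"), "ts": ts, "path": path, "status": int(m.group("status"))}


def detect_l7_flood(lines, window=timedelta(seconds=60), max_requests=30):
    """Return {(ip, path): peak_count} for clients that sent more than max_requests
    to one expensive path inside any sliding window of the given length.
    Every request counted here is valid HTTP over a completed TCP handshake,
    which is exactly why a Layer 3/4 view would not separate it from normal use."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in EXPENSIVE_PATHS:
            hits[(rec["ip"], rec["path"])].append(rec["ts"])

    offenders = {}
    for key, stamps in hits.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # advance the window start until all stamps fit within `window`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            offenders[key] = peak
    return offenders


def build_sample_log():
    """Constructed sample input: one client hammers /search 45 times in 30 seconds
    while a normal user makes a handful of mixed requests. Addresses are from
    documentation ranges and do not refer to real hosts."""
    base = datetime(2023, 1, 10, 0, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'
    lines = []
    for i in range(45):
        ts = (base + timedelta(seconds=i * 30 / 45)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, path=f"/search?q={i}", status=200, size=5120))
    normal = ["/", "/static/app.js", "/search?q=invoice", "/account", "/search?q=invoice+2"]
    for i, path in enumerate(normal):
        ts = (base + timedelta(seconds=i * 7)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="198.51.100.5", ts=ts, path=path, status=200, size=2048))
    return lines


if __name__ == "__main__":
    for (ip, path), peak in detect_l7_flood(build_sample_log()).items():
        print(f"possible Layer 7 flood: {ip} sent {peak} requests to {path} within 60s")
```

Run stand-alone, the script flags only the client hitting /search 45 times; the normal user's two searches stay well under the threshold. In production the same per-endpoint counters feed application-layer rate limiting or a WAF rule, which is the mitigation layer that network-level scrubbing cannot provide for this class of attack.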

3. Weaknesses in the supply chain armor will be exploited

There will be noteworthy increases in supply chain attacks. Given the potentially devastating impacts of recent supply chain attacks (such as Solarwinds) and the speed with which these types of attacks propagate, they will become more prevalent in the coming year. While they may be difficult to orchestrate, attackers today have the knowledge, skills, abilities and motivation to develop extremely effective campaigns.

4. Customers (and regulators) will finally say “enough is enough”

Customer/consumer tolerance for privacy-related data breaches will reach a level of “enough is enough.” While breaches and compromises of personal data are commonplace these days, victims are annoyed by the complacency often associated with these events. The costs (financial and emotional) to consumers of recovering from impacts of PII breaches will sway the masses toward an attitude of intolerance. Driven by demands from consumers, regulatory organizations and government legislative entities will increase their scrutiny on breaches involving PII — and the resulting sanctions will become much more severe.

5. Cyber insurance will become table stakes

Breaches are so commonplace now that increased numbers of corporate victims are activating their cyber insurance policies to offset breach costs. Similar to homeowners’ insurance in hurricane-prone coastal areas, cyber insurance premiums will skyrocket, and many insurers will begin cancelling policies or dropping customers completely. Insurers will require much more demanding control structures and protection mechanisms from companies wanting to retain their coverage. Consequently, we will see significant increases in security-to-revenue spending ratios.

6. Security talent will flow to the highest bidder

There will be a shortage of cybersecurity talent. Despite all the training programs in place across the globe to develop cyber talent, there will be tremendous shortages of highly experienced cybersecurity professionals: those with real-world (“I’ve owned the problem”) experience who think in terms of business risk. There will be shortages of those with the skills to successfully manage today’s cyber organizations and provide enterprise-grade value to their organizations. Lucrative incentives for these individuals will make them difficult to hire and retain.

7. Social media will become weaponized

Social media attacks will become much more prevalent and significantly more sophisticated. Social media, in all of its forms, allows us to be connected to everyone all the time. But it also provides a forum that’s inviting to attackers, since so many users are focused more on “connecting with others” than on securing their interactions. Social media sites are already ideal forums for conducting reconnaissance on potential targets. People inherently share too much information, and more information means more opportunities to leverage that data for sophisticated and targeted attacks.

8. Cyber directors will be in high demand

Cybersecurity will become a much more prominent area of focus for boards of directors (BODs) — and future boards will include directors who are cybersecurity and cyber risk experts. Given the risks to companies and board members themselves of inadequate or insufficient cyber controls, boards will scramble to find members who are knowledgeable in these areas and who are skilled at ensuring the board and the company are adequately protected.

9. Virtual wealth will become a real problem

Cryptocurrencies will explode in popularity — for both the good guys and the bad guys. Many organizations that refused to deal with cryptocurrencies in the past are now embracing them as potential avenues of revenue. While no specific cyber threats have currently resulted from this crypto proliferation, it will open the doors for malicious individuals to craft new attack vectors associated with the increased use and acceptance of cryptocurrencies. Technologies and awareness campaigns to instill public trust in cryptocurrencies will become much more prominent in the new year.

10. Everyday people must protect that phone or iPad

Mobile devices will become much more prominent attack targets. Social engineering remains one of the most successful “attack vectors” for malicious individuals, and what better way to deliver an attack than through a device that’s always on, always within reach of its owner and owned by virtually every human on the planet. Recent increases in targeted SMS/text attacks indicate that the bad guys see mobile devices as a lucrative, target-rich environment, and these attacks will grow exponentially over the coming year, especially as many companies are expanding remote work options for their employees.

Download the latest ACI Speedpay Pulse Trend Report to learn more about how today’s consumers view bill payments security. Learn more about accepting bill payments while maintaining compliance with PCI and other security standards.

Chief Information Security Officer at ACI

Gene Scriven is an information protection veteran with almost four decades of information security and data protection experience across a wide spectrum of industries. A proven leader in information security, risk management and compliance, he has driven security for the U.S. Government, the U.S. Intelligence community and multiple global companies. As chief information security officer (CISO) at ACI, he is dedicated to protecting customer and company information around the world. He is also an active advisory board member for the University of Phoenix Cybersecurity and Security Operations (CSO) Institute.