The new year is here! What does the future of cyber security hold for us in 2020? Will it be more of the same? This is the second part of a two-part series discussing what could be making big news in 2020. More government and industry regulation Californians woke up on January 1, 2020 to a new privacy law taking affect in their state. While the new California Consumer Privacy Act (CCPA) doesn’t go as far as GDPR, many larger US companies are reworking their compliance policies across the board, as it may only be a matter of time before the US federal government also comes up with their own privacy law. Canada introduced stronger privacy laws in November 2018, but privacy and security were issues that came up during the 2019 Canadian Election. You can expect that Canada will likely make an update to PIPEDA in the new future. In addition to governments, the financial and communication industries have seen many breaches in 2019, so you can expect there might be more regulation coming to those industries. 2019 saw major breaches at Capital One and Desjardins. The end of 2019 also saw communications regulators in Canada and the US (CRTC and FCC respectively) call out telecom providers for failing to protect consumers from telephone scammers. In 2019, the CRTC mandated that all “nuisance calls” needed to be blocked by December 19, 2019. In addition, telecom providers in Canada have until September 20, 2020 to combat called ID spoofing. US Congress was also working late in 2019 to pass a law banning robocalls. It would allow the FCC to impose fine of up to $10,000 on violators. Ransomware and phishing still to be news Don’t expect ransomware and phishing to go anywhere in 2020. Both of these types of hacks have proved very lucrative for hackers, so why would they stop? Limor Kessem, of IBM Security, predicts that hackers will continue to target smaller organizations that are “easier to anonymize, easier to launder, and [require] less sharing of illicit profits with street gangs that launder bank fraud proceeds,” Kessem also predicts that hackers will not just demand payment for data, but rather demand that if payment is not received, the data will be leaked. As for phishing, in part one of this blog, we talked about AI being used to make attacks more difficult to detect, and also being used as a tool to better detect phishing attempts. As corporate email becomes more secure, mobile devices may also now become a target for phishers. Personal email on mobile devices, social networks, and mobile centric messaging platforms such as secure messaging apps and SMS/MMS are also prone to phishing attacks. As most of us don’t invest in securing our personal mobile devices the same way corporations secure their systems, look for more phishing attempts to come through mobile devices. Focus on cloud by business means hackers will focus on the cloud too In Kaspersky’s security predictions for 2020,, they predict that now that more companies are relying more on cloud services, so to will hackers. Kaspersky predicts: “It will become more difficult for attackers to separate the resources of the targeted company from those of cloud providers. At the same time, it will be much more difficult for companies to detect an attack on their resources in the initial stages.” The reputation of the cloud services providers is at a great risk, as their resources will be used in large-scale malicious activity. To avoid this, cloud services providers will have to consider reviewing their security procedures and change their service policies and infrastructure. It is recommended that those who plan to deploy cloud infrastructure in 2020 need to talk in advance with their cloud provider about their security infrastructure, and what communications plan they have in the event of an incident. Time is of the essence when it comes to security incidents, the quicker a cloud provider can detect a problem and communicate it, the better. It’s very important to discuss what data is logged, and how to back it up. Lack of clarity on such information can lead to complications or even make successful incident investigation impossible. Expect more hackers to attack cloud services providers. Insider threats will grow As larger businesses spend more money on technology to prevent cyber attacks, look to attackers to invest more time in social engineering and the insider threats. As people remain the weak link in security, look for threat actors to try and trick their way into systems. In addition to people unknowingly giving up key information, insiders lured by money or fame will also cause several security breaches. 2019 saw both Capital One and Desjardins breached by insiders. Kaspersky predicts in some cases, attackers will also offer money to insiders for proprietary information. One of the many keys in 2020 to enhancing your organizations cyber security is ensuring your workforce is trained to not fall for social engineering tricks, and also to not be in a situation where they are easily bribed/blackmailed by outside attackers.