As we look back across 2019, organizations saw a tremendous increase in not only the use of cloud for business, but the valuation of the data and applications hosted in the cloud. According to Oracle and KPMG’s annual Cloud Threat Report for 2019, seven out of 10 respondents indicated they use more business-critical cloud services than in 2018.
Businesses have been utilizing cloud services in their business for years, but only recently have we seen growth in the use of cloud for business-critical data and services. While this is great for organizations that seek to reduce their costs and increase their capabilities for customers and employees, the fast-paced nature of some cloud initiatives is creating unnecessary risk combined with the real-world challenges of today’s business.
With the increase in cyber threats on the one hand, and the use of cloud for mission-critical applications and data storage on the other, I see the following five things playing out in the market this year.
Prediction No. 1: The Increasing frequency of incidents will drive change in the boardroom.
With less than half of global companies sufficiently prepared for a cyberattack, according to PricewaterhouseCooper, business leaders are looking within the boardroom to better understand how cyber-risk, privacy and data protection is becoming a “distributed responsibility” for the c-suite. CEOs now play a central part in ensuring that the entire C-suite is playing a role in reducing risk and ensuring data/privacy protections. No longer is it solely the domain and responsibility of the CISO or the IT department. In fact, more and more businesses are using BISOs (Business Information Security Officers) as a business focused leader with an eye for security and privacy within the line of business.
Prediction No. 2: The top at-risk industries will see a disproportionate frequency in cyber-attacks.
While other industries see more attacks on an annual basis, some industries are less prepared and have higher-value data–which increases their risk. Health care tops out the list, followed by manufacturing, finance, government and utilities. It is expected that the health-care industry will see a 4x increase in ransomware attacks from 2017 to 2020, according to Cybersecurity Ventures. Manufacturing risk is centered on compromised supply chains, while finance is dealing with increased cases of financial fraud and theft. The utilities industry invests less than 0.2 percent of its revenue in cybersecurity, putting the country at risk for infrastructure outages. Some industries are fighting back with increased investments in cyber resiliency programs. The U.S. now spends more on cybersecurity activities ($15 billion) than the overall defense spending of Norway and North Korea combined.
Prediction No. 3: Supply and demand shortages for cybersecurity positions will reach a critical mass.
Oracle predicts there will be nearly 3 million unfilled security positions in 2020, and that number is climbing. Cybersecurity has held the title of zero-percent unemployment since 2011, according to Monster.com, and Oracle sees no change on the horizon. Some markets are ripe with talent, as seen in the D.C. area, where the cyber workforce is three-and-a-half times larger than the rest of the country combined. While this bodes well for the D.C.-based businesses, it also highlights the challenges outside of D.C. One of the many drivers of organizations shifting services to the cloud is to overcome this obvious talent shortfall. Complicating things further, cyber-analysts can earn up to three-and-a-half times more per year as “bug hunters” than as employees working to defend against the flaw. While many will struggle to fill their reqs with qualified staff, others will take advantage of cloud service providers to fill these gaps.
Prediction No. 4: Every employee will be personally attacked in an effort to exploit corporations.
Ninety-one percent of cyberattacks in 2019 used a phishing attack on the front end of the attack chain, according to cybersecurity firm FireEye. Attackers target employees by scouring public career pages to understand reporting structures and roles, and then perform targeted phishing attacks (spear-phishing) to exploit application/data owners or even executive management. Attackers are finding numerous ways to exploit privileged users, and to exploit financial, HR and supply chain systems. This includes theft of credentials directly via cloned business services, or the repurposing of stolen consumer credentials.
Prediction No. 5: Rate of cloud adoption will drive new strategic imperatives to mitigate risk.
In war, you can’t easily defend the sky with ground troops. Same in IT, as cloud defense takes a different approach than on-prem data centers. Most businesses have shifted to cloud with only a bare foundation of security controls, such as identity management, and lack the overlapping layers of security that must be carried into the cloud. According to the Oracle and KPMG Cloud Threat Report, only 10% of organizations are able to collect, analyze and respond to the majority of their security event telemetry. Ninety-three percent are dealing with cloud application use that is not in line with corporate guidelines and policies with regards to sensitive business data.
Security teams are up against hundreds of cloud services that are either free or acquired via a credit card. These can be used to process sensitive business data–without the security and risk teams having any knowledge or awareness of them. This ability to deploy cloud faster than organizations can implement security and risk programs creates a strategic imperative around risk.
These predictions highlight what many organizations will experience in 2020 when they focus only on secure strategies, and do not place more focus on developing a more security-minded culture.
Greg Jensen is a security and risk leader for Oracle Cloud with 25 years of experience in security. He is also the senior editor of the Oracle and KPMG Cloud Threat Report, and a contributing writer for Dark Reading and the Cloud Security Alliance. Jensen is a regular presenter at conferences such as RSA, Oracle OpenWorld and Cloud Security Days. He can be followed on LinkedIn or Twitter: @gregjensen10
