2020 is when cybersecurity gets even weirder, so get ready

AI-powered deepfakes, ransomware, IoT, and 5G all mean that protecting your data is about to get a lot harder.

Security is going to get weirder in 2020
4:37

If you thought cybersecurity was a challenging and often weird part of the tech industry, be prepared for it to get even odder.

The next couple of years will bring a new range of threats that will take tech security far beyond its traditional boundaries and will require a whole new set of skills and alliances. 

One example: tech analyst Forrester predicts that deepfakes could end up costing businesses a lot of money next year: as much as $250m. 

SEE: 10 tips for new cybersecurity pros (free PDF)    

That might happen in a couple of ways. There's the risk to your share price if someone creates a deepfake of your CEO apparently resigning from the company. 

Alternatively, a convincing deepfake of a celebrity well known for using your products seemingly being rude about your brand could easily hurt sales if it spreads widely.

But there's also the risk that deepfakes could be added to the toolkits used by phishing gangs.

There have already been a few cases of crooks using AI tools to fake the voices of CEOs to trick workers into transferring money to their accounts. The next step would be to create a convincing video of an executive asking for an emergency funds transfer. 

If employees are regularly tricked into handing money over to fraudsters on the strength of a bogus email (and they still are), imagine how easy it would be to be fooled by a deepfaked video chat with the CEO instead?  

The continued expansion of the Internet of Things will greatly increase the number of devices and applications that security teams will have to protect. That's hard for teams that have been used to protecting just PCs and servers and now have to worry about everything from smart air-conditioning units or vending machines in the canteen, right through to power plants and industrial machinery. 

Half the battle for tech is likely to be just finding the stuff other parts of the business have accidentally connected to the web without realising it. The gradual rise of 5G, which also brings a new set of threats, is going to make this a bigger problem because these devices might be spread across a vast geography.

As a result, tech teams may well find themselves spending less time at their desks and more time up ladders and poking around and playing find-the-unsecured-device than they are used to.

Ransomware is likely to get odder, too. This year has shown just how much effort criminal gangs are willing to put into catching out large organisations. The aim now is to score a huge payday by encrypting whole networks, not just a few PCs. 

But we're already seeing the emergence of a new trend. Rather than just pocketing the ransom, crooks may now start copying sensitive corporate data to sell it or extort even more money from companies that don't want their secrets exposed on the internet.

The security threats are weird and getting weirder: phoney CEOs, mysterious gadgets that you can't see but could be giving hackers easy access to your networks, and crooks looking to extort you for access to your own data. 

That's not even including the random threat of state-backed hackers who might want to attack your organisation as part of a bigger project that you've got little chance of comprehending. 

So how does tech deal with all of this? It's a big leap from deploying antivirus to battling deepfakes and it demands a new approach.

SEE: Training algorithms to recognize deep fakes

However, it's also important to remember that most security risks are still far more mundane: the weak password that the CFO hasn't changed; the software patch that should have been deployed months ago; and that badly configured cloud database. These are the things that need to be brought under control.

But then it's wise to think about these more esoteric risks, and to discuss them across the organisation. Understand the risks better and add them to your crisis response plan. Have a scenario for how to respond to a ransomware crisis, and at least an idea about what to do when that problematic deepfake goes viral.

That strategy will go beyond tech to marketing or public relations, and even HR. Having that written down will save you hours or days that you don't have when responding to a crisis. You can't build a firewall against all future threats, but if you've thought about them and planned in advance, you'll have a much better chance of coping with them. 

ZDNET'S MONDAY MORNING OPENER

The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.