Cybercrime in 2020 and beyond: preparing for a more insecure world

Predicting the future business environment is arguably about as easy as guessing the content of US President Donald Trump’s next Tweet. But nearly all companies are in agreement on one thing: cybercrime is here to stay and its threat is only likely to intensify which will have significant ramifications for corporate reputations and senior decision-makers.

If we start to speculate about future cyber threats, by 2020 the most likely scenario is that businesses will face a much tougher environment, where cybercrime is the norm and incidents, such as the global WannaCry ransomware attack in May, do not cause shockwaves.

A key driver behind this increased threat is that 20.4 billion connected ‘things’ (devices or other touch points) will be in use worldwide in 2020, up 143% from 2017, according to research by Gartner.

That this proliferation in devices, including smart phones, voice activated home-hubs, watches, TVs, and fitness trackers, will be exploited by cyber criminals to collect more information to extort money from organisations or employees is not surprising.

But it is possible to go beyond this to make three predictions about why the business environment will be less secure in 2020:  the impact of predictive technology; the ‘internet of things’ (IoT); and the use of voice data and emotional and fitness sensors to increase data security threats.

Predictive analytics technology is already becoming scarily accurate in identifying when, where and how a person will undertake a specific action and the growth in artificial intelligence capabilites will only take this to new levels, delivering yet more valuable data to criminals.

IoT could leave companies open to attack from a far wider variety of touch points. For instance, the US retail chain Target’s systems were attacked by a criminal who gained access via a refrigeration and air conditioning supplier in 2014. This entrenchment of IoT in daily lives could easily lead to ransomware demands and hackers being able to open a company’s doors or starting up vehicles in its carpark.

By 2020 wearable devices will focus far more on a person’s real-time emotional state than simple cardiovascular metrics which could lead to criminals targeting individuals with data about emotion, either directly or via their insurance companies, for example. While Apple, for example, is putting in anonymous identifiers and encryption for its HomePod, this could still have serious implications for senior corporate decision makers if their data is hacked.

If, as expected, the next few years bring even greater data insecurity, then it is possible that by 2020 individuals may have the default assumption that data on the internet is just not secure.

The key question is what can companies do today to prepare for this future world? There are three areas to consider.

First, boards and decision makers need to get a better grip of the issue and be able to demonstrate professionalism to investors and customers. Companies should make cyber threats a standing item at board level. They need to understand what is at risk – what are their data assets actually are  and how to secure them.  The arrival of GDPR next year makes some of this a regulatory necessity but it needs to be cultural too.

Another key requirement will be to regularly map out their customers, staff and suppliers to identify any weak points.  In tandem, businesses will have to think what data they have that would really generate interest if it was leaked or hacked.

This will require a broad-based team inputting into how cyber risk is managed not just by IT but also legal, HR and communications and cyber experts.

It is also be critical for companies to understand and account for the human element, notably by providing crisis and simulation training that will help to educate staff, customers and suppliers.

Second, companies should consider communicating clearly the steps being taken. Much like Corporate Social Responsibility several years ago, by 2020 listed companies will be expected to publicly say how they are handing data and demonstrate that they are taking appropriate steps, such as levels of encryption and handling data appropriately.

Third, businesses will need to be ready to react quickly in the event of a crisis that hits external audiences. The first few hours are critical – the speed of response is essential, so firms do not leave a vacuum but also avoid saying anything they don’t know unless it is 100% accurate.

If a data security breach does occur, companies need to know their stakeholders and legal obligations – such as who is a priority to communicate with among customers, regulators, investors or other stakeholders.

Ultimately, this matters because companies that fail to demonstrate they are taking the right steps on cyber security will lose brand value, be punished by investors and may in extreme cases lose their license to operate.

Now is the time for companies to reconsider all aspects of their data security strategy, as it is a safe prediction that hackers and criminals are already plotting more sophisticated attacks.

The International Fraud Group Panel Discussion from Mishcon de Reya.