A new year brings new threats: Here’s what cyber lawyers and technologists expect to be the big cybersecurity stories of 2020

This article originally appeared in Legaltech News on Jan. 3.

It’s not a secret any longer: The legal profession is a target. More than 100 law firms have reported data breaches, and that’s just the number that have disclosed them in a select number of states. It’s possible—though hopefully not likely—that the actual number of firms that have been breached is measured in the thousands, especially considering the crucial personal and business data law firms hold.

One unique aspect of cybersecurity is that it’s constantly shifting, as hackers try to stay one step ahead of those protecting information. That inherently makes predictions very tough to make. Still, Legaltech News spoke with attorneys and technologists brave enough to try: Here’s what they said to watch for this upcoming year in the security race.

This is the fourth in a six-part series of 2020 predictions from Legaltech News. Earlier this week, we ran experts’ predictions for e-discovery, the CCPA and privacy in 2020. Check back next week for our predictions for artificial intelligence and other innovative technologies in 2020. The quotes below are in alphabetical order by name, and some have been edited for length.

Amanda Fennell, CSO, Relativity: “’The End of a Normal SOC Mentality’: This has been developing for several years that as the adversaries automate, so must we. No longer can we equal out how many alerts translate into how many hours of an analyst’s time. SOAR [security orchestration, automation and response] will play a stronger role in allowing security teams to focus more on the tier two alerts and less on the commodity or automated response alerts.”

Daniel Fortune, partner, Bradley Arant Boult Cummings: “Managed service providers (MSPs) will be targeted more frequently. … All MSPs have contracts with their various companies and, in 2020, companies will give more consideration to the obligations of their MSPs … including increased negotiations of the contractual obligations and cyber insurance. Companies will make the datanappers successfully hack at least two completely separate networks and make sure MSPs are implementing reasonable cybersecurity measures … before considering paying the ransom.”

Deborah Golden, U.S. Cyber Risk Services leader, Deloitte: “Policy and governance on election issues will reach a crisis level. 2020 will bring a need for guidance on how to transcend governance across local, state and federal. Even if we collectively lack resources, together, state and local governments can do basic back-up hygiene and extend cyber awareness training, working off of a stronger probability at federal funding. After 9/11, federal governments were funding local governments directly for Homeland Security protections, so maybe this time around, cyber resilient funding could be triggered.”

Ken Kulawiak, VP, information security and technology, HBR Consulting: “Law firms are extensions of their client organizations, who will therefore continue to push data security and privacy compliance mandates onto firms. Firms will continue to feel this pressure and seek outside expertise in the form of third-party vendors that specialize in delivering technical solutions and reducing overhead and internal burden. This risk transference itself creates another type of risk, related to how well firms will manage their third-party vendors and what oversight measures they will implement to ensure the continued security of the data these third-party vendors maintain or have access to.”

Tibi Popp, co-founder and CTO, Archive360: “IT executives have shared widespread concerns with the current state of SaaS cloud security, data access, control, and privacy. Our recent research shows that nearly two-thirds of organizations are so troubled by these issues that they intend to retire applications that do not provide the level of independent security and control they want. Looking at the data, I expect we’ll see a significant shakeout emerge in the SaaS industry in the coming year. As enterprises apply more stringent and necessary security controls, and optimize their digital transformation projects, SaaS vendors will find themselves under scrutiny.”

Matthew Rhoda, project manager, Innovative Computing Systems: “Despite decades of cinematic cautions regarding the potential unchecked risk of artificial intelligence (AI) computer programs, users continue to integrate newer, smarter versions of AI tools in both private and business life. In September 2019, news surfaced about a breach made possible by AI deepfake voice software which faked a CEO’s voice and ordered a subordinate to transfer $243,000 to the scammer’s account. This type of attack is poised to become one of the leading threats to businesses in the second half of 2020 leading into 2021. Google’s Tacotron project can already synthesize deepfake voices with only five seconds of reference speech. Relative to ransomware attacks, however, AI deepfake voice technology isn’t commonly available today. The key limiter to deepfake voice scams will be the perceived ROI on executing such an attack versus ransomware attacks.”

Dan Roffman, senior managing director, FTI Technology: “Security and privacy will play into every new technology that comes out in the next year. While that is a good thing for consumers and individuals, computer forensic investigators are going to run up against some obstacles in how these changes impact their ability to collect data for investigations. Trusted technologies for preserving digital evidence will need to be revamped and rethought. Companies need to keep this in mind as it will impact what data they can copy from mobile devices, social media sites and a wide array of other sources.”

Mark Sangster, vice president and industry security strategist, eSentire: “Phishing emails related to common industry tools or masquerading as trusted sources will be a common attack vector for stealing credentials and sensitive information. For example, phishing lures unique to the legal industry will use avenues, including cloud services, from vendors such as Adobe … to gain short-term access to personal and/or company credit accounts. Access to personal or organization emails can lead to the theft of sensitive information. It can also aid attackers in crafting more familiar and friendly-looking lures for spear (targeted) phishing. As this trend towards microtargeting continues, organizations need to ensure they have technical controls in place to detect these threats and also ensure they have a robust security education program in place for their employees.”

Aaron Simpson, partner, Hunton Andrews Kurth: “The continued expansion of notification requirements in the context of data breach events beyond the U.S., particularly in the European Union, will cause businesses to take further proactive steps to ensure they are ready to address significant events. This will include both substantive breach readiness steps, such as tabletop exercises and the development of sophisticated incident response plans, and also the continued investment in cyber insurance. These steps have been commonplace in the U.S. for close to a decade, but more and more companies outside of the U.S., and particularly in the EU, will begin to invest more earnestly in cyber-readiness.”

Tomas Suros, chief solutions architect, AbacusNext: “When the [California Consumer Privacy Act] goes into effect on Jan. 1, 2020 (enforcement starting July 1), companies will face a new and substantial risk of litigation after a data breach or data compromise event. Unlike [General Data Protection Regulation], CCPA provides consumers with a private right of action and statutory damages when their personal information is compromised. Without a doubt, we’ll see an increase in data breach class action litigation in 2020. Negative headlines, reputation cost, and the prospective costs of responding to litigation will spur the laggards into action on CCPA compliance and personal data protection programs.”

David Trepp, partner, BPM LLP: “2020 could be remembered as the year deepfakes became a global issue. The already difficult challenge of distinguishing between what’s real and what’s computer-generated is about to get a lot worse. With the aid of AI machine learning algorithms, deepfake voices, images, videos and even mannerisms will further feed the current dystopian inability to discern truth from lies. Deepfakes will be used in attacks of all scales, from invoicing fraud at small companies to global cyberwarfare misinformation campaigns. Constant vigilance and the use of AI to combat deepfakes will sorely challenge both security engineers, and the general public, in 2020.”

Miriam Wugmeister, co-chair of global privacy and data security group, Morrison & Foerster: “I predict we will see an uptick in the number and volume of cyberattacks. Ransomware attacks in particular are likely to increase as paying ransom appears to be spreading and thus bad actors have more incentive to attack. In addition, we will likely see an increase in the number of attacks relating to intellectual property and trade secrets as the trade wars with various countries show little sign of abating.”

Mike Wyatt, principal, Deloitte Cyber: “Cloud service provider (CSP) identity services will start to overtake the use of traditional identity management COTS [commercial off-the-shelf] products. We are seeing significant investment by the CSPs to grow the identity management capabilities beyond managing CSP infrastructure services and towards providing core application identity capabilities. As the center of gravity moves from the data center to cloud, the importance and adoption of these services will skyrocket.”