The cyber-risk landscape is constantly facing new threats like botnets and cryptocurrency mining hacks.

Understanding IT security trends is not only important for tackling these new security challenges as they crop up; it’s vital for appropriating sufficient funds to your cybersecurity budget in 2019.

Our research suggests that more companies are investing in security technology solutions to protect their businesses against cyberattacks. Cybercrimes, such as targeted ransomware attacks, spear phishing, and crypto jacking, are expected to increase in 2019, costing businesses billions of dollars in lost revenue, ransom payments, and damage control.

To minimize data breach costs and grow the trust of their customers and business partners, small businesses must understand how the threat landscape, data protection technologies, and security-related regulations are changing.

In 2019, we expect to see IoT risks become more pronounced, investments in cloud data protection and active threat detection technologies to increase, and security to grow in importance as a business function.

In this article, we’ll discuss four IT security trends that small businesses must be cognizant of and the steps they must take to prepare their organizations.

Key IT security predictions for 2019

predictions for IT security in 2019


Investment in cloud data protection technologies will increase substantially

In 2019, small businesses will invest more in securing cloud data using encryption, data loss prevention, authorization, and other similar technologies. Many small businesses will partner with trusted, reliable third-party providers for managing customer data because of their own limited data security expertise.

According to the Gartner report “Predicts 2018: Security Solutions” (full content available to clients), by 2020 more than 60 percent of businesses will invest in multiple data security tools, up from 35 percent in 2017.

Our survey of small and midsize businesses (SMBs) also indicates that 47 percent of small businesses are budgeting for data protection technologies in 2019.

Factors leading to increased cloud data security spending include:

  • Stricter implementation of data protection rules. New regulations, such as the GDPR and California Data Privacy Law, as well as the fear of huge fines expected to be levied on defaulters, will force many small businesses to invest in data protection tools.

    These new regulations provide customers with more direct control over how their data is collected, stored, and used. This will force businesses to invest in the necessary data protection technologies to avoid noncompliance.
  • Majority of data stored in cloud. With most small businesses storing their data on the cloud, securing cloud infrastructure and services will also be critical to ensuring data security. Sixty-two percent of small businesses store customers’ financial data in the cloud, while 54 percent store key medical records on the cloud, often without adequate security controls.

Recommended actions

  1. Adopt data protection technologies. Small businesses must ensure that confidential data stored in the cloud is well-protected using a variety of technologies such as encryption (both at rest and while in transit), multifactor authentication, and access controls. Small businesses using cloud services should also look at investing in cloud access security brokers (CASBs) to improve security of data stored in the cloud.
  2. Have a data backup and recovery plan. Small businesses must not overlook the importance of backing up data regularly. Continuous data backup tools help you store and retrieve your work when needed. You must also invest in disaster recovery and business continuity tools that help you resume work on your backed up data in case of any disasters or natural calamities.
  3. Prepare for regulatory developments in advance. Data protection regulations are continuously evolving with new rules added and the existing ones amended. You must prepare your business to comply with these regulations before the deadline. For example, the California Consumer Privacy Act will go into effect at the start of 2020. You need to understand now whether it applies to you and prepare your business to take necessary steps (such as the ability to delete customer data when requested) to ensure compliance and avoid penalties.

IoT security challenges will continue to grow through 2019 and 2020

In 2019, we expect the number of IoT attacks to increase to 300,000 and to account for more than 30 percent of all cyberattacks.

Fifty-thousand cyberattacks in 2017 targeted IoT devices, an increase of 600 percent from the previous year. The number of IoT-driven malware attacks have already surpassed 121,000 in 2018.

With more unprotected IoT devices connecting to IT networks, we will potentially see more pronounced and larger scale cyberattacks driven by IoT botnets.

IoT devices owners are becoming more aware of the threats posed by unsecured IoT devices. In the next few years, we expect consumers and manufacturers to take steps to implement security controls such as authentication, encryption, and anti-malware in IoT devices.

Factors that help to visualize this trend include:

  • Rapid proliferation of (unprotected) IoT devices. Gartner estimates that more than 20 billion IoT devices will be connected to the internet by 2020. Small businesses connect many unprotected physical objects to their IT networks such as smart locks, smart lighting, HVAC systems, barcode readers, security cameras, and more.

    This poses serious security risks, especially related to hijacked IoT devices that are used to spread malware or create massive distributed denial of service (DDoS) attacks. Yet, 54 percent of users have no security measures (e.g., passwords or encryption) added to their IoT devices.
  • Improvements in IoT security capabilities. Many software vendors are adding advanced features such as analytics and artificial intelligence (AI) to IoT security technologies. They are also including security capabilities to IoT devices while designing or manufacturing them. Other technologies such as network protection, authentication, patch management, and system development mechanisms needed to address IoT security issues are also being improved to meet the emerging security challenges.

Recommended actions

  1. Prepare an IoT security plan. Assess your IoT network and prepare a plan or strategy for securing your IoT systems. You must take into account technology solutions such as smart firewalls and authentication systems as well as standard procedures/processes for installation of connected devices. Shortlist IoT security software vendors that offer solutions that are suitable now, along with upgrade/update plans as their solution evolves.
  2. Incorporate security in the IoT design and implementation phase. IoT devices come in different shapes and sizes and often are difficult to identify because they can be any physical device. You may not think of the fact that a toaster or a lightbulb can pose security risks to your network. Therefore, when planning to install IoT devices, discuss their security features with experts and make necessary provisions such as adding a firewall or anti-malware software right at the stage of design and implementation.
  3. Use software solutions to secure your existing IoT devices. Small businesses must consider using existing security technologies such as advanced antivirus solutions, smart firewalls, privileged access controls, and anti-malware on connected devices. They may also look at investing in IoT security technology solutions with features like device discovery and brute force prevention to secure their IoT and other endpoint devices.

More small businesses will invest in active security measures that help detect threats

“Prevention is better than cure” will be the motto when it comes to security incidents in 2019. Small businesses will invest in active security technologies such as threat detection to respond and mitigate risks in the early stages.

Small businesses with limited IT staff will look at partnering with third-party managed detection and response (MDR) providers that analyze network data to detect anomalies and help respond to threats.

Passive vs. active security

Passive security is the starting point for your security structure and involve the use of technologies such as antivirus, anti-spam, and firewalls to monitor and control the usage of your applications and network.

Active security, on the other hand, detects anomalies in your IT system and responds and prevents cyberattacks before they become full-fledged. It also includes the involvement of expert security professionals who gather intelligence to prevent future attacks by putting adequate defense mechanisms at vulnerable points.

Market conditions driving this trend include:

  • The need to ward off threats before they cause a breach. The average cost of a data breach for a small business in North America is $117,000. Such high costs can put many small businesses out of business.
     
    Small businesses are increasingly adopting active security measures including threat detection services and technologies to reduce the number of security incidents.
  • Growth of threat detection software market. According to Marketsandmarkets, the market for threat detection systems is expected to grow from $48 billion in 2015 to $119 billion by 2022. Gartner expects investments in threat detection and response capabilities to be a key priority of buyers through 2020.

    The shift to detection and response approaches spans people, process and technology elements and will drive a majority of security market growth over the next five years.
    – Sid Deshpande, principal research analyst, Gartner

  • Recommended actions

    1. Adopt active security technologies. Invest in technologies that identify and respond to threats ahead of time, because the cost of reacting to a security breach is much higher—not to mention the business downtime and reputation damage it causes. Security technology products that help improve your active defense mechanism include SIEM, intrusion prevention systems, and security analytics tools. You can also check out threat detection tools that offer AI and machine learning capabilities, though they are still emerging and yet to be widely adopted.
    2. Train your staff/hire skilled security analysts. Active security structure not only involves using technologies but also having trained security personnel actively monitor and train systems to identify threats and mitigate them. You can either upskill some of your own IT team members in threat detection methods or hire qualified professionals, depending on your budget.

    Increased weight given to security posture when shortlisting business partners and M&A targets

    In 2019 and forward, we’ll see businesses seeking stricter security controls from partner firms including suppliers and other intermediaries. Security ratings that are objective indicators of an organization’s security posture, as well as security assessments, will be used by businesses to measure the security capabilities of potential vendors, merger and acquisition (M&A) targets, and immediate clients in the market value chain.

    Market conditions that favor this trend include:

    • Hackers targeting smaller firms to gain access to bigger vendor partners. Small businesses are a juicy target for hackers to get access to their larger business partners and less secured confidential data.

      Here are some infamous big business security breaches that were caused due to inadequate security measures at vendor partners:

      • The breach at retail giant Target happened when a hacker exploited access details of an HVAC contractor associated with the retailer.
      • Confidential information of Lowe’s drivers including SSNs and license numbers were breached when a safety vendor firm unintentionally backed up data to an unsecured internet-facing server.
      • Home Depot’s point-of-sale system was hacked and credit card details of customers stolen by hackers using a third-party vendor’s access details.
    • Emergence and growth of security rating services. The concept of rating the security posture of a business, similar to credit scores rating your financial stability, is growing.

      According to the Gartner report, “Innovation Insight for Security Rating Service” (content available to clients):

      By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships.”

      Gartner further states that over the next six years, cybersecurity ratings will become a mandatory precondition for engaging in business relationships and will even have an impact on the cost of your cyber insurance.

    Recommended actions

    1. Partner with MSSPs if you are unsure about your security strategy. You should seek the services of managed security service providers (MSSPs) if you have implemented limited security measures and are not sure how to improve or assess your security posture. MSSPs are third-party service providers that help to monitor and manage your security functions such as threat monitoring, risk assessments, technology solution deployments, and intrusion management. Choose MSSPs that are reputed and have experience servicing small business clients in your industry.
    2. Conduct regular security assessments and penetration tests. Regular security assessments (conducted by internal teams or external parties) will help you identify new vulnerabilities and address them more quickly. Security assessments and penetration tests provide a complete picture of your business security posture. Learn more about how to conduct a security assessment.
    3. Market your security prowess. When talking with potential clients, showcase your security capabilities to convince them that you can ensure the confidentiality and integrity of their data. You must also be compliant with all major regulations. This helps build trust with the clients and business partners.

    Resolve to improve your security posture in 2019

    Security will be a key issue for all businesses as hackers use new-age technologies such as AI and botnets to target organizations, regardless of their size. Governments across the globe are also introducing stricter data protection and cybersecurity regulations to protect users.

    Small businesses must, therefore, increase their investments in IT security and consider it a strategic business function, whose nonperformance or under-performance could result in the shutting down of the business.

    Businesses must be aware of these IT security trends in 2019 and take necessary action if they want to grow

    Prediction Summary Recommendation
    Cloud data protection to be a key priority Cloud data protection investments will rise driven by the need to maintain regulatory compliance. Invest in data protection technologies like encryption, authentication, CASBs, data backup, and disaster recovery.
    IoT security threats to grow bigger The increase in IoT devices will necessitate improving their security to prevent massive DDoS and malware attacks. Prepare an IoT security plan and invest in IoT security during the implementation phase to reduce costs and complications.
    Adoption of threat detection and response technologies to increase Active security measures that detect and respond to threats early will help reduce costs and prevent cyberattacks. Use security analytics, AI-based threat detection tools, and security experts to improve response time.
    Security to gain prominence as a business function Security will be a key metric considered for business partnerships and acquisitions. Showcase your security prowess through security assessments and partnerships with MSSPs.

    Additional resources to help you stay on top of IT security trends:

    Visit our IT security directory for a complete list of antivirus solutions, anti-spam, cloud security, encryption, and more software products. Read reviews and compare products to make the best purchase decisions.


    Our primary research was conducted online between July and September 2018 among 715 small business leaders in the U.S. Respondents held a position of manager or above, and were screened for their involvement in purchasing decisions regarding technology for their organization. Companies were screened for company size ranging from 2 to 249 employees and revenue less than $100 million.