---
title: "Top 5 Cybersecurity Predictions for 2019"
description: "How the economy, kubernetes vulnerabilities, and consumer complacency could equal more regulation."
authors:
  - name: "Jenny O'Brien"
    url: "https://auth0.com/blog/authors/jenny-o'brien/"
date: "Jan 7, 2019"
category: "Identity & Security,Security,Vulnerabilities"
tags: ["cybersecurity", "trends", "kubernetes", "info-sec", "information-security", "gdpr", "privacy", "cybercrime", "regulation", "data"]
url: "https://auth0.com/blog/top-5-cybersecurity-predictions-for-2019/"
---

# Top 5 Cybersecurity Predictions for 2019



Some argue that the [_number of reported data breaches in 2018_](https://www.forbes.com/sites/kateoflahertyuk/2018/12/19/breaking-down-five-2018-breaches-and-what-they-mean-for-security-in-2019/#735992841c4f) is the result of [_GDPR_](https://auth0.com/gdpr/)’s requirements. Still, the cascade of recent breach reports suggests that 2019 might be a tough year for cybersecurity. I asked our [_CISO/VP of Operations Joan Pepin_](https://www.linkedin.com/in/joanpepin/) and [_Security & Engineering Operations Director Duncan Godfrey_](https://twitter.com/duncangodfrey) about what we might expect.


![Reduced Security Spend Will Lead to Economically Motivated Cybercrime](https://images.ctfassets.net/23aumh6u8s0i/45sm4mVBhnx0sbpZGkzhUg/fd99c7aaa6f3e407989cca122cc6ddd7/reduced-security-spending)

## 1. Reduced Security Spend Will Lead to Economically Motivated Cybercrime

[_Economic indicators in the US and globally do not look good_](https://www.theguardian.com/business/2018/sep/13/recession-2020-financial-crisis-nouriel-roubini), with tech companies having borne the brunt of recent market corrections, says Auth0 CISO/VP of Operations Joan Pepin. “I predict that 2019 will be a difficult year for security funding, and companies across the spectrum will freeze or reduce Information Security spending. An increase in economic hardship and a reduced defensive posture will therefore probably lead to more economically motivated cybercrime in 2019.”

![Information Warfare Around the Globe](https://images.ctfassets.net/23aumh6u8s0i/1Cug9bge9KqWfBDXABTtkq/80a2b903b524834e70397a3a4489972e/information-warfare-around-the-world)

## 2. Information Warfare to Target U.S. Companies, Specifically Defense and Communications

“[_We may be entering a new cold war with China_](https://www.washingtonpost.com/opinions/the-us-and-china-are-on-the-brink-of-cold-war-20-this-is-how-to-avoid-it/2018/11/29/24105fb6-f409-11e8-aeea-b85fd44449f5_story.html), as the trade war continues, now inflamed by actions taken against Huawei by Canada and the US,” says Joan. “I expect this to lead to increased cyber activity by the already rather active Chinese government, which may expand its operations to include more Russian-style disinformation and [_information warfare_](https://auth0.com/blog/information-warfare-offensive/). Look for major U.S. companies, especially large defense and communications providers to be the targets of this activity in 2019.”

![Kubernetes Vulnerabilities Lead to the Year of the Big Container Escape](https://images.ctfassets.net/23aumh6u8s0i/PNPKw8C7NEczARd71Ypg4/e46d0c07b0a306f2093ad3605ee4339e/kubernetes-vulnerabilities)

## 3. Kubernetes Vulnerabilities Lead to the Year of the ‘Big Container Escape’

When [_ZDNet reported a major security vulnerability with Kubernetes containers_](https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/) early in December 2018, they noted that “[_Kubernetes_](https://kubernetes.io/) has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered.”

That nothing in software is perfect is accepted news for devs and enterprises, but it’s also becoming an accepted thing for consumers (see prediction #4).

The Kubernetes privilege escalation flaw is a big deal, but it’s only the latest in the system’s [_discovered flaws_](https://www.twistlock.com/labs-blog/deep-dive-severe-kubernetes-vulnerability-date-cve-2017-1002101/), says Auth0 Security & Engineering Operations Director Duncan Godfrey. “Continued vulnerabilities to be found in Kubernetes infrastructure and the big one in 2019 is the Year of the Container Escape.”

![Cybercrime Accepted as Cost of Doing Business by Consumers](https://images.ctfassets.net/23aumh6u8s0i/foaom10ipH3jQBufHbbSc/c38ec328a63d0cc4ad50eb0a20639441/cybercrime-accepted-as-cost-of-doing-business)

## 4. Cybercrime Accepted as ‘Cost of Doing Business’ by Consumers

Despite multiple open investigations into [_Facebook’s series of breaches and sharing of personal data with other corporations without users’ permission_](https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html), Joan doesn’t predict a permanent impact for the company — because consumers are reacting more like businesses (and Facebook’s attorneys will do their jobs).

Joan offered an example from her years as an outsourced security provider for an incident response company for Fortune 100 and Fortune 500 companies.

A major investment bank was having a massive issue with being DoSed and having its public-facing servers breached. While on a conference call with all their vendors, including Cisco and Checkpoint, and 30 bank vice presidents, the bank’s CTO said he had one question: “Is this happening to anybody else?”

Before Joan answered, she asked if he was going to divert the team to answer the question and, if the answer was “yes,” what he planned to do differently. He said if the answer was “yes,” he would “feel better” — a prime example of an enterprise settling into the cost of doing business online (although whether or not he needed to accept that particular cost could be debated).

“Having your identity stolen is horrifying for the individual, but my observation is that it’s perceived differently when lots of people are affected. After a breach, people don’t change their habits. People still shop at Target, stay at Marriott, and share information on Facebook. I’m not a psychologist or neuroscientist, but these facts lead me to believe that the trend of consumers accepting cybercrime as a cost of being online will continue into 2019.”

Because companies are not economically motivated to change and consumers may not feel empowered (let’s face it, [_the tiny payout from a class-action lawsuit_](https://www.consumerreports.org/data-theft/class-action-lawsuits-against-marriott-data-breach/) won’t pay for the damage and heartache of having your identity stolen), Joan expects regulators to step in, which leads us to Prediction #5.

![Expect More Data Privacy Regulation in 2019](https://images.ctfassets.net/23aumh6u8s0i/3rJMQ4kQiwVdRbwXuyouCj/dac8b3d32b2c2c2e3cba383fd02dba10/more-data-privacy-regulation)

## 5. Expect More Data Privacy Regulation

Shortly after the [_Marriott Mega Breach_](https://auth0.com/blog/marriot-starwood-data-breach-5-steps-to-protect-your-data/), the [_UK, the FBI, and three U.S. states opened investigations_](https://www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million-hack-came-after-a-string-of-security-breaches/#13788844546f). The Marriott stock dip identified in many news stories parallels that of the U.S. stock market, says Joan. Fines can function as a partial deterrent, but investigation and regulation move at a much slower pace than the agile tech lifecycle — the business consequence often lags far behind the technological changes needed.

GDPR is delivering an increase in reported breaches, but not clearly within the regulation’s [_72-hour breach-reporting requirements_](https://www.cnbc.com/2018/10/02/facebooks-muddy-account-breach-response-could-be-the-new-norm.html), and recent regulation in Australia demonstrates more than a sync problem — the way that [_Australia’s new backdoor requirements_](https://www.wired.com/story/australia-encryption-law-global-impact/) are written cripples tech’s ability to function securely, says Joan. [_Recent U.S. Senate hearings_](https://thehill.com/policy/technology/420838-google-ceo-responds-to-steve-king-concerns-about-granddaughters-iphone) demonstrate that many of the legislators in charge of regulating tech require greater understanding and education.

The answer, says Joan, would be for the tech industry to have greater input into educating those in charge of the regulations, followed by rational debate, and empowered law enforcement.

Regardless of whether or not the tech industry can influence these ideal conditions, [_all signs suggest we should expect greater regulation in the U.S. in 2019_](https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/12/03/the-cybersecurity-202-senators-call-for-data-breach-penalties-tougher-privacy-laws-after-marriott-hack/5c0436431b326b60d12800d2/?utm_term=.e0c757791fde).

