As 2018 ends, it’s crucial to step back and reflect on some cybersecurity realities. Hackers have become more industrious and adept at circumventing the security processes put in place by government cybersecurity teams. Those teams do their best to keep up, but lack of time and tight budgets make it difficult to respond to evolving threats. Meanwhile, the attack surface has broadened due to the number of connected devices and the volume of data flowing through organizations, devices and data that many employees need access to in order to get on with their jobs.
Things are probably only going to get more complicated in 2019, when the issue of trust will be thrust to the forefront of agencies’ cybersecurity challenges. In 2019, more government agencies will be placing trust in cloud providers to protect their data. They’ll also be placing trust in the individuals who access and manage their data, even as the security of personal biometric data comes into question.
Let’s take a closer look at each of these trends and how they’ll impact federal agencies in the new year.
An industrial-sized risk
In 2019, the Internet of Things is going to be among the most challenging areas of security. Recent surveys showed that 81 percent of Forcepoint customers identified an IoT disruption as an important security issue for their organizations, while 76 percent said they were concerned about the security of IoT devices or infrastructure within their companies and supply chains. The risk is growing, too, as more devices get connected and as network connectivity moves further to the edge.
In particular, connected devices within manufacturing environments—i.e., the Industrial Internet of Things (IIoT)—are extremely desirable targets for attackers, as they offer access to the underlying systems of multi-tenanted, multi-customer environments. As control systems evolve, they are patched, maintained, and managed through cloud service providers. Since processor speed is critical to performance for IIoT, it’s more often chosen over security. But many cloud providers simply don’t offer strong enough isolation for a multi-tenant architecture or multi-customer applications, leaving IIoT devices vulnerable.
When such devices are exploited through cloud infrastructure, the result is significant disruptions for governments deploying smart cities and using networks for everything from public transit to disaster management. To protect against this threat, agencies will need to move from visibility to control where their IT and operational technology networks converge.
Save face in 2019
Protecting credentials will remain a challenge in 2019, particularly as biometric and facial recognition software becomes a prime target for hackers. It’s been clear for some time that email addresses, passwords, and personalized questions are no longer sufficient to protect identities online, but even two-factor authentication and biometric authentication may not be enough.
The latter is especially surprising, because it uses unique data such as fingerprints, movements, and iris recognition. Facial recognition especially has gone mainstream thanks to the Apple iPhone X, but even this seemingly secure technology has serious vulnerabilities. In 2016, specialists from the University of North Carolina were able to break into facial recognition systems using publicly available photos from the Internet along with mobile VR technology.
To combat this, federal agencies should use behavioral biometrics, which provide a continuous authentication layer. Behavioral biometrics recognize identifiers such as mouse movement and scroll speed, which are far harder to mimic, and can be paired with facial recognition or other security measures for layered protection.
The bottom line
These aren’t the only risks on the horizon, but they’re two that every government agency should have on its radar. While we’ve outlined some big-picture approaches to patching these security holes, it’s important to note that visibility into the cyber behavior of end users is also crucial to reacting quickly to threats—and to correctly identifying what’s a threat and what’s an employee legitimately trying to get their job done. Such attention to detail could be the difference between secure and insecure cloud infrastructure—and between an agency’s success or failure.
George Kamis is the chief technology officer for global governments and critical infrastructure at Forcepoint, an Austin, Texas-based cybersecurity company.