2017 will bring “year of creative cyber criminality and determined Government responses”

Privacy will dominate the corporate agenda in 2017. That’s the considered opinion of David Ferbrache, technical director in KPMG’s cyber security practice, who explained to Risk UK: “The European Union General Data Protection Regulation (GDPR) is less than 18 months away. Privacy has suddenly made it to the top of the corporate agenda, and not just in Europe. The GDPR tilts the scales in the direction of the European citizen, requiring explicit consent to process, store and transfer their personal information. Data breaches suddenly become more transparent with strict notification requirements and the potential for punitive fines of up to 4% of a company’s global turnover for the most serious events.”

According to Ferbrache, ‘Balkanisation of the Internet’ will gather pace. “More and more countries are regulating cyber space, often with conflicting and contrary approaches. Firms are struggling to keep up with restrictions on how data can be handled, what nations expect in the way of compliance and the limitations on cross-border transfers. Suddenly, Big Data seems less attractive without the metadata to ensure that legal and policy obligations around data handling can be respected. Data-centric security has never mattered more.”

Countries find themselves cyber targets and become more aggressive in defending their cyber space. “The Mirai botnet has shown just how damaging Distributed Denial of Service attacks can become,” stated Ferbrache. “We saw the largest-ever attacks in the autumn. Attacks of this scale risk destabilising the Internet and the infrastructure which supports it. Active defence has moved up Government agendas as countries work with telecommunication firms to provide more robust national defences against alleged state attacks and organised cyber crime, in turn heralding a new relationship between Government agencies and commerce. Takedowns and blocking operations aimed at cyber criminals will become more frequent and more rapid.”

Cyber crime is now becoming industrialised. On this point, Ferbrache explained: “Cyber crime has been big business for many years, but 2017 will see an industrialisation of cyber crime exploiting cheap labour and increasingly sophisticated tools for bespoke attacks. CEO frauds and business e-mail compromises will continue to dominate the landscape, but with increasingly sophisticated targeting of firms and their employees by criminals who scour social media for intelligence. Ransomware continues to make criminals money, and will become smarter and more targeted as the year progresses, supported by a crime-as-a-service underground economy.”

Looking for the weak points

Attackers are looking for the weak points within international financial systems. “The well-publicised Bank of Bangladesh attack has come and gone,” asserted Ferbrache. “Attackers are looking for weak points in our interconnected financial systems exploiting the trust between institutions to find ways to transfer funds and cash out. International financial institutions will try to raise the bar on bank security worldwide, but attackers will look for new targets, shifting their focus towards e-retail and new payment channels using Advanced Persistent Threat-style tactics. Cyber criminals are undoubtedly becoming ‘savvier’ about how they make their money.”

As far as Ferbrache is concerned, cloud security is now coming of age. “Cloud services have finally grown up and have recognised the need to provide clients with the functionality they require to implement effective security and compliance solutions. A well-managed cloud environment can offer levels of security and resilience which many organisations would struggle to replicate on an internal basis. Even in regulated industries, ‘cloud as the first choice’ has become the mantra.”

Executives are demanding certainty, sometimes where there is none. “Cyber security programs have been well-established in the big corporates,” observed Ferbrache. “Executives are now holding their CISOs to account to explain what has been achieved by their investments, occasionally demanding unreasonable degrees of certainty. Suddenly, the challenge has become all about what money buys you when it comes to reducing the impact and, ideally, the likelihood of a cyber breach. Exactly where does cyber insurance figure in that decision calculus? Boards of Directors are realising that making sure the basics are right absolutely matters, but it must be said that so does being ready to respond to an increasingly inevitable cyber breach.”

Breaking down the barriers

Ferbrache feels there’s a need to break down the barriers in 2017. “More and more firms will realise that their internal stovepipes are not helping to tackle cyber crime. Fraud control and cyber security still seem poles apart. One deals with criminals, customers and money, the other with attackers, computers and data, but they’re the same in our digital world. Realisation arrives that, ultimately, it’s all about protecting the business. Cyber criminals are just another competitor. They’re ruthless and rational entrepreneurs in their own right.”

What about the ‘Internet of Insecure Things’? “We carry on ‘networking’ our world and being surprised about just how basic the security around some of the available devices really is,” said Ferbrache. “Expect 2017 to bring more and more examples of misconfigured devices, default passwords, obsolescent operating systems and ‘out of sight’ devices that people just don’t think of as being computers. While some of the cyber attacks perpetrated will be amusing and quirky, 2017 will bring a few examples which make us realise just how dependent our modern world has become on hidden computers.”

Will passwords be a thing of the past? Ferbrache believes so. “This year will hopefully be the year that blind reliance on passwords ends. The security community and the business community alike are starting to realise that they need a more sophisticated approach for authenticating people and their actions. It will be an approach which uses multi-factor authentication including biometrics, behavioural analysis and contextual information to make judgements on whether the user really is who they say they are and just how risky their attempted transaction really is.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.