Jon Fielding (managing director for EMEA at Apricorn), Sam Humphries (senior product marketing manager for global markets and compliance with Rapid7), Deral Heiland (Internet of Things research lead at Rapid7) and Jose Miguel Esparza (head of threat intelligence at Blueliv) have all voiced detailed and thought-provoking opinions on their security predictions for 2019.
“Whatever the future holds in terms of new and advancing technologies,” said Fielding, “the questions we need to answer are the same: what are the security implications and how do we manage them? Everyone has a view on this, but the overarching response should always be to revert to basic security Best Practice.”
Fielding continued: “The biggest threats to enterprise data assets are the same ones we were worried about last year and even a decade ago. Ultimately, our goals remain unchanged: data protection, compliance, breach avoidance and – in the worst-case scenario – incident response and remediation.”
He added: “Many security breaches are still down to something as simple as choosing a weak password, using non-encrypted portable devices/hardware, clicking on a link from an untrusted source, a lack of software and systems updates or poor employee education. To avoid putting data at risk and to ensure compliance next year, and indeed every year, organisations must create user-friendly policies and procedures and build a maximum level of education and awareness, in turn ensuring that sensitive and valuable data remains encrypted at all times.”
Offering a further perspective or two on security in the New Year, Sam Humphries observed: “2019 will see the General Data Protection Regulation (GDPR) really cut its teeth, both from a fining perspective and from a court case point of view. Supervisory authorities such as the Information Commissioner’s Office, who have the power to audit, investigate and fine organisations for non-compliance, have already begun issuing fines and enforcement notices under the GDPR, and we expect to see this activity increase significantly during next year. There’s a strong likelihood that we’ll see a maximum fine (20 million Euros or 4% of total revenue, whichever is the greater) dealt to an organisation, given some of the investigations that are currently ongoing.”
The Internet of Things in focus
Deral Heiland has been focusing his attentions on the Internet of Things (IoT). “With the ever-growing influx of new IoT products, I expect we will see an increase in physical injuries directly related to the IoT enablement of devices. These devices, on their own, have a risk of physical injury, but with remote and voice-enabled functions they become potentially more dangerous.”
Heiland also outlined: “With the number of IoT technologies in the workplace beginning to outnumber conventional IT assets, there’s an ever-increasing probability that these devices will be used as entry points by malicious actors to further compromise corporations for data breaches. In 2019, expect to see this become a reality and news of several breaches directly tied to installed IoT technology.”
Continuing this theme, Jose Miguel Esparza explained: “Gartner predicts that, by 2020, there will be over 20 billion connected devices and many of them remain currently comparatively easy to compromise. Indeed, the growth in devices will very likely mirror the growth in IoT-based malware and has already been evidenced in recent years by the likes of Mirai, IoTroop/Reaper and, more recently, Sharebot attacking routers. Simply put, the pace of innovation and deployment of network-connected systems has outstripped the necessary safeguarding measures. Even more worrying is the fact that it’s often very difficult to retrofit cyber security to some of these IoT devices. It’s fair to say that risk will remain at a high level in 2019.”
GDPR and ‘ransom-hacking’
Barely a week goes by without another breach reported, and while the GDPR is already in force, both companies and regulators have been testing the waters regarding its implementation. Jose Miguel Esparza said: “Last year, we predicted the rise of a phenomenon which has recently been named ‘ransom-hacking.’ In the event of a breach, it has been suggested that some companies would rather pay a ransom to the cyber criminals to recover their data, rather than admit the attack to the regulator and be hit with a penalty. We expect that 2019 will see both heavier implementation of the regulation and a rise in ransom-hacking as well.”
Cyber security is finally receiving the attention it deserves in the Boardroom. Major attacks on the likes of Facebook and British Airways (to name just two) have made international headlines, encouraging members of the C-Suite to start asking questions of their own security posture.
Meanwhile, the threat of GDPR non-compliance has added an extra fear factor. The potential financial, reputational and business costs mean that 2019 will see CEOs, CFOs and legal breaking down silos within companies and assessing how integral cyber security is to their business strategy.
From the other direction, CIOs, CISOs and CTOs will encourage both their peers and the rest of the company to understand the importance of a robust security posture.
Barrier to entry much lower than before
The barrier to entry for cyber criminals is lower than it has ever been before. Launching an attack on an enterprise is no longer the preserve of the seasoned hacker, nor is it difficult to access the tools needed to commit cyber crime. For example, Agent Tesla is openly sold as Malware-as-a-Service directly from its ‘official’ website for prices ranging between $9 and $15 per month, depending on the length of the subscription, and with the advantage of receiving updates and 24/7 support. It remains a popular choice among cyber criminals due to its price and availability, but according to Jose Miguel Esparza, it’s likely that access to malicious programs will be even easier next year.
Cyber criminals are constantly evolving their techniques to exploit the enterprise, developing new methods to attack and exfiltrate data. However, older unpatched vulnerabilities continue to be exploited to devastating effect. For example, old drivers that are not patched enable certain strains of malware to escape sandbox detection, providing an entry point to attackers that might not have been considered by the usual threat detection methods.
Advanced Persistent Threats and targeted attacks continue to rocket
To date, there has been a failure at the international level to respond to organised crime and clearly state-sponsored cyber attacks. Many enterprises and institutions have demonstrated an inability to defend against such attacks, and Blueliv therefore expects to witness a continued uplift in them, along with increased technical sophistication, as APTs grow in both confidence and scope.
In addition, targeted attacks that are not the work of nation states, carried out by groups such as Cobalt Gang or Anunak/Carbanak, are also likely to increase.