David Ferbrache, chief technology officer in KPMG’s cyber security practice, has highlighted the Top Ten cyber security trends we can expect to see in 2019. Those trends include a lack of consensus when it comes to cyber law, the proliferation of fake news (and the implications of that), privacy driving transparency, the growing risks around supply networks and developments in social engineering.
(1) Coming of cyber warfare
Countries will continue to invest in attack infrastructure as they have over the past few years. The most recent US intelligence worldwide threat assessment suggests that 33 countries now have cyber attack capabilities, which is up from just 14 in 2012. It would seem, then, that cyber forces and commands have become an integral part of any nation’s armed forces, not just their intelligence apparatus.
Sadly, we may see these tools trialled and occasionally used in anger as geopolitical tensions continue to rise, as well as a shift towards open attribution of such attacks as part of the political and diplomatic response to these activities.
(2) Lack of consensus on cyber law
Consensus over international norms of behaviour in cyber space will remain elusive with countries creating more intrusive regulatory and legal frameworks to address cyber security concerns. ‘Balkanisation’ of the Internet will continue and global firms will become increasingly frustrated. The Paris call for trust and security in cyber space was a step in the right direction, but it didn’t win universal support with many countries holding very different views on what constitutes the core of their national cyber security.
(3) Proliferation of ‘fake news’
The battle for cyber space isn’t just about disruption of infrastructure, although that will be a concern for many nations. It’s also about the battle for hearts and minds. We expect to see more attention being paid to ‘fake news’ and to the censorship and removal of inappropriate content, however it’s defined. We will also see more automated targeting of individuals and specific interest groups through social media, whether that be tailored advertising, trolling or spear phishing. The political debates about the appropriateness of such activities will continue into 2019 and beyond, but so will the build out of the tools and infrastructure required to detect and take down such content.
(4) The future is in the clouds
New business models are emerging to exploit the flexibility offered by cloud solutions as firms continue to migrate legacy services while occasionally beginning to question the long-term economics of doing so. Regulators will agonise over the systemic risk that dependency on cloud providers creates while simultaneously recognising the inevitability of that move. Organised crime groups will, however, find creative ways of identifying ill-configured cloud instances and exploit the information and computing power that such access provides.
We can expect to see at least one major cloud security breach.
(5) Ransomware or cryptocurrency mining: the market decides
Cyber crime remains big business: a $600 billion per annum transnational entrepreneurial business, in fact, depending on what you include in the definition. There’s no better illustration than the rise in exploitation of cryptocurrencies over the last two years, with cryptocurrency mining on compromised systems proving more lucrative than the old staple of ransomware for extortion.
Ransomware will not go away, though, and we can expect more tailored attacks, greater attention to the best way of extorting payments from organisations and creative blackmail threats using threatened disclosure of information.
(6) Privacy drives transparency… but many await the first fines
The General Data Protection Regulation arrived last year and triggered a flurry of activity in order for organisations to be compliant. The process resulted in many firms realising that they have more fundamental issues over legacy systems and information architectures which would be both costly and time-consuming to address.
In 2019, firms will have their eyes peeled for the first tranche of regulatory fines and sanctions and then ask themselves just how severe an infraction would need to be to justify the 4% of global turnover maximum fine.
Nonetheless, we can expect to see more transparency around cyber security incidents, but with that also more class action litigation and political demands for action by firms to improve their security.
(7) E-Commerce is in the cross-hairs
2018 brought waves of cyber attacks against e-commerce websites (the so-called ‘Magecart’ attacks). These attacks will continue into 2019 with organised crime increasingly targeting poorly configured and secured websites to collect customer credentials and payment card details. Millions of payment cards will need to be re-issued by banks as a result of these attacks, forcing them to explore alternative fraud controls.
The mobile phone will play an even greater role in our lives as a key authenticator and payment mechanism, but we can expect organised crime to show a growing interest in compromising and intercepting such traffic and the telecommunications companies racing to block attacks.
(8) Supply networks are seen as a growing risk
Security is improving, while endpoints are far more secure than before in terms of operating system robustness, dynamic patching and more sophisticated anti-virus and anti-malware security. A well-managed IT estate can provide a challenge to many attackers, but that means a change in tactics towards growing attacks on the supply chain.
Supplier security has become big business with many firms trying to drive their suppliers to improve security through increasingly demanding contract terms and inspection visits. Firms are looking for new ways to risk score suppliers, whether by monitoring their Internet activities and data breaches or by independent assurance.
Those risk scores are beginning to influence credit ratings and insurance costs as the market begins to price-in cyber risk as part of the overall equation. Expect more supply network breaches in 2019 as the web of corporate dependencies becomes increasingly complex.
(9) Social engineering now more and more creative
Expect more creative social engineering as technical attacks becoming harder. Business e-mail compromise and CEO frauds continue to prove lucrative, and we can expect these cyber-enabled confidence tricks to continue in 2019 at scale through transnational networks of Call Centres demanding international law enforcement collaboration.
We also expect to see more use of data analytics and Artificial Intelligence (AI) by criminals in finding targets for these frauds and running operations efficiently. Countering this threat will require much closer links between the cyber security and fraud communities, but those divisions are disappearing in any event as cyber crime becomes a growing component of fraud.
(10) Agility matters more and more
We will continue to see technology firms working with Governments and broader commerce to take down criminal infrastructure. Security vendors update anti-virus and e-mail block lists more frequently, the dynamic patching of systems closes off vulnerabilities and more and more people use DNS services which offer automated checking against blacklisted domains.
Active defence by Governments has become the order of the day with closer links to telecommunication firms to block and tackle cyber criminals, recognising the insidious nature of low-level cyber crime and its impact on our economy and digital lifestyle.
For thier part, organised criminals have become expert at spinning up new attack infrastructure, obfuscating and modifying attack code and learning to exploit their brief window of advantage to the best effect.
Looking towards the longer term, AI is creeping into many industries and augmenting human decision-making, as well as automating processes and data analysis. With AI comes new challenges over data integrity, the malicious manipulation of algorithms and the complexity of scrutinising decision logic. We can expect organised crime to find some creative ways in which to play AI to their advantage.