Ian Kilpatrick, executive vice-president of cyber security at the Nuvias Group, has outlined the company’s Top Ten Cyber Security Predictions for 2019. Among them are an increase in crime, espionage and sabotage conducted by rogue Nation States, cloud insecurity, a shift in terms of attack vectors and an increasing challenge in terms of the Internet of Things.
(1) Increase in crime, espionage and sabotage by rogue Nation States
With the ongoing failure of significant national, international or UN-level response and repercussion, Nation State-sponsored espionage, cyber crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cyber security teams will need to rely on breach detection techniques.
(2) General Data Protection Regulation: the pain still to come
The 25 May 2018 has come and gone, with many organisations breathing a sigh of relief that it was fairly painless. They’ve put security processes in progress and can say that they are en route to a secure situation… so everything is OK? We are still awaiting the first big GDPR penalty. When it arrives, organisations are suddenly going to start looking seriously at what they really need to do. Facebook, British Airways and Cathay Pacific, etc have suffered breaches recently, and will have different levels of corporate cost as a result, depending on which side of the 25 May deadline they sit. Undoubtedly, the GDPR will still have a big impact in 2019.
(3) Cloud insecurity: it’s your head on the block
Cloud insecurity grew in 2018 and, unfortunately, it will carry on growing even more in 2019. Increasing amounts of data are being deployed from disparate parts of organisations, with more and more of that data ending up unsecured. Despite the continual publicity around repeated breaches, the majority of organisations don’t have good housekeeping deployed and enforced across their whole data estate in the cloud. To give an idea of the scale, Skyhigh Networks’ research indicated that 7% of S3 buckets are publicly accessible and 35% are unencrypted.
(4) Single-factor passwords: The Dark Ages
As if we need the repetition, single-factor passwords are one of the simplest possible keys to the kingdom (helped by any failure to manage network privileges once breached). Simple passwords are the key tool for attack vectors, from novice hackers right the way up to Nation State players. Yet they still remain the ‘go-to’ security protection for the majority of organisations, despite the low cost and ease of deployment of multi-factor authentication solutions. Sadly, password theft and password-based breaches will persist as a daily occurrence in 2019.
(5) Malware: protect or fail
Ransomware, cryptomining, banking Trojans and VPN filters are some of the key malware challenges that continue to threaten businesses and consumers. Live monitoring by Malwarebytes, Kaspersky Labs and others has shown that the mix of threats varies during the year, but the end result of malware threats will be a bad 2019.
Increasing sophistication will be seen in some areas (such as ransomware) alongside new malware approaches and increased volumes of malware in other areas. Traditional AV will not provide sufficient protection. Solutions that have a direct malware focus are essential for organisations, alongside the tracking of network activity (both in and out of the network). With Cyber Security Ventures predicting that ransomware damage costs will exceed $11.5 billion by 2019, it certainly won’t be going away. Oh yes, and make sure that your back-up plan is working and tested.
(6) Shift in attack vectors will drive cyber hygiene growth
The ongoing shift of attack vectors, from the network to the user, is causing a reappraisal of how to manage security. Driven partly by the shift in Boardroom awareness, and partly by the GDPR, many organisations are recognising, perhaps belatedly, that their users are their weakest link.
Not only is there a greater awareness of the insider threat from malicious current and ex-staff, but there’s also a growing recognition that staff cyber awareness and training is a crucial step in securing this vulnerable area. The response from organisations will take the form of cyber education coupled with testing, measuring and monitoring of staff cyber behaviour. Increasingly, Entity and User Behaviour Analytics systems will be adopted alongside training programmes and automated testing, such as simulated phishing and social engineering attacks.
(7) IoT: the challenge will only increase
We’ve already seen some of the security challenges raised by the Internet of Things (IoT), but 2019 will significantly demonstrate the upward trend in this area. Driven by the convenience and benefits that the IoT can deliver, the technology is being increasingly deployed by many organisations, with minimal thought by many as to the security risks and potential consequences.
Due to the fact that some IoT deployments are well away from the main network areas, thev’ve often slipped in under the radar. In the absence of a standard, or indeed a perceived need for security, the IoT will continue to be deployed, creating insecurity in areas that were previously secure. For the greatest percentage of IoT deployments, it’s incredibly difficult or impossible to back-fit security. This means that any failure to segment on the network will further exacerbate the challenges created by the IoT in 2019 and beyond.
(8) Increasing risks with shadow IT systems and bad housekeeping
Shadow IT systems continue to proliferate, as do the number of applications and access points into systems, including legacy applications. In the case of shadow IT systems, these are indefensible as they are. In the case of increasing applications and access points, if they relate to old or abandoned applications then they are difficult to identify and defend.
In both cases, these are an easy attack surface with significant oversight, internal politics and budget challenges. They were previously seen as a lower priority for resolution. However, there has been both an increased awareness of the opportunity for attack via this route, and an increase in the number of attacks, which will accelerate in 2019.
(9) DDoS: usually unseen, but still a nightmare
DDoS is the dirty secret for many organisations and attacks will continue to grow in 2019, alongside the cost of defending against them. Nevertheless, DDoS attacks are not generally newsworthy unless a big name organisation is involved or the site involved is down for a long time. Of course, the victim doesn’t want to draw attention to their lack of defence. That’s not good for custom or for share prices.
The cost of launching an attack is comparatively low. Indeed, often shockingly low. The rewards are quick – the victim pays for it to go away. Additionally, cryptocurrencies have aided the money transfer in this scenario. Yet the cost for the victim is much higher than the ransom, as it involves system analysis, reconstruction and, naturally, defending against the next attack.
(10) Cyber security in the Boardroom
A decade, perhaps two decades, late for some organisations, cyber security is now considered a key business risk by the Board. 2019 will see this trend accelerate as Boards demand clarity and understanding in an area that was often devolved as a sub-component of the CISO’s role, and was not really a major topic for the Boardroom.
The financial, reputational and indeed C-Suite employment risks of cyber breach will continue to drive Board focus on cyber security upwards on the corporate agenda.