Security technology experts are viewing cyber defenses with concern as a new year approaches. They say that cyber attacks and data breaches continue to increase in both frequency and intensity, and organizations can expect more of the same in 2019. Here are 10 trends that are putting organizations at greatest risk.
What’s driving the growing investments in data security?
Organizations are increasingly under attack when it comes to their data and systems, whether from outside forces or internal sources. Data security threats seem to be always one step ahead, and most organizations say they don’t feel confident in the ability to prevent cyberattacks. Ian Kilpatrick, executive vice president of cyber security at Nuvias Group, discusses the top 10 trends that will impact cybersecurity in the year ahead.
Increase in crime, espionage and sabotage by rogue nation-states
“With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand,” Kilpatrick writes. “Clearly, most organizations are simply not structured to defend against such attacks, which will succeed in penetrating defenses. Cybersecurity teams will need to rely on breach detection techniques.”
GDPR: Tthe pain still to come
“The 25th of May, 2018 has come and gone, with many organizations breathing a sigh of relief that it was fairly painless,” Kilpatrick says. “They’ve put security processes in progress and can say that they are en route to a secure situation. So everything is OK? We are still awaiting the first big GDPR penalty. When it arrives, organizations are suddenly going to start looking seriously at what they really need to do. Facebook, BA, Cathay Pacific and others have suffered breaches recently, and will have different levels of corporate cost as a result, depending on which side of the May 25th deadline they sit. So GDPR will still have a big impact in 2019.”
Cloud insecurity: It’s your head on the block
“Cloud insecurity grew in 2018 and, unfortunately, it will carry on growing even more in 2019,” according to Kilpatrick. “Increasing amounts of data are being deployed from disparate parts of organizations, with more and more of that data ending up unsecured. Despite the continual publicity around repeated breaches, the majority of organizations do not have good housekeeping deployed and enforced across their whole data estate in the cloud.”
Single factor passwords: The dark ages
“As if we need the repetition, single-factor passwords are one of the simplest possible keys to the kingdom (helped by failure to manage network privileges once breached),” Kilpatrick explains. “Simple passwords are the key tool for attack vectors, from novice hackers right the way up to nation-state players. And yet they still remain the go-to security protection for the majority of organizations, despite the low cost and ease of deployment of multi-factor authentication solutions. Sadly, password theft and password-based breaches will persist as a daily occurrence in 2019.”
Malware: Protect or fail
“Ransomware, cryptomining, banking Trojans and VPN filters are some of the key malware challenges that continue to threaten businesses and consumers,” Kilpatrick says. “Live monitoring by Malwarebytes, Kaspersky and others has shown that the mix of threats varies during the year, but the end result of malware threats will be a bad 2019. Increasing sophistication will be seen in some areas such as ransomware, alongside new malware approaches and increased volumes of malware in other areas.”
Shift in attack vectors will drive cyber hygiene growth
“The ongoing shift of attack vectors, from the network to the user, is causing a reappraisal of how to manage security,” according to Kilpatrick. “Driven partly by the shift in boardroom awareness, and partly by GDPR, many organizations are recognizing, perhaps belatedly, that their users are their weakest link. Not only is there a greater awareness of the insider threat from malicious current and ex-staff, but there is also a growing recognition that staff cyber awareness and training is a crucial step in securing this vulnerable area. The response from organizations will take the form of cyber education, coupled with testing, measuring, and monitoring staff cyber behavior.”
IOT: The challenge will only increase
“We’ve already seen some of the security challenges raised by IoT, but 2019 will significantly demonstrate the upward trend in this area,” Kilpatrick explains. “Driven by the convenience and benefits that IoT can deliver, the technology is being increasingly deployed by many organizations, with minimal thought by many as to the security risks and potential consequences. Because some IoT deployments are well away from the main network areas, they have slipped in under the radar. In the absence of a standard or indeed, a perceived need for security, IoT will continue to be deployed, creating insecurity in areas that were previously secure.”
Increasing risks with shadow IT systems and bad housekeeping
“Shadow IT systems continue to proliferate, as do the number of applications and access points into systems, including legacy applications,” Kilpatrick says. “In the case of shadow IT systems, these are indefensible as they are, and in the case of increasing applications and access points, if they relate to old or abandoned applications, they are difficult to identify and defend. In both cases, these are an easy attack surface with significant oversight, internal politics and budget challenges, and were previously seen as a lower priority for resolution. However, there has been both an increased awareness of the opportunity for attack via this route, and an increase in the number of attacks, which will accelerate in 2019.”
DDoS: Usually unseen, but still a nightmare
“DDoS is the dirty secret for many organizations, and attacks will continue to grow in 2019, alongside the cost of defending against them,” Kilpatrick says. “Nevertheless, DDoS attacks aren’t generally newsworthy, unless a big name organization is involved or the site is down for a long time. And, of course, the victim does not want to draw attention to their lack of defense. That’s not good for customers or for share prices. The cost of launching an attack is comparatively low, often shockingly low, and the rewards are quick–the victim pays for it to go away.”
Cybersecurity in the boardroom
“A decade, perhaps two decades, late for some organizations, cybersecurity is now considered a key business risk by the board,” Kilpatrick notes. “2019 will see this trend accelerate, as boards demand clarity and understanding in an area that was often devolved as a sub-component of the CISO’s role and was not really a major topic for the boardroom. The financial, reputational and indeed C-suite employment risks of cyber breach will continue to drive board focus on cybersecurity up the agenda.”
Date: December 18, 2018