It’s that time of year again when we look back on the year past and contemplate the year ahead. 2017 has been another year of massive data breaches and this trend is not set to slow down in 2018 and beyond. Looking forward to the year ahead we see a variety of trends and predictions forecast by security experts. Here are 7 top security predictions for 2018 from around the web.
#1 Ransomware & Cyber-Extortion Continues
Global ransomware damage costs are predicted to exceed $5 billion by the end of this year according to Cybersecurity Ventures. Compare this to just two years ago, when it was $325 million. Cybercrime is not going away anytime soon, and it continues to be a lucrative avenue until companies and individuals have their security in place and refuse to pay the extortionists.
According to Cisco in its 2017 Cybersecurity Annual Report, ransomware is growing at a staggering annual rate of 350%. Criminals will continue to follow the money as long as companies and individuals give in to their demands. Old vulnerabilities will continue to be exploited as companies still need to master the basics of security hygiene.
Hackers will continue to target end-users with more sophisticated phishing and targeted malware to penetrate unpatched environments by leveraging known vulnerabilities.
Regardless of whether it is a case of too many client privileges, lack of resources, or operational priorities, this is sure to continue until organizations get the security basics right.
#2 Fake Social Media “News” on the Rise
Fake news will continue to run rampant and fake social media will be the next “guerrilla marketing tactic” according to Beyond Trust. Further to the use of fake news in hacktivism, foreign and domestic lobbying and politics, criminals will be exploiting “fake news” for commercial gain. Media organizations and retailers have been frequent targets of planted fake news stories. Due to the wide reach and viral nature of social media, fake news originators know that if they plant an interesting story, it will be shared regardless of whether or not it’s factual.
Criminals can and will profit from using fake news to influence decisions, such as stock purchases using pump and dump schemes. In addition, more entities are expected to use social media to hack and influence public opinion for political and commercial marketing and crowdsourcing purposes.
#3 GDPR Means Big Changes to Data Handling Processes
The General Data Protection Regulation (GDPR) is a huge change to consumer data privacy regulation and will impact companies worldwide in their approach to, and handling of, private data. The regulation, which will be enforced from 25 May 2018, is “designed to harmonize data privacy laws across Europe to protect and empower all EU citizens data privacy”. The EU has given organizations over 2 years after GDPR passed into law (27th April 2016) to become GDPR compliant.
GDPR applies to any company that collects or processes data on a person based in any one of the 28 European Union Member Countries, and compliance requires the implementation and documentation of a variety of security controls. There will be major changes to security processes in the wake of the GDPR.
Regardless of where a business is headquartered, the GDPR applies to all companies that offer goods or services to, or process and hold personal data of EU citizens. It also applies to organizations that monitor the behavior of EU citizens.
Doing business with any of the following 28 EU countries?
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK.
If yes, then GDPR regulation applies to you.
Despite the 2-year transition phase, it is expected that many U.S. companies subject to the GDPR will not be ready for the May 25 compliance deadline. For some, it has been put in the “too hard” basket. Others don’t feel it necessary to take any action because they believe they are not directly impacted. Companies are vulnerable to fines if there is a breach or if EU citizens file complaints.
Companies should demonstrate and document good-faith efforts to comply with the regulation or face potentially massive penalties and be subject to class action lawsuits from countries and people in the event of a data breach.
The penalty for non-compliance following a data breach is the greater of “a fine up to 20,000,000 EUR ($23.7 million US Dollars) or up to 4% of the annual worldwide turnover of the preceding financial year.”
Regardless of whether GDPR impacts your company directly, the GDPR will certainly change the way companies approach data privacy and there will be an expectation that companies are quick to detect, respond to and mitigate breaches.
The GDPR gives companies 3 days from a breach occurring to notify the relevant representatives in the corresponding country, and they are then expected to immediately provide details as to which citizens’ data were impacted by the breach.
Compare this short window imposed by the new rules to how companies have handled breaches to date, where it often takes months to investigate and get to the bottom of a breach. The new regulation will completely change the way that companies and security teams handle data, and redefine internal and external security processes when it comes to breach detection, investigation, and reporting.
With significant financial and reputation losses at stake, companies will likely change their data handling and security processes and may also hire Data Privacy Officers (DPOs) to manage crises and be the public face of the company in the event of a breach.
#4 Security Focus & Spend Shifts to Detect and Respond
With the near daily reports of data breaches, organizations are beginning to accept the inevitable and realize that it is not a matter of if a breach will occur, but when. While security spend has traditionally focused on prevention, security budgets are expected to shift from entirely preventing breaches to quickly detecting them once they have occurred and limiting the impact of the breaches.
This change in focus to breach detection and response will be largely driven by the impending roll-out of the General Data Protection Regulation, which has strict time frames for notification of and response to breaches and imposes heavy fines for non-compliance.
In addition to this, companies are also aware that inadequate responses and actions to mitigate and remediate data and privacy breaches are a major cause of reputation damage and public distrust.
#5 Rise in Biometrics and Multi-Factor Authentication Adoption
In 2017, most hacking-related breaches involved stolen or weak credentials. This being the case, it is expected that there will be a move from traditional passwords to two-factor authentication techniques and further to Multi-Factor Authentication (MFA), involving biometric solutions for business and consumers.
Biometric authentication is now commonplace as a form of identification and access control. Look no further than your iPhone or Android device, which you can unlock using facial scans, fingerprint readers, and voice control. To safeguard systems and access, businesses and enterprises will move their security beyond two-factor authentication to Multi-Factor Authentication (MFA).
With the continued growth of SaaS and smartphones and improvements in the accuracy and reliability of a variety of biometrics that can make authentication of third parties safer and more convenient, MFA implementation and adoption will increase.
For consumers, Apple’s iPhone Face ID will represent possibly the largest adoption of facial recognition technology in history and signifies an age where consumers are becoming more comfortable with the technology.
As the increased uptake of biometric authentication continues, so too will it bring new challenges in the way of attacks against biometric technology. These new technologies won’t be immune to hackers and protecting biometric data will be a top priority for security vendors.
#6 Goodbye SSN, Hello Electronic ID Card
2018 is expected to be the turning point for doing away with the social security number. Following the Equifax breach, which resulted in the compromise of 143 million Social Security numbers (SSNs), companies and lawmakers are considering an alternative to the use of SSNs as a primary identifier.
A number of countries have already implemented electronic national ID cards to replace static numerical identifiers with digital certificates. These can be dynamic in nature and can be revoked or replaced as needed in the event of a breach.
Belgium, Finland, Italy, the Netherlands, Germany, Spain, and Sweden are among the countries that have planned or already deployed electronic national ID (e-ID) cards. Some countries are implementing e-IDs that also include biometrics and the ability to digitally sign documents.
Citizens can use their e-IDs for standard purposes, like getting a driver’s license or a passport, or receiving government benefits. The e-ID cards also allow citizens to access more secure government applications electronically, for purposes such as filing taxes, banking, and even voting.
Though it’s likely that it will take a while for a decision to be made on this, discussions are under way in 2018 and it is expected that federal legislation will commence a move towards dispensing with traditional SSNs in favor of e-ID cards.
#6 Greater IoT Vulnerabilities
With the growing use and connectedness of devices, it is predicted that IoT vulnerabilities will continue to be exploited, including hacks on digital assistants and collaborative smart devices.
Digital assistants like Alexa, Siri, and Cortana embodied as smart speakers (Amazon Echo, Apple HomePod) are now commonplace. Designed for convenience, digital assistants can trigger actions that drive other smart devices or applications, and so too can some smart devices trigger other smart devices.
A greater variety of connected devices, each with varying security controls, brings challenges for secure communication across devices. Although individually some devices may have strong security controls, those same controls can be ineffective when combined with other products.
This will present security challenges for communications across connected devices within the smart home infrastructure. For example, smart speakers do not necessarily have strong security controls and these linked devices can unintentionally set off a chain of events triggered by some external variable.
Vulnerabilities can be intentionally exploited, as in the case of Burger King taking advantage of the “OK Google” phrase by planting it in a TV commercial to deliberately trigger the voice assistant on Google Home smart speakers.
For some time now this phrase, used in commercials, by news anchors, and by other voices on TV, has triggered Google Home and Amazon’s Alexa. There was even a reported case where a news report led to Alexa ordering dollhouses.
Some technology vendors such as Apple (Homekit), Google (Nest) and Samsung (SmartThings) are meshing the smart home ecosystem and are imposing differing restrictions on smart device vendors.
#7 AI Attacks
Advancements in Artificial Intelligence (AI) will be front and center in 2018. AI will be used as a tool for both attackers and defenders. In fact, currently 87% of cybersecurity professionals in the US report that their organizations already use AI as part of their cybersecurity strategy and 91% of cybersecurity professionals fear hackers will use AI to attack their company.
Beyond its practical applications in security, job automation, data processing and other applications, AI has evolved to the point where it will be used in cyberattacks.
While AI can do a lot of good for organizations, including customized content delivery, combining machine learning and big data for fresh insights, and automated tools to analyze threats and suspicious behavior on social media networks, it is predicted that there will be a malware attack engineered with artificial intelligence (AI) in 2018.
Ransomware was prolific in 2017, with major assaults from Locky to NotPetya and BadRabbit. According to Zscaler, the first mass malware campaign will leverage social engineering driven by an AI engine rather than humans.
2018: New Year, New Threats and Challenges
The new year will bring with it new threats and challenges, and what we can take away from these predictions is that while companies should continue to take necessary measures to prevent breaches, their focus and budget needs to be on detection and response tools, systems and processes.
In order to protect themselves, businesses and organizations will need to have multiple layers of protection, and security solutions will need to evolve with new threats, advances in technology, and changes in rules and regulations.
As businesses continue the deployment of enterprise IT and cybersecurity, and with the persistent cybersecurity skills shortage, companies can turn to cybersecurity advisory companies like ours to fill the gaps in their cybersecurity needs.
Now is a good time to consider whether you have the tools readily in place to quickly identify and respond to a breach, mitigate damage, and assess your exposure. If you need help getting closer to GDPR compliance, or need an assessment of your security ecosystem, contact Ascension Global Technology today. We can help you identify security gaps in your business systems and set you up with the right security tools and processes for your needs.
Further reading and resources
Gov.uk, Countries in the EU and EEA
Forbes, 51 Artificial Intelligence (AI) Predictions For 2018
Crowdstrike, Severe Cybersecurity Attacks Need Stronger Response Plans
Zscaler, 2018 Security Predictions
CSO Online, Our top 7 cyber security predictions for 2018
CSO Online, Preparing for GDPR compliance: Where you need to be now and how to get there
CSO Online, Top 5 cybersecurity concerns for 2018
CSO Online, General Data Protection Regulation (GDPR) requirements, deadlines and facts
Forbes, 60 Cybersecurity Predictions For 2018
Beyond Trust, Cybersecurity Predictions for 2018 (+ 5-Year Predictions, too!)
Techrepublic, 91% of cybersecurity pros fear hackers will use AI to attack their company
The Verge, Burger King’s new ad forces Google Home to advertise the Whopper