2018 Cybersecurity Trends
The cybersecurity threat landscape has been on an upward swing for the last decade and 2017 was no exception. We saw some of the largest, most secure companies like HBO, Verizon, Sonic, Uber and Equifax all experience massive customer data breaches. Government wasn’t even spared as US Air Force’s security clearances, confidential CIA documents and the records of California voters were all leaked. Even cybersecurity guru, John McAfee had his twitter account hacked.
In one year we saw the emergence of new ransomware variants like Wanna Cry, Not Petya, Locky, GoldenEye, and Jigsaw, spread around the world at a bewildering speed. Safest to say, that we can expect 2018 to be an eventful year for cybersecurity.
David Ferbrache, CTO in KPMG’s cybersecurity practice set out 10 trends we can expect to see in 2018:
1. Expect zero regulatory tolerance when GDPR comes into force
The General Data Protection Regulation (GDPR) comes into force across the EU – including the UK – from 25th of May. It will reshape data protection laws and stiffen penalties for breaches. While most firms are reviewing the regulation and making inroads into compliance, many will not be ready. While it’s difficult to predict how sanctions under the GDPR will be applied by the various regulators, expect a few high profile examples to be made right out of the gate.
David Ferbrache: “Privacy rights are on the agenda, and we can expect zero regulatory tolerance for the long delays in notification of major breaches seen recently.”
2. Criminals will continue to innovate and expose new vulnerabilities
Cybercrime exists because it pays, and it pays very well – enough to fund an ever escalating cycle of investment into new technologies, techniques and ways to circumvent existing cybersecurity.
David Ferbrache: “Organised crime groups are on the hunt for new ways to monetise stolen information and access to systems, and in a post-Bank of Bangladesh world they will be increasingly creative in how they do this.”
(Some $81 million was lost from accounts at Bangladesh Bank in just hours following a hack.)
“We can expect more attempts to initiate fraudulent payment transactions (often with a social engineering elements), as well as ongoing interest in our core financial infrastructure including payment and trading platform gateways. Growing demands are being placed on fraud control and anti-money laundering systems to catch these transactions, while customers demand instantaneous financial transfers. If these controls fail, expect to see a $100 million pay-out from a cyber-attack”.
3. Governments to prioritise collaboration and intelligence sharing
In a globalized, interconnected world where Cybercriminals are unconstrained by national borders, individual cybersecurity efforts will be futile. To truly be effective, the response must be coordinated and global.
David Ferbrache: “As criminals industrialise cyber-attacks using crime as a service model to rent attack tools and ransomware, governments are increasingly looking for ways to disrupt the infrastructure used by criminals. Closer links with telcos and service providers are being built along with the operational processes needs to block sites hosting malware, detect and counter phishing attacks. Trusted DNS services and Domain-based Message Authentication, Reporting and Conformance (DMARC) will be rolled out at scale across the community by both the National Cyber Security Centre and by organisations such as the Global Cyber Alliance. These community measures linked to improved intelligence sharing will start to make a difference.”
4. A new model of cyber security will emerge
The rise of the cloud is prompting a shift in the role of organisations in what and how they protect.
David Ferbrache: “As firms invest more in cloud computing, a new model for cyber security is emerging. Increasingly, firms can look to cloud providers to embed good IT security, but firms still own the problem of setting their requirements and determining just who can access what. The shift towards DevOps and agile development, build on these more flexible infrastructures also demands new ways of embedding security into the development lifecycle and an equally agile test regime. Security can no longer engage at the end of development cycles, and if it does, it risks being seen as a blocker rather than an enabler.”
5. Expect to see more automation of controls and compliance
The sheer scale and complexity of threats means that monitoring and maintenance by human personnel cannot possibly stem the tide. As more Cybersecurity and Compliance platforms come online, it will be easier to implement turnkey solutions. As the costs fall, it will also become harder for IT to make the case to “Build” vs “Buy”.
David Ferbrache: “Firms are coming under pressure to contain their burgeoning cybersecurity budgets. Manpower intensive compliance processes are beginning to give way to continuous testing and controls monitoring, helping firms build a more accurate picture of their IT estate – helping the CIO as well as the CISO.”
6. Digital channels will demand customer centric security
Digital transformation is changing customer expectations and driving a much more integrated and federated online experience. Open APIs, which make this experience possible, will create new vulnerabilities, which must be plugged with customer-centric solutions
David Ferbrache: “Digital channels are becoming more and more sophisticated demanding new consumer identity and access management approaches, dynamic transaction risk scoring and fraud controls, and an emphasis on usable non-intrusive security measures which don’t impact the consumer’s experience. Open Banking and the arrival of Payment Services Directive 2 will drive richer interactions between a new ecosystem of payment service providers and the banks who handle our money. A new world of open API is on the horizon, but concerns over criminal exploitation of these rich interfaces abound.”
7. Endemic poor security in the internet of things continues in 2018
The internet of things comprises a wide array of devices, in whose development security was little more than an afterthought. With more than eight billion connected ‘things’ already in operation and that number set to rise to more than 20 billion by 2020, this is going to be a tricky problem to tackle. Don’t expect the international community to get a strong handle on it this year, warns Ferbrache.
David Ferbrache: “Criminal groups continue to exploit insecure ‘internet of things’ devices as sources of attack traffic for denial of service attacks, leading to more and more extortion attacks but also an increasingly sophisticated response from the international community involving telcos, content delivery networks and Distributed Denial of Service (DDoS) mitigation firms. Unfortunately, this response won’t be consistent globally, and many nations may find themselves vulnerable to these attacks which will cause major disruption in 2018.”
8. State-directed cyber threats continue to evolve and intensify
Amid the ongoing FBI investigation into allegations over Russian interference in the US Presidential Election, 2018 promises to be another eventful year in terms of state-directed espionage and disruptive attacks.
David Ferbrache: “Expect more evidence of industrial control system attack tools being tested”
David Ferbrache: “As countries invest to develop their cyber espionage and offensive capabilities, we will see more signs of their activities. Disclosures of high end techniques used by nations will continue, fuelling the opportunistic repurposing of these vulnerabilities by less sophisticated states and organised crime groups. Expect more evidence of industrial control system attack tools being tested as states explore the potential of this new form of warfare.”
9. Challenges ahead for regulatory alignment
Geopolitics as ever will make it fiendishly difficult to achieve cross-border regulatory consistency.
David Ferbrache: “States continue to intervene to protect their national security interests in cyberspace, risking an increasingly complex framework of international regulation and controls around the supply chain for critical infrastructure firms. While there will be some moves to align regulation across the global financial sector around the G7 fundamental elements of cyber security, this will take time and effort to achieve.”
10. Resilience will be prioritised
There’s a widespread acceptance that however well the world hones its defences against the cyber threat, it cannot hope to stamp out the menace altogether. Breaches are a fact of life and organisations can only strive to keep the risk of falling prey to a minimum.
With this in mind, reducing the impact of successful attacks is as big a priority as preventing them from happening in the first place.
David Ferbrache: “Regulators are focusing on resilience – the ability of an organisation to anticipate, absorb and adapt to disruptive events – whether cyber-attack, technology failure, physical events or collapse of a key supplier. Exercises and playbooks are in fashion as firms try to build the muscle memory they need to respond to a cyber-attack quickly and confidently, while cyber insurance is finding its place not just as a means of cost reimbursement but as a channel for access to specialist support in a crisis.”