Dell EMC

Cybersecurity: What You Need to Know for 2018?


More Regulations, More Ransomware & More to Keep You Up at Night

If you thought 2017 was a tough year for cyber security with ransomware, state-sponsored attacks, malware and phishing scams, you might want to brace yourself for 2018. It is going to be another record-breaking year for network break-ins and data theft, with new regulations and the rising value of Bitcoin throwing more uncertainty into an already nerve-wracking state of security.

Here are my predictions for the security winners and the losers in the coming year…

Prediction #1: Ransomware attacks will get more personal.

We’ve already seen ransomware evolve beyond straightforward money-for-data exchanges to more sinister purposes such as state-sponsored attacks (e.g., NotPetya). What we haven’t seen yet is criminals leveraging the personal data they’ve already stolen, such as healthcare records, for personal blackmail purposes. In 2018, it is safe to assume cyber criminals will leverage the personal data they’ve stolen, such as medical records or information on medical treatments, to extort money from individuals and celebrities.

Prediction #2: Expect some big losers in the new regulatory requirements for New York and Europe.

2018 kicks off with important new regulations that will govern how financial and insurance companies sell services to New York State residents. The New York Department of Financial Services’ 23 NYCRR Part 500 Cybersecurity Regulation significantly changes the security landscape by requiring companies to have a dedicated Chief Security Officer, multifactor authentication and encryption for data at rest. Companies that don’t comply could face criminal charges against their chairman of the board (!). Also in 2018, Europe will launch its General Data Protection Regulation (GDPR) to protect the privacy of EU residents. Look for both regulatory agencies to set a serious tone early on with some big-name fines and possible criminal charges, particularly in the U.S. and the U.K.

Prediction #3: Multifactor authentication goes fully mainstream.

“Password-protected” is fast becoming an oxymoron. When you consider how many sites and applications have been compromised to date, and how often we re-use the same passwords, it’s clear that passwords alone are not sufficient to keep our data safe. In 2018, we’ll continue to see more organizations and applications make use of multifactor authentication methods to verify identity. Look for simple, creative solutions that take advantage of intelligent devices, such as shaking your smartphone or performing an on-screen finger swipe. Many of these exist today, but adoption has been limited. Pervasive players like Google, Facebook and Microsoft are also in the multifactor authentication mix, offering to federate and manage identities for their customers.

Prediction #4: The state of state-sponsored attacks worsens.

Last year saw a rise in state-sponsored cyberattacks from China, North Korea and other regions. These attacks will continue to rise in 2018 until the U.N. or other international enforcement agencies begin to treat cyberespionage and cybercrime as more than just a “soft” attack. Expect to see more state-sponsored cybercrime, particularly for nations needing to generate cash flow around international embargos.

Prediction #5: 2018 is the year that IoT attacks (finally) go big.

For years, pundits have been predicting that IoT attacks will go mainstream, and it hasn’t really happened yet. So what makes 2018 different? For one thing, there are far more IoT devices in the market today. Amazon reportedly sold tens of millions of Alexa devices during the holiday season. Consumer-based IoT devices have more access to our personal information and more control over our homes and our lives—making them an irresistible target for cybercriminals who want to cause major mayhem or simply prove that they can hack into millions of homes.

There is likely even a Meltdown/Spectre angle here. Fortunately, I also predict that this is the year that the industry will realize the need for IoT security standards and regulations to mitigate the risk—e.g., requiring that manufacturers automatically push security updates to IoT devices.

Prediction #6: The good guys get smarter.

It’s not all doom and gloom for the new year. In fact, I predict that companies get a lot smarter about how they protect themselves as User and Entity Behavioral Analytics (UEBA) solutions go mainstream. We’ve already seen some of the major security players acquire UEBA technology for their portfolios, including HPE (Niara) and Palo Alto Networks (LightCyber). Expect to see more acquisitions in this space, too. UEBA has an important role to play in automating much of the detection/protection work that is done manually today, which will free up security teams to pay more attention to the new and harder-to-detect attacks of the future.

The best predictor of whether you’ll come out of 2018 safe and secure is whether you’ve updated your security strategy to reflect the changing threat landscape. If you haven’t looked at your security strategy lately, maybe it’s time to bring in the security experts at Rolta AdvizeX to assess your security strengths and vulnerabilities with a Security Advizer engagement.

For a deeper perspective into the security challenges ahead, please check out my latest CyberSecurity webinar. ▪