The technology industry is dynamic and continually evolving. Organisations have increasingly utilised this growing technology and incorporated it into their operations. While the benefits are numerous, there are undeniable cybersecurity risks facing organisations in 2018. Security experts are wary of the major threats posed by cybersecurity and have made certain predictions for 2018 based on previous years and future trends. According to Gartner’s report, these predictions are based on an analysis of major trends in cybersecurity, including shifting attacker tactics, new laws and regulations, changing consumer expectations and increased digitisation of businesses and society as a whole.
Insurers Will Adopt New Cybersecurity Policies
C-suite executives and management boards are finally acknowledging the severity of insufficient cybersecurity in their businesses. In 2017, thousands of organisations worldwide experienced financial loss, resignations, increases in class-action lawsuits and regulatory investigations – all caused by cyber attacks. Cyber attacks cause extreme harm to organisations by reducing earnings, exposing data, disrupting operations and destroying share prices.
In 2018, we will see these organisations being held accountable for their cybersecurity management. Shareholders, regulators and the public are no longer satisfied by board members or CEOs stepping down in the wake of major compromises. Indeed, organisations themselves cannot afford to react this way.
Companies will demand full coverage from insurers for the impact of cyber attacks. Adoption of these insurance policies will spread from traditional buyers, including the retail, finance and healthcare sectors, to other organisations such as airlines, power suppliers, manufacturing plants and oil and gas companies.
Insurance companies are expected to create enterprise cyber insurance policies covering a broad spectrum of cyber-related exposure. Stemming from the rising executive concern over cyber liability, companies must be prepared to adapt and embrace these changing insurance policies.
The Makeup Of Executive Control Will Shift
The sophistication and severity of cyber attacks have caused a rude awakening for senior executives. In response, companies will rearrange their executive framework to include a greater role for Chief Risk Officers (CROs) and Chief Information Security Officers (CISOs). These newly integrated roles will work with the entire organisation to enhance the business’s understanding of its cybersecurity exposure and develop more effective risk management policies.
Cyber attacks in 2017 took down manufacturing companies, hospitals and electrical grids to name but a few. These attacks occurred because companies failed to take cybersecurity seriously.
This is expected to change in 2018, with a broad range of industries finally incorporating cybersecurity into all areas of business risk. These companies will utilise CISOs’ and CROs’ specialised knowledge to improve their cyber risk model and create a broader picture of the impact of risk on the company as a whole. The need for security to be a board-level topic was identified by research firm Gartner 10 years ago, but the recommendation went largely unheard then. That is changing now, and executives are beginning to realise the need to heighten cybersecurity and develop clear digital business strategies.
As such, CISO and CRO positions will become increasingly valuable to companies and will enable more effective investment in cybersecurity measures and insurance. In their report, Gartner explains that their role is to ensure businesses know what risks they face and have enough information to make the best decisions about how much risk they’re willing and able to accept.
Stricter Regulations And Demand For Harmonisation
Regulators from international, national and local spheres will strictly enforce existing cybersecurity regulations, ensure compliance and introduce further regulations. Industry sectors being impacted by these regulations will demand harmonisation of regulations, in order to reduce complexity and support compliance.
Various regulations were introduced throughout 2017 in an attempt to address the growing impact and spread of cyber attacks across businesses, sectors and jurisdictions. In the EU, this came in the form of the General Data Protection Regulation (GDPR), governing all companies collecting data from EU citizens. Many countries have aligned themselves with the GDPR’s strict policies, including Australia, Japan and South Korea, but have moderated their policies somewhat.
The prediction is that the EU will make an example out of an organisation. While one camp believes that this organisation will be European, most argue it will be a major US company. Some even suggest the European Commission has specific companies in mind, such as Google, Apple, Amazon or Facebook. It is not difficult to guess why this would be, as holding these companies to account will allow the EU to make a strong statement about GDPR compliance. The European Commission can apply various enforcement actions, including a maximum fine of 4% of worldwide annual revenue or US$23.8 million.
Reacting to the burden of continuously increasing regulations and pressure, businesses and industry organisations will demand unification. This has already been witnessed, with bodies such as the US Chamber of Commerce and the DigitalEurope trade association calling for harmonisation and consistency amongst cybersecurity regulations.
An AON 2018 report warns, however, that in 2018 the compliance burden for companies will get tougher before it gets better. Companies must therefore self-regulate to avoid sanctions, by utilising external expertise and developing compliance/privacy management programs to enhance their cybersecurity risk techniques.
Third-Party Attacks Will Rise
So far, global organisations have failed to effectively consider third-party risk management as part of their operations. It is predicted that this failure will continue throughout 2018 and lead to a large company being brought down by an attack on a third-party vendor.
There is a clear benefit to interconnecting larger businesses with their vendors or contractors, dissolving traditional network perimeters and converging digital and physical information. The boom in usage of the Internet of Things (IoT) allows businesses to gather data, automate and monitor their operations and drive efficiency. This usage may generate approximately $11.1 trillion a year in economic value by 2025.
However, these processes also pose new and complex security challenges. The IoT is notoriously overlooked, misunderstood and unsecured. Indeed, attacks on the IoT are relatively simple, with botnet kits such as Andromeda, Gamarue and Wauchos credited with infecting more than 1 million devices in a month.
To avoid these issues, large organisations must acknowledge the cyber risk from third-party providers, and small to mid-sized businesses (SMBs) must implement more effective security measures.
A 2017 Ponemon study found that only 25% of executives asked for assurances from third parties that IoT risks had been assessed, managed and monitored effectively. More concerning still, another study found that between 2015 and 2016, 55% of SMBs had experienced a cyber attack. Such worrying statistics support the prediction that hackers will pinpoint SMBs working with larger businesses and utilise IoT platforms to gain entry to these larger companies.
Ideally, companies will begin demanding enhanced transparency from their third-party SMBs regarding cybersecurity. In order to compete effectively, SMBs will need to demonstrate stronger security measures and proper integration of security into their IoT ecosystem. Large companies are likely to demand security audits from their partners, suppliers and service providers in order to avoid serious danger from third-party cybersecurity attacks. Essentially, any organisation’s security is only as good as its extended network.
Multi-Factor Authentication Will Become Essential
Consumers and businesses alike are realising that passwords are failing. Studies have shown that 81% of hackers leveraged stolen or weak passwords in their attacks. Recently, consumers had a considerable wake-up call from the Equifax and Anthem breaches, prompting them to demand better protection from the businesses that hold their personally identifiable information (PII).
In response, it is predicted that passwords will be phased out as the primary method of authentication in 2018, but they will not disappear. Stepping up from passwords will be biometric identity authentication such as facial recognition, iris patterns and fingerprinting technologies. While such methods were once considered extreme, they will likely go mainstream throughout 2018.
However, as this technology becomes more prevalent, hackers will advance their attacks to defeat it. Therefore, a single layer of authentication will not be enough. 2018 will see the rise of multi-factor authentication (MFA). Organisations unable to leverage advanced MFA techniques will fall behind and be at significant risk of cyber attacks.
As more credentials are compromised and biometrics are cracked, MFA will expand. Indeed, MFA technology such as identity and access management (IAM) tools is projected to grow around 14.8% in 2018.
Companies will need to respond to the demand from consumers for better protection and adapt their security risk management to utilise MFA. Even after doing so, companies must proactively and continuously test and improve their defences.
Bug Bounty Programs Will Spread
It is predicted that 2018 will see a broad variety of industry sectors utilising bug bounty programs on a mainstream level. Specifically, businesses that use loyalty programs, gift cards, and reward or point programs will adopt the bug bounty system to avoid hackers targeting their point currency transactions.
In 2016, companies in the technology, government, automotive and financial sectors led the first wave of bug bounty programs. The idea is to open a business’s software to public testing, crowdsourcing the expertise of security specialists and engineers to locate vulnerabilities and security problems in the software. Once a vulnerability is located and reported, the business compensates the finder. Recently, Google compensated researchers up to US$5,000 for finding and reporting issues in the Chrome web browser.
As the threat to a larger variety of ‘points as currency’ companies increases, bug bounty programs will become a standard security process. The programs are expected to spread in 2018 to industries including airlines, hospitals, retail and hospitality.
The Ransomware Industry Will Flourish And Target Wider Networks
The global cost of ransomware attacks for organisations rose 400% in 2017, reaching approximately $5 billion. In previous years, these attacks were targeted specifically at vulnerabilities. However, it is predicted that criminals will evolve throughout 2018 and begin launching more sophisticated, researched and targeted attacks intended to gain access to, and infect, wider networks and high-value assets.
The number of attacks, the volume of ransomware tools and the targets for infection will mean that ransomware attacks will become more profitable and disruptive in 2018.
To respond to this, businesses must urgently segment their networks. Those that fail to do so will suffer attacks on an unnecessarily large scale. For further protection, a company must utilise systems that can create snapshots or maintain multiple versions of files. Such techniques enable restoration to a specific point in time and reduce the lost productivity resulting from a ransomware attack.
Trust will also be a casualty of these attacks. In 2018, more companies will be required to implement the Principle of Least Privilege, which reduces an employee’s data or file access to the bare minimum required to perform their work. Moreover, companies can no longer automatically trust their suppliers, partners or service providers and must undertake security audits continuously.
Other 2018 technology trends will make ransomware attacks more prevalent. Specifically:
- Cryptocurrencies enable the ransomware industry to flourish;
- The continued widespread use and insecurity of the IoT will enable large-scale access to mission-critical data;
- The spread of other malware, such as that used for distributed denial of service (DDoS) attacks, allows criminals to unleash huge outbreaks of ransomware.
Essentially, 2018 will see the rise of sophisticated and prevalent ransomware attacks launched on various platforms and targeting increasingly profitable and critical systems such as hospitals, transport companies and manufacturing companies.
The Insider Risk Will Continue To Rise
Organisations have failed to recognise and take action against the rising impact of ‘insider’ security breaches that have been predicted since 2016. Businesses are underestimating the critical vulnerability to their information, systems and networks from malicious, careless, negligent or unaware parties. These parties include employees, contractors and consultants to name a few. Underinvestment in proactive insider risk management will likely continue throughout 2018.
The definition of an ‘insider’ continues to evolve as businesses utilise consultancy and freelance services, blurring the boundaries between internal and external employees. Moreover, the changing dynamics of the modern workforce have resulted in depersonalised workplaces, causing employees to become less psychologically invested and engaged in the organisation.
Insiders can cause serious damage to a company by misappropriating intellectual property, allowing access to sensitive data and systems, and enabling hacker infiltration into the organisation’s perimeter.
It is predicted that 2018 will see companies continuing to manage insider risk reactively. To avoid this, companies must implement security training and technical controls, enhance employee relations and develop effective security risk mitigation strategies. Organisations must appreciate and address the vulnerabilities presented by insider risk.