It’s that time of the year again – the time for us to start gazing into crystal balls, pulling out the ouija board, and taking a DeLorean up to 88 miles per hour, all in an attempt to predict what the coming year will bring to information security.
After extensive thought on the topic, I’ve come up with six predictions for 2018. Let’s take a deep dive into each.
- Lack of in-house expertise will cause ongoing cloud security woes
Are clouds secure? Are they not? Are we going to move workloads to the cloud? Are we not? Over the last few years, these questions have been repeated over and over within many organizations. However, as more companies have made the move to the cloud, vetted providers, and developed their cloud strategy, confusion has lessened – but security woes have not.
In the year ahead, we’ll continue to see a distinct lack of in-house cloud expertise resulting in security troubles for many organizations. While cloud providers offer adequately secure platforms, users still have a responsibility to ensure they are doing their part toward securing their data in the cloud (think the shared security model). This includes monitoring for security threats within the cloud environment, and equally ensuring cloud environments are properly configured. But many IT and security professionals aren’t aware of their role in cloud security, or are aware but don’t know the best way to execute on their responsibilities.
There have been countless cases in 2017 whereby enterprises have left private information publicly exposed, which has resulted in huge breaches. While most resulted from a failure to properly secure Amazon Web Services (AWS) buckets, this is not the only cloud vulnerability. For example, many people also found that their information was shared publicly via Microsoft’s docs.com service.
Education and awareness around cloud security and the shared security model can go a long way in minimizing risk and keeping company data safe – regardless of whether it’s on-premises or in the cloud.
- Ransomware will remain one of the most popular attack methods
Ransomware has dominated many news cycles throughout 2017. And, unfortunately, we won’t see this attack vector slow down anytime soon.
With lower execution costs, high returns and minimal risk of discovery (compared to other forms of malware), ransomware has quickly become a preferred method of attack for cybercriminals. And it’s now easier than ever for virtually anyone – even individuals with minimal security knowledge – to extort money from companies and individuals through do-it-yourself ransomware toolkits or via the services of a Ransomware-as-a-Service (RaaS) provider. Cybercriminals always aim to take the path of least resistance while achieving maximum ROI, and RaaS lets them do just that.
While security controls continue to improve and definitely help companies defend against ransomware, the threat vector is becoming increasingly sophisticated and exacerbated by the growth of the “Internet of Things (IoT).” The proliferation of IoT devices has vastly expanded the network of potential targets for cybercriminals – making the “ransomware of IoT” the security world’s new nightmare.
- The debate around insecure IoT devices will heat up
Speaking of IoT, it’s made my predictions list three years in a row. How can this be, you ask? Because IoT is such a broad and all-encompassing term, the goal posts keep moving.
This year, we saw the devastation caused by Mirai and similar malware, which recruited many insecure IoT devices into a botnet to launch huge DDoS attacks. And the problem of insecure IoT devices will only worsen in 2018, as more and more manufacturers connect products to the internet. While some may be relatively harmless, such as a salt shaker that tracks your daily salt intake, others, such as smartwatches designed to protect children, could have more severe consequences if left vulnerable to attack.
IoT devices lack security by design, and they also don’t offer the option to upgrade or apply patches. Additionally, many vendors choose convenience (e.g., using default credentials in their appliances) over implementing proper security measures, which is a flagrant violation of best practices in product development.
Many vendors simply aren’t willing to put in the extra effort to ensure security unless it’s required. Perhaps 2018 will be the year we see governments around the world take an active role in IoT security and put pressure on these manufacturers to do the right thing for consumers.
- Prioritizing threat detection
Despite years of increasing cybersecurity spend on prevention, challenges remain largely unchanged. If anything, it feels as if breaches occur more frequently, and impact a greater number of users and companies.
We’ve already seen signs that many U.K. companies are decreasing their 2018 cybersecurity budgets. This may be attributed to Brexit and the economy, or maybe it’s a sign that companies believe that more spend doesn’t equate to better security. Rather, it’s about finding the best place to invest for maximum return.
As a result, we’ll likely see more attention towards building threat detection capabilities in order to discover, in a relatively short timeframe, when an attack is underway or has occurred.
- Companies will scramble to comply with the General Data Privacy Regulation (GDPR)
Though GDPR has been a hot topic in the news, and at this year’s security conferences and events, many businesses are still either unaware of what it is, or lack an understanding of how the regulation will affect them. There is also a profound misperception that GDPR only impacts European companies. In reality, GDPR applies to all organizations that control or process data within the EU as well as those that control or process data related to EU residents. This means that, while GDPR is rooted in the EU, organizations in the U.S. that handle data from EU residents are very much impacted as well.
GDPR is primarily intended to strengthen security and privacy protections around individual data, which it enforces by subjecting organizations to stricter requirements, adding new requirements – such as breach notification – and increasing fines on organizations that fail to comply. As GDPR comes into force in May 2018, we’ll see many organizations – both in Europe and the U.S. – scramble to put the necessary processes and technology in place to ensure compliance.
- Cybersecurity technology politics will prompt greater corporate transparency
Cybersecurity, in some way or another, has often been politicized (e.g., hacker activists or nation-state adversaries). Technology companies are finding themselves increasingly in the crosshairs of governments – from providing access to users or products, like Apple, to being accused of colluding with foreign intelligence agencies, like Kaspersky.
Technology companies like Kaspersky will want to avoid being used as a political pawn. In recent years, companies like Google and Facebook have been repeatedly asked by various governments to provide access to customer accounts. Similarly, many messenger services that provide end-to-end encryption have been asked to provide backdoors.
It is unlikely that technology companies will provide carte blanche access to their customers’ data; it is likely that we’ll see great attempts at transparency through source code and assurance reviews to help mitigate any accusations of foreign influence or collusion.