Below are a handful of my personal predictions about this year’s cybersecurity risks, controls, and culture – in no particular order.
- Phishing Attacks will increase exponentially: The days of poorly worded messages filled with grammar errors and cut-and-pasted logos are over. Messages are now more succinct and do a much better job of masquerading as legitimate correspondence. This will bring a rise in the number of successful phishing attacks. In fact, spear-phishing (phishing designed to target specific individuals or roles in a company) will become the norm. Since the costs (and risks) of mounting phishing attacks to plant malware or steal credentials are so disappointingly low, phishing will continue to be one of the most prevalent attack vectors used by malicious individuals.
- Ransomware attacks will decrease, while basic malware will become commonplace: Once the holy grail of hackers (and feared by corporate security professionals), ransomware has decreased over the last year or so, and that downward trend will continue into 2019. This is because fewer companies paid ransoms to recover data than expected, while malware/ransomware defenses have improved. Ransomware will, however, remain in the hacker toolkit, but will be used mostly as a distraction, to focus attention on the locked files, while a data harvesting attack is silently occurring elsewhere in the network. Whether delivered via email or visits to malicious websites, basic malware (keylogging, data mining, etc.) will also increase as an attack vector of choice because of its simplicity and effectiveness.
- Multi-Factor Authentication (MFA) will become the standard: Because increases in processing power make it so much easier to mount effective brute-force password guessing attacks – and because users still don’t consistently create strong passwords – credential theft will continue to be a favorite exploit method. While not perfect, MFA (using something you know or have or “are” in addition to IDs and passwords) does an effective job of thwarting most credential theft attacks. As such, customers, regulators, and auditors will require MFA to be used wherever possible – to the extent that it will become a commodity. Whether it’s the use of soft tokens on mobile devices, hard tokens, biometrics, or something different, cyber-savvy organizations will strive to implement MFA across their environments, on as many platforms and in as many applications as possible, as soon as possible.
- Companies will become much smarter on using the Cloud: Years ago, everyone was eager to “move to the cloud” to save money and take advantage of the quick scalability offered. Cloud providers were seen as invincible repositories providing ultimate security for your data. With breaches and availability issues at cloud providers, companies are realizing that protection of their data in the cloud is often their responsibility under many provider agreements. Some companies have found that the costs of implementing necessary controls in third-party cloud environments negates cost savings. In 2019, protection of data in the cloud will become a much higher priority than its availability or the cost savings that can be realized. There are great cloud providers out there that focus properly on data protection controls, but customers may steer the cloud market to be more responsive to providing “stock” security controls and to be transparent about the details of those controls.
- Shadow IT will become a significant problem: Users often have problems understanding why hardware and services are so expensive at their companies when they can go to a big box electronics store and buy something so inexpensively. However, things must be done at an enterprise scale, which requires costs and implementation processes and procedures that take a little longer than expected. Regardless, as the need for quicker deliveries increases and as well-meaning customer relationship employees want to provide speed-of-light service to their customers, 2019 will bring an increase in “Shadow IT,” a name given to business-people standing up their own (rogue) servers or storage devices, or sometimes entering one-off contracts with “unapproved” vendors. While their motivation is rarely malicious, their actions can cause serious risks to the company and to the protection of data.
- We’ll see more exploits of application vulnerabilities: Fraudsters are always looking for new, more effective ways to exploit corporate environments. As many of the recent breaches have identified, using application vulnerabilities to access networks has become a successful attack vector – and is likely to increase in popularity amongst fraudsters as the number and types of application vulnerabilities (including those in middleware used in applications) become more visible. While infrastructure vulnerabilities have been exploited successfully for years, attacks to exploit applications will increase significantly in 2019.
- Compliance is on the rise: While some would argue that it’s outside of the “cybersecurity bucket,” it seems that every country (and most U.S States) now have their own data protection and/or privacy compliance requirements – and each one demands different security controls, as well as different reporting requirements. It is critical that companies get in front of these detailed requirements to prevent hefty fines and penalties. The best way (and perhaps the only way) to do this effectively is to establish a robust and highly-competent compliance organization that’s tasked with cutting through the fog of compliance requirements. Next year, we expect to see a massive increase in the formation and operation of compliance organizations (and experts) to companies that have previously seen compliance as just an additional duty or someone’s part-time job.
- CISOs and cybersecurity teams will begin reporting to other than the CIO: Cybersecurity is all about risk. Security organizations reporting up through the IT Department are going to be a thing of the past. It’s an unfortunate fact, but security organizations are often at odds with IT departments, and having them in separate reporting organizations effectively creates the “separation of duties” that is now so important. Beginning in 2019, and continuing for several more years, progressive companies will begin migrating their information security organizations into the Risk, Finance, or Legal organizations. Some will even have them reporting directly to the CEO. This is a serious change in the way of doing business, and such changes take time to gain support and traction. However, given the increased importance of cybersecurity, many companies will realize the benefits of moving security out from under IT and placing it strategically within the organization.
- Boards will dramatically increase their attention toward cybersecurity: Over the last several years, board members of companies have become increasingly more aware of the “personal liabilities” of serving on corporate boards. U.S. law authorizes shareholders to sue corporate directors for wrongful acts that harm the corporation or the value of its shares. As cybersecurity becomes a much more significant aspect of successful companies, board members want to (have to) ensure due diligence for proper security-related controls and processes. As such, they are becoming much more aware of “everything cyber” to ensure they fully understand their responsibilities. As that awareness increases, in parallel with the importance to cybersecurity, 2019 and beyond will see a drastic increase in board members becoming involved in decisions around their companies’ cybersecurity programs.
Want to improve customer service and reduce fraud? Download our guide: The Six-Step Guide to Leveraging Machine Learning for Payments Intelligence