Cybersecurity: Risks, Controls and What to Expect in 2019
2018 brought several subtle changes to the world of cybersecurity. For example, malware and targeted 'spear phishing' were on the rise, while the focus on protecting the perimeter began to take a back seat to hardening internal controls. As we enter 2019, the changing threat landscape is certain to bring a barrage of additional considerations in how we protect data and systems.
Below is a handful of my personal predictions about cybersecurity risks, controls, and culture in 2019 – in no particular order.
- Phishing Attacks will increase exponentially: The days of poorly worded messages filled with grammar errors and cut-and-pasted logos are over. Messages are now more succinct and do a much better job of masquerading as legitimate correspondence. This will bring a rise in the number of successful phishing attacks. In fact, spear-phishing (phishing designed to target specific individuals or roles in a company) will become the norm. Since the costs (and risks) of mounting phishing attacks to plant malware or steal credentials are so disappointingly low, phishing will continue to be one of the most prevalent attack vectors used by malicious individuals.
- Ransomware attacks will decrease, while basic malware will become commonplace: Once the holy grail of hackers (and feared by corporate security professionals), ransomware has decreased over the last year or so, and that downward trend will continue into 2019. This is because fewer companies paid ransoms to recover data than expected, while malware/ransomware defenses have improved. Ransomware will remain in the hacker toolkit, but it will be used mostly as a distraction: attention is focused on the locked files while a data-harvesting attack silently occurs elsewhere in the network. Whether delivered via email or visits to malicious websites, basic malware (keylogging, data mining, etc.) will also increase as an attack vector of choice because of its simplicity and effectiveness.
- Multi-Factor Authentication (MFA) will become the standard: Because increases in processing power make it so much easier to mount effective brute-force password guessing attacks – and because users still don’t consistently create strong passwords – credential theft will continue to be a favorite exploit method. While not perfect, MFA (requiring a second factor, something you have or something you “are,” in addition to the ID and password you know) does an effective job of thwarting most credential theft attacks. As such, customers, regulators, and auditors will require MFA to be used wherever possible – to the extent that it will become a commodity. Whether it’s the use of soft tokens on mobile devices, hard tokens, biometrics, or something different, cyber-savvy organizations will strive to implement MFA across their environments, on as many platforms and in as many applications as possible, as soon as possible.
- Companies will become much smarter about using the Cloud: Years ago, everyone was eager to “move to the cloud” to save money and take advantage of the quick scalability offered. Cloud providers were seen as invincible repositories providing ultimate security for your data. With breaches and availability issues at cloud providers, companies are realizing that protection of their data in the cloud is often their own responsibility under many provider agreements. Some companies have found that the costs of implementing the necessary controls in third-party cloud environments negate the cost savings. In 2019, protection of data in the cloud will become a much higher priority than its availability or the cost savings that can be realized. There are great cloud providers out there that focus properly on data protection controls, but customers may steer the cloud market to be more responsive in providing “stock” security controls and in being transparent about the details of those controls.
- Shadow IT will become a significant problem: Users often have trouble understanding why hardware and services are so expensive at their companies when they can go to a big-box electronics store and buy something so inexpensively. However, things must be done at an enterprise scale, which brings costs and implementation processes and procedures that take a little longer than users expect. Regardless, as the need for quicker deliveries increases and as well-meaning customer relationship employees want to provide speed-of-light service to their customers, 2019 will bring an increase in “Shadow IT,” a name given to business people standing up their own (rogue) servers or storage devices, or sometimes entering one-off contracts with “unapproved” vendors. While their motivation is rarely malicious, their actions can cause serious risks to the company and to the protection of data.
- We’ll see more exploits of application vulnerabilities: Fraudsters are always looking for new, more effective ways to exploit corporate environments. As many of the recent breaches have shown, using application vulnerabilities to access networks has become a successful attack vector – and it is likely to increase in popularity amongst fraudsters as the number and types of application vulnerabilities (including those in the middleware used by applications) become more visible. While infrastructure vulnerabilities have been exploited successfully for years, attacks exploiting applications will increase significantly in 2019.
- Compliance is on the rise: While some would argue that it’s outside of the “cybersecurity bucket,” it seems that every country (and most U.S. states) now has its own data protection and/or privacy compliance requirements – and each one demands different security controls, as well as different reporting requirements. It is critical that companies get in front of these detailed requirements to prevent hefty fines and penalties. The best way (and perhaps the only way) to do this effectively is to establish a robust and highly competent compliance organization that’s tasked with cutting through the fog of compliance requirements. Next year, we expect to see a massive increase in the formation and operation of compliance organizations (and experts) at companies that have previously seen compliance as just an additional duty or someone’s part-time job.
- CISOs and cybersecurity teams will begin reporting to someone other than the CIO: Cybersecurity is all about risk. Security organizations reporting up through the IT department are going to be a thing of the past. It’s an unfortunate fact, but security organizations are often at odds with IT departments, and placing them in separate reporting lines effectively creates the “separation of duties” that is now so important. Beginning in 2019, and continuing for several more years, progressive companies will begin migrating their information security organizations into the Risk, Finance, or Legal organizations. Some will even have them reporting directly to the CEO. This is a serious change in the way of doing business, and such changes take time to gain support and traction. However, given the increased importance of cybersecurity, many companies will realize the benefits of moving security out from under IT and placing it strategically within the organization.
- Boards will dramatically increase their attention toward cybersecurity: Over the last several years, board members of companies have become increasingly aware of the “personal liabilities” of serving on corporate boards. U.S. law authorizes shareholders to sue corporate directors for wrongful acts that harm the corporation or the value of its shares. As cybersecurity becomes a much more significant aspect of successful companies, board members want to (and have to) ensure due diligence for proper security-related controls and processes. As such, they are becoming much more aware of “everything cyber” to ensure they fully understand their responsibilities. As that awareness increases, in parallel with the importance of cybersecurity, 2019 and beyond will see a drastic increase in board members becoming involved in decisions around their companies’ cybersecurity programs.
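As an added illustration of the MFA prediction above (this is example code, not from the original post), here is how a "soft token" on a mobile device and the server agree on a code: the RFC 6238 TOTP algorithm, built on HOTP (RFC 4226). The server-side verifier shows the two checks a practitioner needs beyond generating the code: a small clock-drift window, and refusing to accept a counter value that was already used, so a code captured by phishing cannot be replayed after the victim has used it. The shared secret is the RFC 6238 test-vector key, used here only as sample data.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), base32 encoded.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros ("081804")


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch.
    This is what the authenticator app on the phone computes and displays."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns (accepted, counter_to_store_for_this_user).

    - Accepts the current step or `window` steps either side to tolerate clock drift.
    - Compares in constant time so response timing does not leak digits.
    - Refuses any counter <= last_counter: a code is single-use, so a phished or
      shoulder-surfed code cannot be replayed once the legitimate login has consumed it.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Phone side at t=59 s (counter 1), then server side verifying it twice.
    code = totp(SAMPLE_SECRET_B32, 59)
    print("app shows:", code)
    print("first use:", verify_totp(SAMPLE_SECRET_B32, code, 59, last_counter=-1))
    print("replay:   ", verify_totp(SAMPLE_SECRET_B32, code, 59, last_counter=1))
```

The 8-digit outputs match the published RFC 6238 SHA-1 vectors (for example, time 59 gives 94287082), which is a quick way to confirm an implementation before trusting it with real enrollments.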
Read more about the evolution of fraud threats in our Holiday Fraud Benchmark Report.