Cybersecurity: Risks, Controls and What to Expect in 2019
The world of Cybersecurity has brought about several subtle changes in 2018. For example, malware and targeted 'Spear Phishing' were on the rise, while the focus on protecting the perimeter has begun to take a back seat to hardening internal controls. As we enter 2019, the changing threat landscape is certain to result in a barrage of additional considerations in how we protect data and systems.
Below is a handful of my personal predictions about cybersecurity risks, controls, and culture in 2019 – in no particular order.
- Phishing Attacks will increase exponentially: The days of poorly worded messages filled with grammar errors and cut-and-pasted logos are over. Messages are now more succinct and do a much better job of masquerading as legitimate correspondence. This will bring a rise in the number of successful phishing attacks. In fact, spear-phishing (phishing designed to target specific individuals or roles in a company) will become the norm. Since the costs (and risks) of mounting phishing attacks to plant malware or steal credentials are so disappointingly low, phishing will continue to be one of the most prevalent attack vectors used by malicious individuals.
- Ransomware attacks will decrease, while basic malware will become commonplace: Once the holy grail of hackers (and feared by corporate security professionals), ransomware has decreased over the last year or so, and that downward trend will continue into 2019. This is because fewer companies paid ransoms to recover data than expected, while malware/ransomware defenses have improved. Ransomware will, however, remain in the hacker toolkit, but will be used mostly as a distraction, to focus attention on the locked files, while a data harvesting attack is silently occurring elsewhere in the network. Whether delivered via email or visits to malicious websites, basic malware (keylogging, data mining, etc.) will also increase as an attack vector of choice because of its simplicity and effectiveness.
- Multi-Factor Authentication (MFA) will become the standard: Because increases in processing power make it so much easier to mount effective brute-force password guessing attacks – and because users still don’t consistently create strong passwords – credential theft will continue to be a favorite exploit method. While not perfect, MFA (using something you know or have or “are” in addition to IDs and passwords) does an effective job of thwarting most credential theft attacks. As such, customers, regulators, and auditors will require MFA to be used wherever possible – to the extent that it will become a commodity. Whether it’s the use of soft tokens on mobile devices, hard tokens, biometrics, or something different, cyber-savvy organizations will strive to implement MFA across their environments, on as many platforms and in as many applications as possible, as soon as possible.
- Companies will become much smarter on using the Cloud: Years ago, everyone was eager to “move to the cloud” to save money and take advantage of the quick scalability offered. Cloud providers were seen as invincible repositories providing ultimate security for your data. With breaches and availability issues at cloud providers, companies are realizing that protection of their data in the cloud is often their responsibility under many provider agreements. Some companies have found that the costs of implementing necessary controls in third-party cloud environments negates cost savings. In 2019, protection of data in the cloud will become a much higher priority than its availability or the cost savings that can be realized. There are great cloud providers out there that focus properly on data protection controls, but customers may steer the cloud market to be more responsive to providing “stock” security controls and to be transparent about the details of those controls.
- Shadow IT will become a significant problem: Users often have problems understanding why hardware and services are so expensive at their companies when they can go to a big box electronics store and buy something so inexpensively. However, things must be done at an enterprise scale, which requires costs and implementation processes and procedures that take a little longer than expected. Regardless, as the need for quicker deliveries increases and as well-meaning customer relationship employees want to provide speed-of-light service to their customers, 2019 will bring an increase in “Shadow IT,” a name given to business-people standing up their own (rogue) servers or storage devices, or sometimes entering one-off contracts with “unapproved” vendors. While their motivation is rarely malicious, their actions can cause serious risks to the company and to the protection of data.
- We’ll see more exploits of application vulnerabilities: Fraudsters are always looking for new, more effective ways to exploit corporate environments. As many of the recent breaches have identified, using application vulnerabilities to access networks has become a successful attack vector – and is likely to increase in popularity amongst fraudsters as the number and types of application vulnerabilities (including those in middleware used in applications) become more visible. While infrastructure vulnerabilities have been exploited successfully for years, attacks to exploit applications will increase significantly in 2019.
- Compliance is on the rise: While some would argue that it’s outside of the “cybersecurity bucket,” it seems that every country (and most U.S States) now have their own data protection and/or privacy compliance requirements – and each one demands different security controls, as well as different reporting requirements. It is critical that companies get in front of these detailed requirements to prevent hefty fines and penalties. The best way (and perhaps the only way) to do this effectively is to establish a robust and highly-competent compliance organization that’s tasked with cutting through the fog of compliance requirements. Next year, we expect to see a massive increase in the formation and operation of compliance organizations (and experts) to companies that have previously seen compliance as just an additional duty or someone’s part-time job.
- CISOs and cybersecurity teams will begin reporting to other than the CIO: Cybersecurity is all about risk. Security organizations reporting up through the IT Department are going to be a thing of the past. It’s an unfortunate fact, but security organizations are often at odds with IT departments, and having them in separate reporting organizations effectively creates the “separation of duties” that is now so important. Beginning in 2019, and continuing for several more years, progressive companies will begin migrating their information security organizations into the Risk, Finance, or Legal organizations. Some will even have them reporting directly to the CEO. This is a serious change in the way of doing business, and such changes take time to gain support and traction. However, given the increased importance of cybersecurity, many companies will realize the benefits of moving security out from under IT and placing it strategically within the organization.
- Boards will dramatically increase their attention toward cybersecurity: Over the last several years, board members of companies have become increasingly more aware of the “personal liabilities” of serving on corporate boards. U.S. law authorizes shareholders to sue corporate directors for wrongful acts that harm the corporation or the value of its shares. As cybersecurity becomes a much more significant aspect of successful companies, board members want to (have to) ensure due diligence for proper security-related controls and processes. As such, they are becoming much more aware of “everything cyber” to ensure they fully understand their responsibilities. As that awareness increases, in parallel with the importance to cybersecurity, 2019 and beyond will see a drastic increase in board members becoming involved in decisions around their companies’ cybersecurity programs.
Read more about the evolution of fraud threats in our Holiday Fraud Benchmark Report.
Related Blog Posts
Instant Payments in Italy – And Beyond: Lessons from Il Salone dei Pagamenti
ACI was invited back to Il Salone dei Pagamenti – Italy’s premier payments event organized by the Italian Banking Association (ABI) – to participate in a panel, “SEPA Inst – the Future.” As expected, the session was packed with stats and advice for a more efficient roll out of instant payments – in Italy and beyond.
Dedicated Followers of Fintech: Why Transaction Banking Never Goes Out of Fashion
Taking part in a panel at a recent corporate treasury conference, I was introduced as a ‘consumer payments expert’ – not an obvious qualification for sharing stage-time with serious corporate liquidity and cash management folk, but as the talk track was on mobile wallets and Open Banking, I had some reasonably safe and relevant content on which to fall back.
Sibos Preview: The Five Trends Transforming Real-Time Payments
Real-time is now a reality, with more than 30 schemes live around the world. And real-time is in the spotlight as banks and financial service providers make their way to Sydney for Sibos 2018. What better time to look ahead at the key trends that are going to shape the ongoing development of real-time payments.
API Management: The Reason Digital Open Banking Can Fly
When it comes to thinking about the different roles that an API Manager can play for an organization, I personally think that an airport provides the perfect analogy. The customer is the passenger, the third-party organizations using a bank’s APIs are the airlines and the airport itself is the bank. I also think this analogy helps to visualize the variety of API management capabilities – including the role of an API gateway.
Can Corporate Banking be as Easy as Ordering Pizza?
ACI recently hosted Greenwich Associates on a webinar to discuss corporate banking. While not a topic that would usually make attendees salivate, the discussion turned toward ordering pizza (maybe, because it was close to lunchtime) and Greenwich highlighted how corporate banking should be as easy as ordering pizza.
Modernizing Cross-Border Transfers with SWIFT gpi
The customer experience for domestic payments – retail and corporate – has recently undergone a complete transformation. There’s still plenty more that could be achieved, but the advent of real-time payments in combination with open APIs has seen the launch of Request for Payment services and direct eCommerce instant payments in the UK and Europe. And it’s not just the PSD2 push in Europe that’s driving change – in the U.S., Zelle is moving beyond standalone P2P payments to become an integrated part of the retail banking app experience, as well as being included in new kinds of corporate disbursements.
Instant + Open Payments = A Winning Combination
I recently joined a panel discussion at EBAday 2018, alongside representatives from across the payments ecosystem, and the clear consensus was that real-time payments will be the new normal. This was evidenced by some of the interactive polls carried out.
Maintain Vs. Invest: What the Digital Era Ushers in for Banks
Taking place this week in Brussels, the European Credit Research Institute (ECRI) will host a high-level debate on how policymakers can build on the process of digitalisation of banks to raise competitiveness in light of increased competition from fintech start-ups and tech giants.
How the Merchant Payment Ecosystem Can Create Value in Instant Payments
Recently, ACI conducted some research into the appetite to make use of instant payments among corporates. The results were overwhelmingly favorable, but when we think about the benefits of immediate payments for corporates, it does seem obvious that they would want to leverage this new payment type.
Real-Time Payments Will be Europe’s Most Dominant Payments System – Are You Ready to Realize the Full Value?
Since the launch of the SCT Inst rulebook in November 2017, many more banks are live and offering real-time payments to their customers, with most of the rest committed to 2018. The buzzword at the recent ECB #TIPSapp Event in Frankfurt was ‘Interoperability,’ or as my friend José Beltrán from STET would say, ‘Reachability.’ No-one expressed this more clearly on February 6th than Javier Santamaria, President of the European Payments Council, when he reiterated his message from Il Salone Dei Pagamenti, the day after the SEPA launch; "We have launched the Pan-EU scheme, now it is up to you in the audience and beyond to take advantage of it and make it work."