Cybersecurity: Risks, Controls and What to Expect in 2019
The world of cybersecurity saw several subtle changes in 2018. For example, malware and targeted "spear phishing" were on the rise, while the focus on protecting the perimeter began to take a back seat to hardening internal controls. As we enter 2019, the changing threat landscape is certain to bring a barrage of additional considerations in how we protect data and systems.
Below is a handful of my personal predictions about cybersecurity risks, controls, and culture in 2019 – in no particular order.
- Phishing Attacks will increase exponentially: The days of poorly worded messages filled with grammar errors and cut-and-pasted logos are over. Messages are now more succinct and do a much better job of masquerading as legitimate correspondence. This will bring a rise in the number of successful phishing attacks. In fact, spear-phishing (phishing designed to target specific individuals or roles in a company) will become the norm. Since the costs (and risks) of mounting phishing attacks to plant malware or steal credentials are so disappointingly low, phishing will continue to be one of the most prevalent attack vectors used by malicious individuals.
- Ransomware attacks will decrease, while basic malware will become commonplace: Once the holy grail of hackers (and feared by corporate security professionals), ransomware has decreased over the last year or so, and that downward trend will continue into 2019. This is because fewer companies paid ransoms to recover data than expected, while malware/ransomware defenses have improved. Ransomware will, however, remain in the hacker toolkit, but will be used mostly as a distraction, to focus attention on the locked files, while a data harvesting attack is silently occurring elsewhere in the network. Whether delivered via email or visits to malicious websites, basic malware (keylogging, data mining, etc.) will also increase as an attack vector of choice because of its simplicity and effectiveness.
- Multi-Factor Authentication (MFA) will become the standard: Because increases in processing power make it so much easier to mount effective brute-force password guessing attacks – and because users still don’t consistently create strong passwords – credential theft will continue to be a favorite exploit method. While not perfect, MFA (using something you know or have or “are” in addition to IDs and passwords) does an effective job of thwarting most credential theft attacks. As such, customers, regulators, and auditors will require MFA to be used wherever possible – to the extent that it will become a commodity. Whether it’s the use of soft tokens on mobile devices, hard tokens, biometrics, or something different, cyber-savvy organizations will strive to implement MFA across their environments, on as many platforms and in as many applications as possible, as soon as possible.
- Companies will become much smarter about using the cloud: Years ago, everyone was eager to “move to the cloud” to save money and take advantage of the quick scalability offered. Cloud providers were seen as invincible repositories providing ultimate security for your data. With breaches and availability issues at cloud providers, companies are realizing that under many provider agreements, protection of their data in the cloud is their own responsibility (the shared-responsibility model). Some companies have found that the costs of implementing the necessary controls in third-party cloud environments negate the cost savings. In 2019, protection of data in the cloud will become a much higher priority than its availability or the cost savings that can be realized. There are great cloud providers out there that focus properly on data protection controls, but customers may steer the cloud market toward providing “stock” security controls and being transparent about the details of those controls.
- Shadow IT will become a significant problem: Users often have trouble understanding why hardware and services are so expensive at their companies when they can go to a big-box electronics store and buy something so inexpensively. However, things must be done at an enterprise scale, which requires costs and implementation processes and procedures that take a little longer than expected. Regardless, as the need for quicker delivery increases and as well-meaning customer relationship employees want to provide speed-of-light service to their customers, 2019 will bring an increase in “Shadow IT,” a name given to businesspeople standing up their own (rogue) servers or storage devices, or sometimes entering into one-off contracts with “unapproved” vendors. While their motivation is rarely malicious, their actions can create serious risks to the company and to the protection of data: assets nobody inventories are assets nobody patches, monitors or backs up.
- We’ll see more exploits of application vulnerabilities: Fraudsters are always looking for new, more effective ways to exploit corporate environments. As many of the recent breaches have identified, using application vulnerabilities to access networks has become a successful attack vector – and is likely to increase in popularity amongst fraudsters as the number and types of application vulnerabilities (including those in middleware used in applications) become more visible. While infrastructure vulnerabilities have been exploited successfully for years, attacks to exploit applications will increase significantly in 2019.
- Compliance is on the rise: While some would argue that it’s outside the “cybersecurity bucket,” it seems that every country (and most U.S. states) now has its own data protection and/or privacy compliance requirements – and each one demands different security controls, as well as different reporting requirements. It is critical that companies get in front of these detailed requirements to prevent hefty fines and penalties. The best way (and perhaps the only way) to do this effectively is to establish a robust and highly competent compliance organization that’s tasked with cutting through the fog of compliance requirements. Next year, we expect to see a massive increase in the formation and operation of compliance organizations (and experts) at companies that have previously seen compliance as just an additional duty or someone’s part-time job.
- CISOs and cybersecurity teams will begin reporting to someone other than the CIO: Cybersecurity is all about risk. Security organizations reporting up through the IT department are going to be a thing of the past. It’s an unfortunate fact, but security organizations are often at odds with IT departments, and having them in separate reporting lines effectively creates the “separation of duties” that is now so important. Beginning in 2019, and continuing for several more years, progressive companies will begin migrating their information security organizations into the Risk, Finance, or Legal organizations. Some will even have them reporting directly to the CEO. This is a serious change in the way of doing business, and such changes take time to gain support and traction. However, given the increased importance of cybersecurity, many companies will realize the benefits of moving security out from under IT and placing it strategically within the organization.
- Boards will dramatically increase their attention toward cybersecurity: Over the last several years, board members of companies have become increasingly aware of the “personal liabilities” of serving on corporate boards. U.S. law authorizes shareholders to sue corporate directors for wrongful acts that harm the corporation or the value of its shares. As cybersecurity becomes a much more significant aspect of successful companies, board members want to (and have to) ensure due diligence for proper security-related controls and processes. As such, they are becoming much more aware of “everything cyber” to ensure they fully understand their responsibilities. As that awareness increases, in parallel with the growing importance of cybersecurity, 2019 and beyond will see a drastic increase in board members becoming involved in decisions around their companies’ cybersecurity programs.