Cybersecurity: Risks, Controls and What to Expect in 2019
The world of cybersecurity saw several subtle changes in 2018. For example, malware and targeted 'spear phishing' were on the rise, while the focus on protecting the perimeter began to take a back seat to hardening internal controls. As we enter 2019, the changing threat landscape is certain to bring a barrage of additional considerations in how we protect data and systems.
Below is a handful of my personal predictions about cybersecurity risks, controls, and culture in 2019 – in no particular order.
- Phishing attacks will increase exponentially: The days of poorly worded messages filled with grammar errors and cut-and-pasted logos are over. Messages are now more succinct and do a much better job of masquerading as legitimate correspondence, which will bring a rise in the number of successful phishing attacks. In fact, spear-phishing (phishing designed to target specific individuals or roles in a company) will become the norm. Since the costs (and risks) of mounting phishing attacks to plant malware or steal credentials are so disappointingly low, phishing will remain one of the most prevalent attack vectors used by malicious individuals.
- Ransomware attacks will decrease, while basic malware will become commonplace: Once the holy grail of hackers (and feared by corporate security professionals), ransomware has decreased over the last year or so, and that downward trend will continue into 2019. This is because fewer companies paid ransoms to recover data than expected, while malware/ransomware defenses have improved. Ransomware will remain in the hacker toolkit, but it will be used mostly as a distraction, focusing attention on the locked files while a data-harvesting attack is silently occurring elsewhere in the network. Whether delivered via email or visits to malicious websites, basic malware (keylogging, data mining, etc.) will also increase as an attack vector of choice because of its simplicity and effectiveness.
- Multi-Factor Authentication (MFA) will become the standard: Because increases in processing power make it so much easier to mount effective brute-force password guessing attacks – and because users still don’t consistently create strong passwords – credential theft will continue to be a favorite exploit method. While not perfect, MFA (using something you know or have or “are” in addition to IDs and passwords) does an effective job of thwarting most credential theft attacks. As such, customers, regulators, and auditors will require MFA to be used wherever possible – to the extent that it will become a commodity. Whether it’s the use of soft tokens on mobile devices, hard tokens, biometrics, or something different, cyber-savvy organizations will strive to implement MFA across their environments, on as many platforms and in as many applications as possible, as soon as possible.
- Companies will become much smarter about using the cloud: Years ago, everyone was eager to “move to the cloud” to save money and take advantage of the quick scalability offered. Cloud providers were seen as invincible repositories providing ultimate security for your data. With breaches and availability issues at cloud providers, companies are realizing that protection of their data in the cloud is often their own responsibility under many provider agreements. Some companies have found that the costs of implementing the necessary controls in third-party cloud environments negate the cost savings. In 2019, protection of data in the cloud will become a much higher priority than its availability or the cost savings that can be realized. There are great cloud providers out there that focus properly on data protection controls, but customers may steer the cloud market to be more responsive in providing “stock” security controls and to be transparent about the details of those controls.
- Shadow IT will become a significant problem: Users often have trouble understanding why hardware and services are so expensive at their companies when they can go to a big-box electronics store and buy something so inexpensively. However, things must be done at an enterprise scale, which brings costs and implementation processes and procedures that take a little longer than expected. Regardless, as the need for quicker deliveries increases and as well-meaning customer relationship employees want to provide speed-of-light service to their customers, 2019 will bring an increase in “Shadow IT,” a name given to business-people standing up their own (rogue) servers or storage devices, or sometimes entering one-off contracts with “unapproved” vendors. While their motivation is rarely malicious, their actions can create serious risks to the company and to the protection of its data.
- We’ll see more exploits of application vulnerabilities: Fraudsters are always looking for new, more effective ways to exploit corporate environments. As many of the recent breaches have shown, using application vulnerabilities to access networks has become a successful attack vector – and it is likely to increase in popularity amongst fraudsters as the number and types of application vulnerabilities (including those in the middleware used by applications) become more visible. While infrastructure vulnerabilities have been exploited successfully for years, attacks that exploit applications will increase significantly in 2019.
- Compliance is on the rise: While some would argue that it’s outside of the “cybersecurity bucket,” it seems that every country (and most U.S. states) now has its own data protection and/or privacy compliance requirements – and each one demands different security controls, as well as different reporting requirements. It is critical that companies get in front of these detailed requirements to prevent hefty fines and penalties. The best way (and perhaps the only way) to do this effectively is to establish a robust and highly competent compliance organization that’s tasked with cutting through the fog of compliance requirements. Next year, we expect to see a massive increase in the formation and operation of compliance organizations (and experts) at companies that have previously seen compliance as just an additional duty or someone’s part-time job.
- CISOs and cybersecurity teams will begin reporting to someone other than the CIO: Cybersecurity is all about risk. Security organizations reporting up through the IT department are going to be a thing of the past. It’s an unfortunate fact, but security organizations are often at odds with IT departments, and having them in separate reporting organizations effectively creates the “separation of duties” that is now so important. Beginning in 2019, and continuing for several more years, progressive companies will begin migrating their information security organizations into the Risk, Finance, or Legal organizations. Some will even have them reporting directly to the CEO. This is a serious change in the way of doing business, and such changes take time to gain support and traction. However, given the increased importance of cybersecurity, many companies will realize the benefits of moving security out from under IT and placing it strategically within the organization.
- Boards will dramatically increase their attention toward cybersecurity: Over the last several years, company board members have become increasingly aware of the “personal liabilities” of serving on corporate boards. U.S. law authorizes shareholders to sue corporate directors for wrongful acts that harm the corporation or the value of its shares. As cybersecurity becomes a much more significant aspect of successful companies, board members want to (and have to) ensure due diligence for proper security-related controls and processes. As such, they are becoming much more aware of “everything cyber” to ensure they fully understand their responsibilities. As that awareness increases, in parallel with the importance of cybersecurity, 2019 and beyond will see a drastic increase in board members becoming involved in decisions around their companies’ cybersecurity programs.