From data breaches to elections, regulation to IoT, Joseph Carson, Chief Security Scientist, Thycotic, shares his thoughts on the top cyber security trends of 2019.
2018 was yet another year where the news agenda was dominated by cyber security in many areas of our lives. The endless march of customer data breaches continued apace, with high profile incidents including carriers British Airways and Cathay Pacific, broker Exactis, and brands such as Under Armour. Between the various major breaches, the data of hundreds of millions of people was stolen throughout the year.
Cyber was also extremely influential in the global political agenda once again, particularly regarding the US elections. Accusations of electoral interference continued and took a new twist with revelations about Facebook data being used by Cambridge Analytica to target voters. Major concerns were also raised about the prospect of the US midterm elections being hacked, and the vulnerabilities of the voting machines and related systems was a major theme at this year’s Black Hat.
The year ahead looks set to be equally dominated by cyber security issues, from continued nation state activity to evolving hacker tactics exploiting the latest technology. Here are my biggest predictions for 2019.
The idea of machines turning on humans has existed for as long as the idea of robots and artificial intelligence have. While we’re (hopefully) still some way off from Skynet or Hal 9000, machines are posing an increasing threat to our lives.
The rapidly growing number of Internet of Things (IoT) devices in the world make it increasingly likely for cyber criminals to directly impact human lives. The possibilities are endless, from connected cars being hijacked and medical devices overdosing patients, to smart home heating and cooking devices overheating and starting fires. With the current state of IoT security extremely lacking, billions of devices are vulnerable to exploitation.
Alongside physical devices, we are also seeing AI play an increasing role on both sides of the cyber fence. Security teams are using powerful AI-driven solutions to protect against attacks, but criminals are also using the same technology to automate and advance their techniques.
Governments around the world have been developing cyber weapons and using them clandestinely against other countries for many years. With the recent high profile of nation state attacks however, I believe we will begin to see more overt use of cyber capabilities.
The threat of Mutually Assured Destruction from nuclear arms is no longer proving to be an effective deterrent to armed conflict. In 2019 we will likely see governments revealing their cyber weapon capabilities to create a new deterrent, showing adversaries that they will retaliate if they continue to use their own cyber techniques to covertly cause social and political harm.
2018 saw several prominent fines being issued to companies for security failings, with organisations including Facebook and Equifax being fined £500,000 – the maximum penalty allowed under the old UK Data Protection Law. Meanwhile in the US, Uber was fined $148m for a serious breach and its subsequent attempts to cover up the incident.
All of the companies fined in 2018 had lucky escapes, as the incidents took place before the advent of the EU GDPR in May. Any breaches which occurred after the new regulation came into law are subject to much higher fines, potentially as much as four percent of global turnover or £20m, whichever is higher.
This means 2019 is likely to see several cases of multimillion-pound fines against large organisations who have been found to have serious security failings. Facebook, Google and British Airways are among the companies under the microscope as we wait to see who will be receiving record fines in the near year.
Alongside the GDPR, other countries around the world are also seeking to ramp up their data protection laws to cope with a modern world where data has become one of the most valuable assets. For example, the California Consumer Privacy Act was passed into law earlier in 2018 and will come into force in 2020. I anticipate multiple governments moving forwards with their own stricter laws to approximate the power of the GDPR, to punish companies that fail to protect the consumer data they are profiting from.
Likewise, we will also see continued efforts to bring some order to rapidly advancing technology fields such as IoT, which are currently suffering from a lack of security standards.
Email and compromised privileged accounts will remain the biggest threats
Although we will continue to see the emergence of powerful new cyber weapons and advanced attack techniques, 2019 will also see cyber criminals rely on the tried and tested methods of email attacks and compromised privileges.
Social engineering campaigns conducted via email are still the primary method for delivering malware or tricking victims into sharing credentials or data, and criminals continue to circumvent security measures and cause serious harm by illicitly logging in to privileged accounts.
Companies that hope to avoid becoming one of 2019’s major data breach stories need to ensure they have done all they can to reduce the risk of these widely used attack methods. The ability to control email hyperlinks and attachments, as well as implementing strategies such as least privilege and session monitoring will drastically reduce the threat.
As fast as the cyber threat landscape is evolving, criminals will continue to rely on these techniques as long as companies remain vulnerable to them.