Big breaches, passwords live on, rise of social engineering and more: 2018 mid-year cybersecurity update


As we reach the halfway point of this year a few things have become clear. The roll-call of big-name data breaches over the past six months might not top last year’s list, but the persistent menace of malicious third parties continues to confound businesses all over the world. Cyber-criminals and nation state operatives are as well drilled and determined as ever, tactics continue to evolve and organisations and customers remain caught in the middle. Amid this ever-evolving landscape GDPR is both a challenge and an opportunity, potentially heralding major fines but also offering an advantage for those prepared to follow best practices. So should decision makers be fearful of what’s to come? And what can we expect for the rest of 2018? 

Breaches galore

It will be tough to top 2017. After all, that was the year in which we saw mega-breaches revealed at Uber (57 million), Equifax (145.5m) and Yahoo (3 billion). Each represents a cautionary tale for IT teams and business leaders, and already 2018 is proving no different. So far this year we’ve seen major breach announcements from the likes of nutrition app MyFitnessPal, which impacted 150m customers, and the parent company of Saks Fifth Avenue (5m), and most recently Ticketmaster suffered a leak of 400k customer records.

One security firm claims that during the first quarter of 2018 alone there were over 680 data breaches globally, resulting in the exposure of almost 1.5bn records. These include 20 incidents in the UK, among them Dixons Carphone, which recently announced the compromise of 5.9m customer payment cards and 1.2m personal data records. If anything, the EU’s new privacy regime, which came into force at the end of May, will compel even more firms in the second half of 2018 to come clean about such incidents. The combination of mandatory 72-hour breach notifications and massive theoretical fines of up to £17m, or 4% of global annual turnover, will start to focus the minds of boards all over the world. If attempts are made at a cover-up, penalties are guaranteed to be even bigger, leaving organisations with nowhere to hide.

With all of this in mind, don’t expect to see large-scale breaches disappear from our headlines anytime soon. 

Social engineering remains an increasing threat

Phishing is one of the biggest threats facing any organisation operating today, representing 93% of all breaches analysed by Verizon in its 2018 Data Breach Investigations Report. Organisations are regularly reminding users to beware of spear-phishing attacks. However, knowing how to recognise them is becoming increasingly difficult as these attacks become ever more intelligent – fooling even the most seasoned security professionals. Criminals have achieved high success rates; that success is breeding even cleverer and more elaborate attacks. 

Worryingly, it’s likely we’ll see a continuation of these attacks as phishing campaigns become trickier to detect. Although organisations are beginning to realise the importance of user education and training, emerging AI tools offer the black hats an opportunity to craft even more convincing fake emails to trick employees.

Businesses continue to underestimate danger of passwords 

We’ve heard it all before. Passwords remain at the very heart of the problem for organisations looking to mitigate the risk of data breaches, and they get little respect from today’s cybercriminals. The Equifax breach last year was a wake-up call for many businesses, yet many are still relying on password-only authentication even in 2018. Passwords both provide a front-door key for hackers to break into corporate databases full of sensitive customer information and IP, and expose customers to the risk of identity theft if their own account passwords are subsequently stolen. The two issues are linked because consumers are also employees, and many reuse passwords and even corporate email addresses across multiple sites and accounts. This means that if their details are stolen from one site, they could be reused by hackers to try to break into a corporate network.

For example, in January, researchers discovered 1.2 million corporate email addresses on the dark web. They belonged to staff at 500 of the UK’s top law firms and had been previously breached via cyber-attacks on firms like LinkedIn. In February, another company discovered 2.7 million previously stolen online account log-ins from Fortune 500 employees on the dark web, 10% of which had used their work email to set up the breached accounts.

Passwords are often all that stand between online attackers and the corporate network. If they’ve not already been made available via breaches, they could be guessed, brute-forced via automated tools or phished. As we move into the second half of the year, it’s likely we’ll continue to see organisations underestimate the potentially devastating impact of compromised passwords on their business operations, reputation and revenues, as well as the loss of customers’ trust if a breach happens.

We’re not just talking about data breaches here, either. The latest attack method to leverage passwords is crypto-jacking: where corporate resources are hijacked by botnet herders to mine crypto-currency. It happened recently to Tesla, after a Kubernetes console was left unprotected. The risk here is not of data theft, but of IT downtime, hardware burn-out, productivity losses and rising energy bills.

A way forward 

Passwords have been sitting on Death Row for over a decade, since Bill Gates predicted their demise back in 2004, and yet organisations persist with an authentication method proven time and again to be a massive security risk.

More secure and advanced alternatives are readily available, and if organisations start to implement them, much of their cyber-risk could be better managed as we head into the second half of 2018. Alternative log-in technologies like multi-factor authentication (MFA) have a track record of bolstering security systems, as they ensure that there are no passwords for hackers to steal. Instead, they require something you have, like a smart card or smartphone, and something you know, like a PIN or passcode. They can also be enhanced with something you are, like a fingerprint or other biometric. It’s hard to beat a determined attacker, but by deploying MFA like this everywhere, you stand a great chance of reducing risk to manageable levels.

Businesses of all sizes will continue to face a number of cybersecurity challenges as we move into the second half of 2018. Unsurprisingly, it has already proven to be another pivotal year when it comes to security. Breaches remain big, cybercriminals are increasingly smart and organisations are still struggling to plug the security skills gap. Not to mention, GDPR is in full force. In particular, business leaders’ optimism bias around passwords has led them to a precarious position as we look ahead to the second half of the year. Those prepared to invest in ‘digital trust’ are clearly better prepared and can be sure of holding on to their profits, their brand reputation and their jobs.

Klaas van der Leest, CEO of Intercede   
