Right up to the end of 2018, massive cyber-attacks made immense waves. In the year ahead, organisations must prepare for the unknown so they have the flexibility to endure unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since innovative attacks will most certainly impact both business reputation and shareholder value.
Based on comprehensive assessments of the threat landscape, the Information Security Forum recommends that businesses focus on the following cyber security topics in 2019:
- The Increased Sophistication of Cybercrime and Ransomware
- The Impact of Legislation
- Smart Devices Challenge Data Integrity
- The Myth of Supply Chain Assurance
We’ve provided an overview for each of these areas below:
The increased sophistication of cybercrime and ransomware
Criminal organisations will continue their ongoing development and become increasingly more sophisticated. Some organisations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organisations will also struggle to keep pace with this increased sophistication and the impact will extend worldwide, with malware in general and ransomware in particular becoming the leading means of attack. While overall damages arising from ransomware attacks are difficult to calculate, some estimates suggest that there was a global loss in excess of $5 billion in 2017. On the whole, the volume of new mobile malware families grew significantly throughout 2017, in particular mobile ransomware. This should be expected to continue in 2019. Email-based attacks such as spam and phishing (including targeted spear phishing) are most commonly used to obtain an initial foothold on a victim’s device. Cyber criminals behind ransomware will shift their attention to smart and personal devices as a means of spreading targeted malware attacks.
The impact of legislation
National and regional legislators and regulators that are already trying to keep pace with existing developments will fall even further behind the needs of a world eagerly grasping revolutionary technologies. At present, organisations have insufficient knowledge and resources to keep abreast of current and pending legislation. Additionally, legislation by its nature is government and regulator driven, resulting in a move towards national regulation at a time when cross border collaboration is needed. Organisations will struggle to keep abreast of such developments which may also impact business models which many have taken for granted. This will be of particular challenge to cloud implementations where understanding the location of cloud data has been an oversight.
Smart devices challenge data integrity
Organisations will adopt smart devices with enthusiasm, not realising that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organisations to use personal data in ways customers did not intend. It will be problematic for organisations to know what information is leaving their networks or what is being secretly captured and transmitted by devices such as smartphones, smart TVs or conference phones. When breaches occur, or transparency violations are revealed, organisations will be held liable by regulators and customers for inadequate data protection.
The myth of supply chain assurance
Supply chains are a vital component of every organisation’s global business operations and the backbone of today’s global economy. However, a range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. In 2019, organisations will discover that assuring the security of their supply chain is a lost cause. Instead, it is time to refocus on managing their key data and understanding where and how it has been shared across multiple channels and boundaries, irrespective of supply chain provider. This will cause many organisations to refocus on the traditional confidentiality and integrity components of the information security mix, placing an additional burden on already overstretched security departments. Businesses that continue to focus on assuring supply chain security with traditional approaches, such as self certified audit and assurance, may preserve the illusion of security in the short term but will discover to their peril that the security foundations they believed to be in place were lacking.
Don’t forget to involve key stakeholders and the board of directors
The role of the C-Suite has undergone noteworthy transformation over the past decade. Public scrutiny of business leaders is at an all-time high, in large part due to massive hacks and global data breaches. It’s become progressively clear in the last few years that in the event of a breach, the hacked organisation will be blamed and held accountable.
Given the swift pace of business and technology, and the countless elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.
Occurrences will happen as it is impossible to evade every breach. But you can pledge to building a mature, realistic, broad-based, collaborative approach to cyber security and resilience. Maturing your organisation’s ability to detect intrusions quickly and respond expeditiously will be of the highest importance in 2019 and beyond.
Steve Durbin, Managing Director, Information Security Forum
Image source: Shutterstock/deepadesigns