Now that we are nearing the end of the year, I thought I would revisit my own write-up on 2018 cybersecurity predictions and see how I can best update them for 2019. The acceleration of rapid digitization and the inter-networked world led to a huge data explosion, which, combined with the relentless growth of transformative technologies, underscores the importance of cybersecurity much more than even last year.
Therefore for 2019, my top five predictions for major cybersecurity trends remain largely the same as for 2018, but only with more emphasis and, interestingly, with more corroborating evidence.
- Huge demand for security professionals with evolving and grounded expertise
- Stringent global regulations
- Rise of crypto-mining, Banking Trojans, DDoS attacks and cyber-warfare
- Explosion of threats, vulnerabilities and IoT
- Privacy, ethics of big data, and back to basics
Huge demand for security professionals with evolving and grounded expertise
Industries require skilled cybersecurity professionals who are not only able to meet the current challenges, but also can evolve continuously with the changing technology landscape and with the associated threats and vulnerabilities. This point is emphasized by the Future of the Jobs Report 2018, published by World Economic Forum. Some of the top skills needed in the context of the current threat scenario are as follows:
- Data analysis, data governance and enterprise IT governance
- Data analytics, data science and big data management
- Cognitive computing and artificial intelligence
- Strong knowledge to address ransomware and evolving IoT connectivity issues and mobile access
- Increased use of DevOps will necessitate application security and knowledge of defensive software engineering, application security self-testing, run time application, self-protection (RASP)
- Blockchain technology and cloud security, including Cloud Access Security Brokers (CASB)
- Strong knowledge on regulatory guidelines
Stringent global regulations
The General Data Protection Regulation (GDPR) was fully enforced throughout the European Union in May. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). Given the serious implications, GDPR has become a top priority for boards of directors around the globe. The US released its first fully articulated cyber strategy in September, which gives lots of importance to tighter control and monitoring of third-party vendors, IT governance, strategic alignment to security spending, and calls for international cooperation in tracking and nabbing cyber criminals operating across the globe.
Rise of crypto-mining, Banking Trojans, DDoS attacks and cyber-warfare
Bitcoins are generated through crypto-mining, which is a computationally-intensive task that utilizes lots of energy and processing power for verifying transactions, for which the miners are rewarded by adding coins to their digital wallet. When this process is executed illegally, by using computers belonging to other users without their intent and knowledge, this is known as crypto-jacking, and the hackers get bitcoins directly added to their wallet. This malware directly prints money for criminals, which is much better than ransomware, which is now reportedly on the decline due to best practices being followed and users’ refusal to pay ransom.
Now there is a surge in Banking Trojans, which allows access to financial accounts primarily through stealing login credentials by tricking victims to open a malicious mail attachment or making them visit a compromised website. Such type of malware is behind ATMs and SWIFT fraud worldwide.
DDoS continues to pose a serious threat to organizations worldwide, as the capacities employed by cyber-criminals keep growing year after year with no decline in number of attacks. The threat of DDoS will get accentuated with the increased usage of Internet of Things (IoT)-connected devices in the enterprise, which, when left unsecured, can become pathways as well as slave nodes, and add to the DDoS traffic stream.
As a consequence, cyber-crimes will flourish, which could be used by powerful nations to initiate and develop highly refined attacks against targets of national value belonging to other countries. This has been well articulated, with remedial measures pronounced in the US Cyber Strategy released in September.
Explosion of threats, vulnerabilities and IoT
Due to exponential growth of innovative technologies, lots of new vulnerabilities will be introduced. However, the highest risks will still come from well-known and well-understood vulnerabilities. SANS estimates that over 80 percent of cybersecurity incidents exploit known vulnerabilities, and the annual Verizon Data Breach Investigations Report shows similar numbers. Gartner comes in much higher, estimating that “through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”
As if this is not sufficient, in the space of IoT, Cisco estimates that 40 billion devices will be connected to the internet by 2020 as cars, fridges, medical devices and gadgets not yet imagined or invented will link in, which will lead to the tremendous growth of threats and vulnerabilities.
Privacy, ethics of big data, and back to basics
With the acceleration of big data, organizations now come across new types and formats of data, many of which are not structured like that of traditional data. Different types of sensors generate data in various formats and in huge volume. Hopefully, GDPR will serve as a guide post for exercising compliance while leveraging big data.
Most of the time, cybersecurity issues are due to internal processes and people. In 2019, organizations the world over will be spending more on security awareness and training their employees so that preventive measures are exercised and incidents are properly addressed when required. Patching of servers and updating software versions will remain important as basic security hygiene.
Author’s note: The views expressed in this article are the author’s and do not represent those of his organization or of the professional bodies to which he is associated.