ISACA Now Blog


Cyber Risk List Has a New No. 1 for 2018

Raef Meeuwisse, CISM, CISA, Author, “Cybersecurity for Beginners”
Posted at 3:18 PM by ISACA News | Category: Risk Management

I recently presented the predictions for the Top 10 2018 Cyber Risks at the Whitehall Media, Enterprise Security and Risk Management conference in London.

So, what had changed since the 2017 list of Top 10 Cyber Risks that I presented at ISACA’s EuroCACS event back in May?

At number 5 in the chart, digital transformation makes an appearance. When we apply technology to activities where it was not traditionally used, we get all kinds of great innovations, but it also opens up a wealth of new vulnerabilities.

At number 4, malware (including ransomware) is still riding high in the charts. This is still a significant and widely used component in many breaches and cyberattacks. Notably, since the start of 2017, there has also been a substantial increase in the use of fileless malware (malicious software that exists only in memory or as appended functions to existing files).

Although phishing and web application attacks are also up in the top five, there is a surprise new entry straight in at number one. The number one spot is occupied by the new EU General Data Protection Regulation (GDPR) that carries with it a maximum potential fine of up to 4% of global revenue for non-compliance.

So, why is this at number one?

For most enterprises, the consequences for non-compliance with this regulation have made GDPR a boardroom priority. Although cybersecurity is only one component within the regulation, it is expected that the first investigations and fines will probably be driven by the really large personal data breaches that emerge after the regulation becomes effective in May 2018.

Consider recent incidents such as the Uber data breach: if they were to happen once GDPR is active, the consequences would be much greater than in the past.

That fact can also be used by hackers. If a hacker stole personal information from a company before GDPR, they could only ransom the data for the potential brand damage or inherent data value, but after GDPR is in place, if you don’t pay the hackers, you will likely be facing a GDPR investigation by a supervisory authority – with a potentially massive fine attached.

GDPR has made personal information a lot more valuable than before, so cybersecurity departments will face challenges not only in assisting and consulting on the process changes required by GDPR, but also from increased targeting of personal information, because its ransom value will have risen substantially.

Editor’s note: The video of Meeuwisse’s full presentation is available on YouTube via this link.
