03 January 2019

9 Cyber Security Predictions for 2019

Now that the New Year is upon us, it’s that time again when we consider what to expect in the 12 months ahead. Here are nine key trends and activities that Secrutiny’s founders and executives think will have a profound influence on the cyber security industry for 2019.

1. Cyber security will expand into cyber resiliency, and more focus on business continuity planning will emerge

Cyber resilience is an evolving perspective that is rapidly gaining recognition. It refers to an organisation’s ability to continue delivering services to its customers despite adverse cyber events. The concept essentially brings the areas of information security, business continuity and resilience together.

The National Institute of Standards and Technology (NIST) has produced a framework offering techniques and practices that, when incorporated together, help organisations meet the objectives and goals of cyber resilience.

2. Insurance underwriters will require cyber assurance reports

Cyber insurance is said to be one of the few areas of growth and innovation in the insurance market these days. However, according to a survey by PWC*, attitudes towards cyber have split the market in half. Approximately half of the survey respondents already sell cyber policies; the other half do not actively pursue cyber, believing the risk to be borderline insurable.

The main challenge emerging is how to design a market-leading but pragmatic approach to managing cyber risk. The difficulty is not only that the available data is scarce, but also that any model is at risk of quickly becoming obsolete as the cyber risk landscape changes rapidly and cyber weaponry progresses. While 85% of respondents claim to have a loss estimation methodology in place, the majority use simplistic exposure- and factor-based methods, which have in the past been shown to underestimate the risk.

We believe the best solution is to base cyber insurance cover on cyber assurance reports, compiled through consistent evidential audits of the organisation's ongoing management of cyber risks. As well as giving business leaders comfort on the completeness of cyber cover versus their risk appetite, this approach will further encourage risk reduction by businesses, since more resilient organisations will see a corresponding reduction in insurance costs, and less resilient ones an increase.

*Source: PWC Cyber Risk Management Survey

3. A two-factor authentication solution will get beaten; multi-factor authentication will be needed

Passwords are problematic; they are easily guessed, bypassed and/or stolen. That is where two-factor authentication (2FA) came into play. Put simply, it uses two factors to confirm it's you. In addition to your username/password combination, you are asked to verify who you are with something that you – and only you – own, such as a mobile phone.

Today's most popular two-factor systems usually work by sending a unique code to the phone paired with your account. But there is a problem with this approach: the system can be broken by intercepting that bit of shared knowledge – the unique code – as it passes between the two parties.

To combat this, multi-factor authentication (MFA) requires that users confirm a collection of things to verify their identity – usually something they have, plus a factor unique to their physical being (think retina or fingerprint scan) or contextual factors such as location and the time of day.

Many organisations rely on 2FA because it is more practical – less costly and easier for end users. However, it stands to reason that the more authentication checks we have, the better the security will be, reducing the opportunity for attackers to get around the control. While MFA may seem excessive, it is actually pretty common, particularly among banks, and we don't think it will be long before mid-market and enterprise organisations switch to MFA.

4. Employee cyber security behaviour will become an employment contract debate

Opening curious email attachments, setting basic passwords and even leaving security doors propped open might seem like innocent actions, but in reality they provide exactly the type of opening cybercriminals need to obtain a foothold on your network and steal or sabotage commercially valuable information.

Being ignorant of, or actively breaking, recommended cyber security practices to save time or boost productivity might once have been acceptable, but given the increasing financial and reputational cost of breaches, such behaviour can no longer be overlooked.

In recent years, comprehensive employee awareness programs have been adopted by the majority of organisations. Despite this, the 2017 Willis Towers Watson Cyber Risk Survey shows that 58% of cyber claims are attributable to employee behaviour, such as negligence, accidental disclosure and lost or stolen devices.

This leads us to believe that awareness is not enough; behaviour change and personal responsibility are the way forward. Covering cyber security behaviours in employee contracts will ensure that employees understand their role in cyber security and see it as central to their accountabilities.

5. Senior employees will need to follow a social media code of conduct

Social media has turned into a reconnaissance tool for hackers and is quickly becoming a major cyber security risk for businesses. Poor social media security practices could put your brand, customers, executives and entire organisation at risk.

Most individuals neglect their privacy settings or publicly post personal notes and photos, assuming this poses no threat to them or their workplace. Cyber criminals take that information to execute a variety of widespread cyber attacks and scams, including everything from social engineering to exploit distribution, counterfeit sales, brand impersonation, account takeovers, customer fraud, phishing mail and much more. The advert below from Barclays demonstrates just how easy this can be.

In 2019 we think businesses will place a higher importance on ensuring employees understand the external risk of having information available through personal and corporate accounts, and on managing their privacy settings strategically.

6. 2019 will be the year that enterprises start to consider deleting data

The attitude of most organisations is one of information hoarding; retaining information is a comfort blanket in case it is needed in the future. It is true that there are reasons to retain information (regulatory compliance is just one); however, more often than not, data retention extends well beyond what is required. Data should be recognised as expensive and a risk to the business: the more data stored, the higher the risk and likelihood of a data breach or GDPR fine.

In fact, 80% of the GDPR issues just disappear with the delete key!

Now, many would see deleting data as a scary and extreme option and a risk in itself. This is why next-generation data archiving, as a soft delete, provides an interesting solution to the problems outlined above. Data archiving is the process of moving data that is no longer actively used to a separate storage device for long-term retention.

In 2019 we think there will be a significant uptake of solutions such as Rubrik, which allow organisations to easily manage long-term data retention across on-prem storage and the private or public cloud, while retaining instant access to archived data with real-time predictive search.

7. Cyber becomes part of risk and not IT

All the evidence suggests that cyber security has moved significantly up board agendas in recent years. However, companies still struggle to join up IT and information risks with the wider understanding and management of business risks. This is largely due to the perception that cyber is an IT problem and therefore the responsibility of IT teams to solve. Cyber risk, however, is a business issue. At their lowest level, cyber incidents can cause an organisation to lose revenue through a period of productivity loss. But the consequences of a data breach resulting in data loss can be catastrophic because of the resulting reputational damage, breach of regulatory obligations or temporary barriers to operation.

If the risk is that high, then should it not be the responsibility of the organisation's leadership team to take ultimate ownership and manage that risk? By raising cyber from an IT responsibility to a business responsibility, IT and executives can work together to embed security by design rather than rely on a security overlay; in other words, security becomes baked in rather than bolted on afterwards.

8. Financial auditors will introduce control checks to prove ‘breach’ process capability at enterprise level

Cyber risks are growing due to the changing security landscape. Data is spread across an array of suppliers, service providers and devices, and attacks from all sources are increasing. As a result, businesses need to operate on the basis of an 'assumed state of compromise'.

When hosting the security keynote panel at the ILTA’s INSIGHT 2018, Secrutiny CEO Simon Crumplin asked the audience ‘how many people believe they have all of the right data in the location in the event of Doomsday would be able to respond with confidence?’ – one individual raised their hand. So, does this mean we are prioritising protection over and above response? And detection over and above response?

While preventative controls remain important, greater attention needs to be given to resilience and rapid response.

9. A secure and viable alternative to email will be launched

Email, by default, is not a secure communication tool because it travels through the internet from one server to another.

Email was built for a different time, one in which cyber threats were few and far between, but with it still being the primary business communication tool, it is unsurprising that it has shown itself to be the weakest link in an organisation's armour.

Four out of five organisations (80%) have faced an email-based cyber attack in the past year and 73% of IT security professionals say the frequency of such attacks is increasing, a survey has found.

Although newer web-based communication and collaboration systems have emerged in recent years, email remains the gold standard for IT because it is fast, convenient, simple to use, cost-effective and auditable. We think 2019 will be the year a secure and viable alternative to email will be launched.

WannaCry is just one example of the scale of damage cybercriminals can inflict upon an organisation by using email as a means of delivery.

On Friday 12th May 2017, a global ransomware attack, aptly named WannaCry, infected over 200,000 computers in at least 100 countries. It began with an email at roughly 8:30am London time.

By midday, employees at Spain's mobile operator giant Telefónica were being shut out of their work terminals, and in the UK emergency services were being pulled and hospital facilities were being shut down. At organisations around the world, similar events were being reported.