A Look Back at Our 2019 Cyber Predictions: How Did We Do?

December 2019

With only a couple of weeks to go until we release our 2020 cybersecurity predictions, we take a look back over last year’s predictions to see just how accurate we were.

1. Cybersecurity will expand into cyber resiliency, and more focus on business continuity planning will emerge

Organisations fail to understand the impact until they have a breach, and as such remain complacent about the cost of lost trading. That said, there are plenty of public examples where the risk, cost and embarrassment have completely changed the landscape, and cyber risk/business interruption will be deemed a priority.

Danish logistics company Maersk is one example of this. Back in June 2017, Maersk fell victim to the NotPetya malware, causing outages at its computer systems across the globe; the attack has since been dubbed the ‘most devastating cyberattack in history’. NotPetya cost Maersk between $250 million and $300 million.

2. Insurance underwriters will require cyber assurance reports

When we made this prediction, little did we think of the possibility of outright non-payment by insurance companies. We had predicted that honoured claims would change the underwriting process to ascertain best-practice cyber agility by organisations, much in the same way that insurance companies have actuarial calculations showing which professions are worse risks for motor cover.

Bigger Risk = Bigger Premium?

This turned out to be wrong in the cyber insurance world – no-one currently calculates the individual policy risk, as it appears there are too many opt-outs for insurance companies.

As noted in a previous blog, the challenge we’ve seen for organisations purchasing cyber insurance is that all such policies require the insured to exercise “due care” in their application of day-to-day security procedures. In the event of a breach, the failure to achieve due care in the opinion of the insurance company may result in the denial of the claim. The issue is that there is no official, recorded, formal definition of what is considered an acceptable level of ‘due care’ nor how this should be demonstrated. Due care is an intentionally grey area that can encompass many aspects of security and cyber preparedness.

3. A two-factor authentication solution will get beaten; multi-factor authentication will be needed

Security experts have demonstrated an automated phishing attack that can cut through that added layer of security—also called 2FA—potentially tricking unsuspecting users into sharing their private credentials. The attack was first demonstrated at the Hack in the Box Security Conference. The hack employs two tools, called Muraena and NecroBrowser, which work in tandem to automate the attacks. The two tools work together like the perfect crime duo. Think of Muraena as the clever bank robber, and NecroBrowser as the getaway driver.

LastPass Identity moves beyond 2FA by introducing a passwordless login experience for business users. Via biometric authentication, employees are able to log into their applications, workstation or VPN with just their fingerprint or face – users will never have to type a password.

4. Employee cybersecurity behaviour will become an employment contract debate

While this is getting ‘trapped’ in the legal process, the general debate and understanding of what is required are relatively solid. Essentially, wording will become commonplace that makes employees realise they cannot carelessly use passwords, systems or data in a manner it would be fair to deem reckless, and unlike the behaviour they show when dealing with their own data or online accounts.

5. Senior employees will need to follow a social media code of conduct

This was correct, but it is not trickling down below enterprise-size companies. Threat intelligence is now actively used to show senior employees their digital profile and how easy it is to find personal data. At an executive level, businesses are now seeing the importance of controlling their social media platforms, such as LinkedIn, Twitter and Facebook.

For instance, did you know that Facebook uses your mobile number for more than just security purposes? And that the platform is awash with fake landing pages owned by malicious actors?

6. 2019 will be the year that enterprises start to consider deleting data

It is thanks to GDPR, which came into force in May 2018, that companies are beginning to realise that old data carries risk and comes at a cost. The risks of not complying with this law include fines of up to four per cent of your organisation’s global turnover. Research reveals that 80% of GDPR issues simply disappear when data is deleted.

Data archiving benefits include:

  1. Reduced costs of primary data storage;
  2. Faster backups and recoveries;
  3. Improved performance.

7. Cyber becomes part of risk and not IT

This was undoubtedly correct. At enterprise level, job titles containing the word ‘risk’ are now actively involved in understanding the significance of defence, processes, breach and recovery.

It’s true that cyber security is not an IT problem but a risk to be managed – however, organisations cannot manage the problem if they don’t understand its context. It is this lack of context that puts a strain on teams to make prioritised, strategic decisions on how to secure their IT environment and safeguard their crown jewels.

Listen to Simon Crumplin, Founder of Secrutiny, as he expresses these concerns and priorities at Europe’s premier legal tech event, ILTACON Europe 2019.

8. Financial auditors will introduce control checks to prove ‘breach’ process capability at enterprise level

We were only partially right here, on the grounds that this is currently being determined more by a paper process.

9. A secure and viable alternative to email will be launched

Correct, but slow. The digital workspace area is emerging as companies try to bring all data and systems inside a ‘working window’ and collaborate from within that environment. Ultimately this will provide much greater control over the sharing of data, with an auditable history.

It’s difficult to make predictions, especially when it comes to cybersecurity, but it’s December, and we are at it again. Check back in next month as we pin down our cybersecurity predictions for 2020.