The interplay between companies, governments and cybercriminals in information security is deepening in 2018. In this analysis, Falcongaze analysts set out the main trends and identify four main concerns for companies in 2018:
1. What tasks will arise after the implementation of new regulations?
2. What are the new targets and methods of cyberattacks?
3. What will increase the threat?
4. What changes in security strategy are coming in 2018?
On May 25th, the European Union's General Data Protection Regulation (GDPR) comes into force. It sets requirements for companies that protect the data of EU citizens. The GDPR applies to any organization that collects or processes personal data of EU residents, regardless of whether the organization is located in the European Union or not. The new regulation adds another layer of complexity to the management of critical information assets, something many organizations are already struggling with. They will have to solve a set of technological and financial tasks: a lack of awareness among internal stakeholders; the need to increase compliance and data management spending while pulling attention and investment away from other important initiatives; and a lack of qualified specialists.
The next important point here is the regulators. Organizations that don't take GDPR seriously and experience an event that triggers an investigation by regulators are at real risk of a heavy fine: four percent of annual turnover or 20 million euros.
Some experts believe that regulators will not proactively audit for GDPR compliance, so companies are exposed to fines only if there is a breach or EU citizens file complaints. Even if a company experiences a breach or complaint, regulators will likely treat it leniently if the company can document good-faith efforts to comply.
However, the management of companies that rely on this opinion should pay attention to another trend: customers will demand compliance alongside regulators. Large corporate customers already check more and more often how their suppliers protect their data. An interesting initiative is also emerging.
The NOYB non-profit will be established in Vienna and will comprise technologists and lawyers who will find privacy violations and enforce the fundamental right to privacy in the private sector through strategic enforcement, either in court or through data protection authorities (DPAs).
Despite how topical network security threats are, the lesser-known Directive on Security of Network and Information Systems (NIS Directive) barely registers as a term of interest. We already know that the level of preparedness for GDPR is lower than it should be, despite prominent coverage.
The NIS Directive must be transposed into national legislation by May 2018. It imposes the same stringent sanctions for non-compliance as GDPR. The NIS Directive aims to create a common level of cybersecurity across the EU by establishing national Computer Security Incident Response Teams (CSIRTs). It also aims to improve the security culture of operators of essential services (the energy, telecommunications, health and transport sectors) and of digital service providers.
It is therefore clear that the NIS Directive is, worryingly, going to catch many firms by surprise.
1. More attacks through hacked Internet of Things (IoT) devices. Millions of connected devices have little or no defense against hackers who want to gain control over them, and taking over scores of IoT devices is getting even easier: all a hacker needs to do is buy a botnet kit. Andromeda, Gamarue and Wauchos are estimated to compromise more than a million devices a month.
The problem is that we do not know exactly what the hackers who control these botnets intend to do. They can launch distributed denial-of-service (DDoS) attacks, send huge volumes of spam, or invent new and unexpected forms of malicious behavior.
IoT device makers are slowly making progress on securing their devices; competition in the IoT market is intense, but real protection is expensive. However, that won't help the scores of devices already deployed that are difficult or impossible to patch. As a result, a huge number of devices around the world remain exposed to infection.
2. Wormable malware. Some of the biggest cyber incidents of 2017 involved self-replicating malware that spread between networks; WannaCry and NotPetya are the prime examples. We can expect such malware to continue to appear in 2018.
3. Wireless connections. One of the most troubling pieces of news in 2017 was the discovery of a fundamental flaw in the WPA2 Wi-Fi security protocol, which is unlikely to be fixed on most Wi-Fi enabled devices. There is a high probability of attacks exploiting it in 2018.
4. Meltdown and Spectre vulnerabilities. The vulnerabilities found in processors are among the most critical of recent years. Given how widespread the affected processors are, a huge number of users are exposed to the threat, and attackers are only beginning to work out how to exploit them.
5. Healthcare. The most notable victim of the WannaCry outbreak in early 2017 was the National Health Service (NHS) of Great Britain. The growth of telemedicine and the volume of stored personal data will continue to attract intruders, and the introduction of IoT in the form of network-connected medical devices increases the risk of further attacks.
1. The number of state-sponsored attacks will increase. More and more cyberattacks involving states are taking place. Most governments do not admit this, but there are good reasons to believe that many states have special units carrying out such activities, and that they hire professional hackers too. They will continue their attempts to extort, steal, spy and destroy by penetrating information systems, which can lead to large-scale failures or the loss of personal data.
2. Crime-as-a-service expands its tools and services. Criminal organizations will continue to develop and become more sophisticated. Complex hierarchies, partnerships and cooperation will ease their entry into new markets and the commercialization of their activities at a global level. As a result, cyberattacks will become more sustained and more destructive than before.
1. Software designed with security features from the start will begin to improve the safety of automated control systems (ACS). ACS are used to manage technological processes in industry, energy, transport and other areas critical to human life. Security flaws there lead to incidents like the 2015 cyberattack on the Ukrainian energy system. A little later there was a second, lesser-known attack using fully automated malware that could cause more extensive damage in less time. Such events have heightened awareness of these security problems, and more and more ACS developers now build software that accounts for malicious interference from the outset. There is still much to be done, but legislators around the world are increasingly tightening the rules and penalizing weak points in security systems.
2. Focus on real effectiveness. Company management often expects immediate benefits from information security (IS), but security is a process. A completely secure organization is a goal, and reaching it takes time.
Thus the expectations of top managers exceed the real capabilities of the system, and the discrepancy will reveal itself when a big incident occurs. Not only will the organization face a significant problem; the consequences will also affect the personal and collective reputation of all stakeholders.
In 2018 more and more organizations will realize that attacks cannot be avoided: the question is not if but when. So companies will pay more attention to results rather than being reassured merely by checking that all the tools they think are necessary are in place. Security technology will have to prove how it supports business initiatives.
3. Security automation. According to Frost & Sullivan, the shortage of qualified security professionals could reach 1.5 million by 2020. This drives investment in alternative ways of ensuring security. We expect innovative products based on artificial intelligence that monitor and test the information security system.
In summary, it is important to stress the need to stop treating information security as an optional service. The information environment is growing more sophisticated, and what could previously be ignored can no longer be avoided. This is why new legal acts and regulators are coming into force. Only those companies that have realized this will remain on the market.