WATCH: 10 cybersecurity trends to expect in 2018

HBO, Verizon, Equifax, Sonic and Uber were just a few of the countless blue chip names – and by extension their customers – to fall prey to massive cybersecurity breaches in 2017.

A number of high-profile figures also had their financial dealings exposed by the ‘Paradise Papers’ breach.

Governments and critical national infrastructure was also targeted. US Air Force’s security clearances, confidential CIA documents and the records of Californian voters were all leaked. A ransomware attack targeted Ukrainian utilities like power companies, airports, public transit, and the central bank.

No organisation it seems is inoculated against the threat. Even cybersecurity doyen John McaFee was not safe; his Twitter account was hacked.

If methods deployed by traditional criminals in physical-world crimes like extortion, heists, armed robberies or drug distribution evolved only slowly, the cyber threat mutates by the day as cybercriminals develop new forms of attack to blindside its targets.

In 2017 alone we saw the emergence of new ransomware variants like Wannacry, NotPetya, Locky, GoldenEye, and Jigsaw, which spread round the world at dizzying speed.

It’s uncontroversial to say, then, that 2018 will inevitably be an eventful one for cybersecurity, with inummerable new jargon to absorb.

David Ferbrache, CTO in KPMG’s cybersecurity practice, has set out 10 trends we can expect to see in 2018. Five of them are outlined in the video below – read on below that to find out the full 10.

1. Expect zero regulatory tolerance when GDPR comes into force

The General Data Protection Regulation (GDPR) comes into force across the EU – including the UK – from 25 May. It reshapes data protection law and stiffens penalties for breaches.

David Ferbrache: “Most firms have taken time to understand what GDPR may mean for them, and in many cases have reviewed (or even partially disposed of) their holdings of personal data. It is far harder to predict quite how sanctions under GDPR will be applied by the various regulators.

“We can expect a few high profile examples to be made early on, but perhaps not the tsunami some expect. Nevertheless, privacy rights are on the agenda, and we can expect zero regulatory tolerance for the long delays in notification of major breaches seen recently.”

 2. Criminals will continue to innovate to find the soft underbelly

It’s a never-ending game of cat and mouse as criminals find myriad new ways of circumventing existing protections. In response, cybersecurity professionals, business and government scramble to upgrade their response to defend against the new threats.

“Organised crime groups are on the hunt for new ways to monetise stolen information and access to systems”

David Ferbrache: “Organised crime groups are on the hunt for new ways to monetise stolen information and access to systems, and in a post-Bank of Bangladesh world they will be increasingly creative in how they do this.”

(Some $81 million was lost from accounts at Bangladesh Bank in just hours following a hack.)

“We can expect more attempts to initiate fraudulent payment transactions (often with a social engineering elements), as well as ongoing interest in our core financial infrastructure including payment and trading platform gateways.

“Growing demands are being placed on fraud control and anti-money laundering systems to catch these transactions, while customers demand instantaneous financial transfers. If these controls fail, expect to see a $100 million pay-out from a cyber-attack”.

3. Governments to prioritise collaboration and intelligence sharing

In a globalised, interconnected world, it’s no longer viable to develop cybersecurity programmes in silos. Cybercriminals are unconstrained by borders between nation-states. As with climate change, the response must be truly global to have a meaningful effect.

David Ferbrache: “As criminals industrialise cyber-attacks using crime as a service model to rent attack tools and ransomware, governments are increasingly looking for ways to disrupt the infrastructure used by criminals.

“Closer links with telcos and service providers are being built along with the operational processes needs to block sites hosting malware, detect and counter phishing attacks. Trusted DNS services and Domain-based Message Authentication, Reporting and Conformance (DMARC) will be rolled out at scale across the community by both the National Cyber Security Centre and by organisations such as the Global Cyber Alliance. These community measures linked to improved intelligence sharing will start to make a difference.”

 4. The birth of a new cybersecurity model

 The rise of the cloud is prompting a shift in the role of organisations in what and how they protect.

David Ferbrache: “As firms invest more in cloud computing, a new model for cybersecurity is emerging. Increasingly, firms can look to cloud providers to embed good IT security, but firms still own the problem of setting their requirements and determining just who can access what.

“The shift towards DevOps and agile development demands new ways of embedding security into the development lifecycle and an agile test regime”

“The shift towards DevOps and agile development, built on these more flexible infrastructures, also demands new ways of embedding security into the development lifecycle and an equally agile test regime. Security can no longer engage at the end of development cycles, and if it does, it risks being seen as a blocker rather than an enabler.”

5. Expect to see more automation of controls and compliance

The sheer scale and complexity of the threat means that monitoring by human personnel cannot possibly stem the tide.

David Ferbrache: “Firms are coming under pressure to contain their burgeoning cybersecurity budgets. Manpower intensive compliance processes are beginning to give way to continuous testing and controls monitoring, helping firms build a more accurate picture of their IT estate – helping the CIO as well as the CISO.

“The growing demand for supply chain security and third party assurance will also lead to a burgeoning industry of testing firms offering risk scoring and testing services for those third parties.”

6. Open APIs will create new vulnerabilities, which must be plugged with customer-centric solutions

David Ferbrache: “Digital channels are becoming more and more sophisticated demanding new consumer identity and access management approaches, dynamic transaction risk scoring and fraud controls, and an emphasis on usable non-intrusive security measures which don’t impact the consumer’s experience.

“Open Banking and the arrival of Payment Services Directive 2 will drive richer interactions between a new ecosystem of payment service providers and the banks who handle our money. A new world of open API is on the horizon, but concerns over criminal exploitation of these rich interfaces abound.”

7. Endemic poor security in the internet of things will not be solved in 2018

The internet of things comprises a wide array of devices in whose development security was little more than an afterthought. With more than eight billion connected ‘things’ already in operation and that number set to rise to more than 20 billion by 2020, this is going to be a tricky problem to tackle. Don’t expect the international community to get a strong handle on it this year, warns Ferbrache.

David Ferbrache: “Criminal groups continue to exploit insecure ‘internet of things’ devices as sources of attack traffic for denial of service attacks, leading to more and more extortion attacks but also an increasingly sophisticated response from the international community involving telcos, content delivery networks and Distributed Denial of Service (DDoS) mitigation firms.

“Unfortunately, this response won’t be consistent globally, and many nations may find themselves vulnerable to these attacks, which will cause major disruption in 2018.”

8. State-directed cyber threats continue to evolve and intensify

Amid the ongoing FBI investigation into allegations over Russian interference in the US Presidential Election, 2018 promises to be another eventful year in terms of state-directed espionage and disruptive attacks.

“Expect more evidence of industrial control system attack tools being tested”

David Ferbrache: “As countries invest to develop their cyber espionage and offensive capabilities, we will see more signs of their activities. Disclosures of high end techniques used by nations will continue, fuelling the opportunistic repurposing of these vulnerabilities by less sophisticated states and organised crime groups. Expect more evidence of industrial control system attack tools being tested as states explore the potential of this new form of warfare.”

9. Challenges ahead for regulatory alignment

Geopolitics as ever will make it fiendishly difficult to achieve cross-border regulatory consistency.

David Ferbrache: “States continue to intervene to protect their national security interests in cyberspace, risking an increasingly complex framework of international regulation and controls around the supply chain for critical infrastructure firms. While there will be some moves to align regulation across the global financial sector around the G7 fundamental elements of cyber security, this will take time and effort to achieve.”

10. Resilience will be prioritised

There’s a widespread acceptance that however well the world hones its defences againstthe cyber threat, it cannot hope to stamp out the menace altogether. Breaches are a fact of life and organisations can only strive to keep the risk of falling prey to a minimum.

With this in mind, reducing the impact of successful attacks is as big a priority as preventing them from happening in the first place.

David Ferbrache: “Regulators are focusing on resilience – the ability of an organisation to anticipate, absorb and adapt to disruptive events – whether cyber-attack, technology failure, physical events or collapse of a key supplier.

“Exercises and playbooks are in fashion as firms try to build the muscle memory they need to respond to a cyber-attack quickly and confidently, while cyber insurance is finding its place not just as a means of cost reimbursement but as a channel for access to specialist support in a crisis.”

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Listen to the podcast today