Nationally critical infrastructure often tends to be out of date and frequently under-funded or otherwise plagued by systemic problems (old hardware, lack of talent, long-lasting design faults – see the American nuclear agency that had to FedEx around a wrench for 450 nuclear missiles).
Data breaches
Barely a week goes by without a high-profile victim of a data breach and we don't expect that trend to change in 2018.
Some of 2017's biggest culprits included Uber – which admitted to covering up an enormous breach – and the record-breaking Equifax data leak that exposed 143 million customers in the US. We've handily rounded up the worst of them over here on Techworld.
Balkanisation
While there are persisting attempts to unify international policy around data sovereignty, ownership, rules for cyber warfare, and open standards, there are also some signs that the threat of a ‘balkanised’ internet is edging closer to reality.
The reaction to allegations that Kaspersky Labs anti-virus software was being used for espionage has led to public bodies uninstalling the software, retailers stripping its software from shelves, and a retraction by Barclays bank that previously saw it offer the software to customers for free.
Similarly, Box CEO Aaron Levie has previously warned of a balkanised cloud – where the interests of national governments meddle with the interests of using or running public cloud.
For example, AWS recently boasted of a mega-deal with US three-letter spy agencies called AWS Secret Region, and Computerworld UK has heard from Chinese companies that prefer building their own private clouds so they can have ownership over the full stack.
While it’s not a security trend per se – more of a policy trend, really – it is something that businesses will have to grapple with, as international tensions seem to be heating up.
Organisation
Financially motivated hacking groups have become increasingly organised over the years: just as many white collar workers in the western world go to their offices, the same is true of hackers in countries with more lax laws about cyber security.
“The biggest danger facing enterprises in 2018 is organised threat actors,” commented Jay Coley, senior director of security services for Akamai – the company that claims to be the world’s biggest data aggregator after the NSA. “2017 showed us that businesses are facing criminal organisations, hackers backed by competitors and even nation states.
“We’ve long suspected this would be the case, but it’s becoming increasingly clear that the level of sophistication and tenacity shown by these attackers is far beyond the opportunistic hacking many enterprises are currently prepared to defend against.
“Because attribution is so hard and proving who the attackers are is nearly impossible for most organisations, the hacks will be more brazen as the year goes by.”
Kaspersky Lab unearthed a cyber-heist that allowed hackers to take full control of a bank for as long as six hours, a complex operation that saw the attackers hijack the domain of the bank – with preparations underway for five months.
Finance is far and away the biggest motivator for the majority of cyber security incidents, with big-name institutions like FedEx and Reckitt Benckiser having their bottom lines impacted by the NotPetya encrypting ransomware. It’s estimated that cyber crime hit the global economy for as much as $450 billion in 2016.
WannaCry and NotPetya wrought havoc to businesses everywhere, and while they will hopefully serve as wake-up calls for companies large and small, infosec is full of surprises and businesses can only do their best to mitigate.
More stolen cyber weapons
The group that calls itself the Shadow Brokers – which first emerged in 2016 – was responsible for leaking tools that belonged to the NSA.
These leaks were transformed into the WannaCry and NotPetya ransomware attacks, with the group promising more leaks to come, and were described by the New York Times as having shaken the NSA to the core.
Compliance and humans being human
Frankly one of the biggest challenges any organisation faces is staff who might be lacking in security training – white-hat pen-testers will often scope out their targets and play on human psychology to gain access to server rooms or cyber-physical systems.
Take a look at these real-life nightmare scenarios outlined by Verizon when investigating Payment Card Industry Data Security Standards – among the most stringent privacy and security standards in the world.
Examples include an unprotected connected fish tank siphoning off data to an unknown location, an (unnamed) airforce that was leaking information through one of its printers, and a dodgy server room hosted in an apartment bathroom in Mexico.
Of course, the famous General Data Protection Regulation (GDPR) is coming into force in May 2018 and this will provide organisations of all sizes with compliance challenges.
Plus, companies will have to report any data breaches quickly or risk hefty fines – a tricky hurdle to leap considering many businesses have been unaware that a breach had occurred, or the severity of a breach, until stumbling upon them by chance, being informed by security researchers, and carrying out complex internal forensic investigations.
Biometric hacking
Biometric verification, like the new iPhone X Face ID feature, is likely to continue to see traction in consumer tech, but also in the enterprise.
Financial services companies have already experimented with biometric authentication for customers, including a partnership between Lloyds and Microsoft to explore fingerprint and facial recognition through Windows Hello on Windows 10.
Jesper Frederiksen, UK GM of identity management provider Okta predicted that “within enterprise environments, biometrics will not completely replace passwords in the immediate future, but they will provide a supporting security layer as part of a multi-factor authentication model."
In the financial services sector specifically he says it "has already experimented with biometrics for regulating access to certain services.
Major banks have incorporated tools such as voice and fingerprint recognition as an additional security measure to ensure that only the correct party receives access, protecting against bad actors."
Skills shortage
Security specialists are in high demand and a report from the Recruitment and Employment Confederation suggests this is going to lead to a boom in salaries.
Businesses reported that in eight out of the last nine months security roles were tricky to fill, and most companies surveyed agreed that the UK workforce will likely fall short for demand. Almost all recruiters believe cyber security wages will soar accordingly.
And a study at the start of the year suggested the skills gap could actually damage British businesses. Recruitment website Indeed’s Mariano Mamertino said: “The problem is fast approaching crisis point and British businesses will inevitably be put at risk if they can’t find the expertise they need to mitigate the threat.”
