The 2019 Cyberattack Landscape and How to Navigate It
Just as the world slowly recovered from 2017’s WannaCry ransomware attack and the Equifax data breach, 2018 began with a massive denial of service (DOS) attack on GitHub, the largest of its kind. By the second quarter, Positive Technologies estimated the number of unique cyber incidents to have skyrocketed by 47% over the previous year.
It is no surprise then that in a survey conducted by 451 Research Digital Pulse, 36% of IT generalists pointed out that the one aspect of their jobs that keeps them up at night is the threat to information security. As the digital landscape continues to permeate every aspect of our jobs and lives, digital threats also continue to multiply.
It’s clear that cyberattacks are getting increasingly sophisticated and innovative. Cyber criminals seem to unearth new ways of finding and exploiting vulnerabilities in the digital world every day. 2019 will be no different and is expected to have its fair share of cyber security challenges.
So what can businesses do to survive the cyber threat landscape of 2019? Protection begins with awareness, so here is an overview of key areas of cybersecurity vulnerability for 2019:
#1 Security, Privacy and Regulations
Analysts estimate that the information security market will grow by 8.7% over the next year to $124 billion as a growing number of companies invest heavily in their data security and compliance requirements. As legislation around privacy laws grows tougher and more complex, companies are going to have to set aside sizeable budgets for cybersecurity and make investment decisions accordingly. Global public policy is already closing in on privacy laws. Regional compliance and regulatory requirements such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 are a clear testament to the fact that data security is not something nations and international bodies take lightly.
The on-going GDPR case against the Marriott hotel group, due to the Starwood Hotels and Resort data breach, may be the first of its kind, but it sets the tone for what is to come. If found guilty, the Marriot group will have to cough up the world’s first GDPR penalty, and in all likelihood, it’s going to be sizeable. “What we learned early on is that all organizations should create a core team to help drive awareness and compliance across all areas of the organization,” says John Samuel, Senior Vice President and Global Chief Information Officer, CGS. “At a minimum, the core team should have operational, legal, HR, and IT representatives, but, until the team is self-sufficient, having outside consultants can be helpful.” Organizations should read the writing on the wall and ensure that they are within compliance – not only for their own cyber security but liability as well.
#2 Rise in Targeted Attacks and Bot Armies
By the end of 2019, we can expect to see a rise in focused and targeted ransomware attacks. The frequency of such attacks has been steadily growing, with an attack every 60 seconds in 2016, to an attack every 14 seconds in 2018. Research estimates that ransomware attacks will cross 2018’s high of $8 billion in losses to $11.5 billion by the end of 2019.
The threat of botnets will also increase in the next year. Botnets are especially nefarious since cyber attackers use them to carry out Distributed Denial of Service (DDoS) attacks that can potentially cripple and incapacitate private and public networks. Organizations will need to pre-empt threats by exploring various security options, from software-defined solutions to blockchain encryption, and choose something (or a combination) that works for them. This is even more urgent given the proliferation of autonomous digital bots and their sizeable role in executing these attacks.
#3 Cloud Insecurity and Human Error
Cloud insecurity grew in 2018 and will continue to prevail in 2019. The trend of cryptojacking or the hijacking of cloud accounts to mine for cryptocurrency is also expected to rise. Tesla’s Amazon cloud account was cryptohacked in 2018, but it wasn’t the only incident of this type. Aviva insurance and Gemalto security also had their Amazon cloud accounts hijacked by hackers to quietly process crypto mining operations.
While these incidents exposed multiple vulnerabilities on cloud services such as Microsoft Azure and Google Cloud, they were largely due to human carelessness. This trend is unlikely to change unless organizations take a proactive role in training and monitoring employees on security practices. Also, research shows that nearly 91% of cyber and ransomware attacks are initiated by spear phishing emails. To effectively protect themselves, organizations needs to create and nurture a cybersecurity mind-set among employees and partners.
#4 Moving Beyond Passwords
Password breaches and digital theft will continue to be a daily occurrence, thanks in large part to the human element involved. It may come as a surprise to some but research shows that nearly 49% of adults keep their passwords written on paper while 39% regularly reuse old passwords. Human carelessness, digital illiteracy or poor training are usually to blame for these attacks.
But hope is nigh. Passwords may soon become a relic of the past as attempts to seek out viable authentication alternatives yield promising results. 2019 might see the beginning of a passwordless world, where no one needs to memorize or retain multiple passwords for different platforms. Instead, they can rely on new technology using biometrics, two-factor authentication, and contextual identity solutions.
#5 Combating the Threats
In case anyone still thinks an ironclad cybersecurity plan is a nice-to-have, consider this statistic: The estimated cost of global cybercrimes is set to exceed all other criminal endeavours by 2019 and will set the global economy back by nearly $2.1 trillion next year.
Here are some fundamental steps organizations can take to ensure that they’ve protected themselves:
- Educate employees and create awareness around cybersecurity. Train them on preventive measures. This includes flagging all suspicious activities including seemingly harmless emails. If you see something, say something. In a an interview with Forbes magazine, John Samuel, Senior Vice President and Global Chief Information Officer, CGS, explains: “While next-gen technology like Artificial Intelligence (AI) and Machine Learning (ML) are transforming many enterprises for the better, they’ve also given rise to a new breed of ‘smart’ attack. The ability to scale and carry out attacks is extremely enticing to cybercriminals, including use of intelligent malware. The rise in next-gen threats means that security professionals must be extra vigilant with detection and training against these threats, while also adopting new methods of automated prevention methods.” Depending on your workplace culture, training can be top-down, with a cybersecurity ambassador appointed for each department who can assist in incident response for potential threats.
- Collecting and analyzing security logs is a critical activity, and one that organizations should prioritize. Regular monitoring helps detect criminal activities and enhances digital forensics. As digital threats evolve and accelerate, isolated security solutions may soon prove to be ineffective in combating future threats. During the next year, organizations can expect to witness a surge in state-sponsored efforts to develop cybersecurity policies, guidelines, procedures, and interventionist protections. As both governments, businesses, individuals, and economies fall under threat, both the public and private sector will need to collaborate and develop a unified approach to combating digital malicious actors.
- Devices that are not updated with the latest software and security updates are easier to hack. This makes it imperative to schedule regular updates across devices and platforms. Organizations should make it mandatory for employees to update their personal devices (that are used for business purposes) and business-owned devices.
This means that organizations need to embrace an easy-to-follow but secure BYOD (bring your own device) policy. An organization’s policy should include how much monitoring the IT department is allowed over the employees’ device, where the device can be used, and the protocol for reporting a stolen or lost device. Enterprises can also consider supplying business-owned devices which are set up with special protection.
Companies looking to pace-up and fortify their cybersecurity measures should consider partnering with service providers who are aware of and compliant with both global and local privacy and security regulations. To effectively prevent and combat these attacks, business leaders have to adopt a proactive approach to both cybersecurity technologies and to employee culture. Ultimately, cybersecurity issues affect everyone, from the bottom up. Particularly for organizations which have access to large troves of customer data, constant vigilance, robust security measures and a rock solid recovery/contingency plan, are key. The right mix of technologies, tools, and services, can help them stay ahead of the curve.
Comment below: Which cybersecurity trend will dominate 2019?
- Denial-of-Service (DOS): In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet.
- Distributed Denial-of-Service (DDoS): A Distributed Denial of Service (DDoS) is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
- General Data Protection Regulation (GDPR): The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.
- California Consumer Privacy Act of 2018: The California Consumer Privacy Act of 2018 is a bill passed by the state of California legislature signed by its governor on June 28, 2018. The purpose of the Act is to provide California residents with the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom.
- Say no to the sale of personal information.
- Access their personal information.
- Equal service and price, even if they exercise their privacy rights.