Given what’s happened in 2017 — the Equifax breach, state-sponsored attacks, Russian manipulation of social media, WannaCry, and more phishing scams than we can count — you might not be looking forward to 2018. Breaches will be bigger, hackers will be smarter, and security teams and budgets won’t seem to keep pace.
There is reason to be optimistic, though. Yes, some things will get worse before they get better, but we expect real progress in a few areas. Here’s what we think will happen next year.
1. Many, if not most, U.S. companies will not meet GDPR compliance by the deadline
Surveys show that U.S. companies subject to the European Union’s (EU) General Data Protection Regulation (GDPR) are far behind where they need to be to make the May 25 compliance deadline. For some, it might not matter.
Regulators will not audit for GDPR compliance, so companies are vulnerable to fines only if there is a breach or EU citizens file complaints. Even if a company experiences a breach or complaint, regulators will likely treat it leniently if the company can document good-faith efforts to comply.
Organizations that don’t take GDPR seriously and experience an event that triggers an investigation by regulators are at real risk of a heavy fine. That leads us to our next prediction.
2. GDPR regulators will quickly make an example of an organization
There are two schools of thought about whom regulators will target first. Some say they will set a precedent first with an EU company because EU companies are perceived to be less likely to fight a fine. Others believe that regulators will not only go after a U.S. company early, but also have specific companies in mind.
It’s not hard to guess which companies they might be. Google, Apple, Amazon, and Facebook have all had contentious relationships with the European Commission on privacy and antitrust issues. If any of these four show signs of non-compliance with GDPR, EU regulators might well seize the opportunity to make a statement.
Other companies are not likely to be early targets unless an especially egregious event occurs that could have been prevented or minimized had GDPR rules been followed. The safe plan is to make your best effort to be in compliance by May 25.
3. The decline of password-only authentication will accelerate
The Equifax and Anthem breaches were wake-up calls for many consumers, who are now asking questions about the safety of their online accounts. Most still have no idea about password alternatives or enhancements like multi-factor authentication (MFA) or risk-based authentication, but they are more aware that passwords alone are no longer enough. In fact, research done by Bitdefender shows that U.S. citizens are more concerned about stolen identities (79 percent) than email hacking (70 percent) or home break-ins (63 percent).
This is important, because companies often cite a lack of demand for stronger authentication as a reason for not offering it. They are reluctant to do so, in part, because they don’t want more complicated authentication degrading the user experience.
That worry will be eased by risk-based authentication tools that are becoming widely available. These tools work in the background to assess behavior and other data to determine the likelihood that the person attempting access is actually authorized. Coupled with MFA, risk-based authentication puts up a strong barrier to unauthorized access.
Risk-based authentication is often bundled with identity and access management (IAM) tools. According to Stratistics MRC, the IAM market is projected to grow at a compound annual growth rate of 14.8 percent in 2018, which is another indicator that password-only authentication is headed to extinction.
Liability concerns over compromised credentials are also driving companies to stronger authentication. In its Data Breach Industry Forecast, Experian points out that, after a major data breach at one company, credential reuse affects other companies. They are forced to notify users when hackers use their stolen credentials to fraudulently access services.
Experian calls this an aftershock breach, and the report urges organizations to deploy secondary authentication methods. “Given the continued success of aftershock breaches involving username and passwords, we predict that attackers are going to take the same approach with other types of attacks involving even more personal information, such as social security numbers or medical information,” the report stated.
4. State-sponsored attacks will increase
The usual suspects for state-sponsored attacks — North Korea, Iran, and Russia — don’t have much to lose by continuing their attempts to extort, steal, spy and disrupt by infiltrating information systems. All are already heavily sanctioned, and the consequences — at least those we know about — in response to state-sponsored attacks have been minimal.
This makes the risk of escalating those attacks seem low. Expect state-sponsored attackers to keep pushing the envelope in terms of scale and impact of their assaults. An area of particular concern is critical infrastructure like power and communications grids. “The progression of cyber attacks driven by nation-states will undoubtedly place critical infrastructure in the crosshairs, potentially leading to widespread outages or exposed personal information that could impact millions of innocent consumers,” stated Experian’s 2017 Data Breach Industry Forecast.
Affected nations and the international community will respond with more pressure on the bad actors. More sanctions and indictments of foreign nationals deemed responsible are likely. “Unfortunately, until there is a clear international agreement regarding rules of engagement in cyberspace, these attacks are likely only going to increase and escalate,” the Experian report stated.
State-sponsored attacks might also spur countries to form alliances to fight them. “Increased attacks on critical infrastructure will drive countries to begin discussing cybersecurity alliances. Establishing these alliances will provide mutual defense for all countries involved and it will allow for the sharing of intelligence in the face of attributed nation-state attacks, not to mention agreements to not attack each other,” says Eddie Habibi, CEO of PAS Global.
Until effective deterrents are in place, offending nations will escalate their attacks until the cost is too high. That cost might come in the form of in-kind counter-attacks or even some kind of physical strike. Let’s hope we don’t end up with the kind of brinkmanship that kept the world on edge during the Cold War.
5. Attacks via compromised IoT devices will get worse
Millions of connected devices have little or no defense against hackers who want to gain control of them. In fact, it’s getting easier for hackers to take over scores of internet of things (IoT) devices. All they have to do is purchase a botnet kit from the dark web and they are in business. The top three botnet kits — Andromeda, Gamarue and Wauchos — are estimated to be responsible for compromising more than a million devices a month. The Reaper botnet has infected more than a million devices.
The problem is that we haven’t yet seen what the hackers who control the botnets intend to do with them. Will it be to launch distributed denial of service (DDoS) attacks? Send massive amounts of spam? Or will they do something we haven’t seen before? We’ll find out in 2018.
It takes time to build, secure, and set up the command infrastructure for a botnet at a Reaper-like scale. A hacker would not likely invest that kind of effort without expecting a large return. Botnet attacks in 2018 could be very interesting, and not in a good way.
That’s the bad botnet news. The good news is that efforts against botnets are improving. In December, three people pleaded guilty to charges related to their creating and using the Mirai botnet to launch a DDoS attack on DNS service company Dyn. Also in December, ESET and Microsoft announced that they had cooperated to take down 464 botnets and more than 1,200 command and control domains. Also encouraging, an individual believed to be associated with the botnets was arrested in Belarus.
International cooperation will be necessary to stop botnets. The Belarus arrest, along with the arrest in Spain last spring of Peter Levashov, the hacker behind the Waledac and Kelihos spam botnets, gives hope that hackers will have fewer safe havens next year.
IoT device makers are slowly making progress on securing their devices as well. That won’t help the scores of devices already deployed that are difficult or impossible to patch, however. “Manufacturers will start to address these security faults or risk losing to the companies that bake-in security from the start,” says Ken Spinner, VP of field engineering at Varonis. “GDPR may save the day in the long run, forcing businesses to reconsider personal data collection via IoT, but we won’t see this effect until at least 2019.”
6. Automation of some threat-detection tasks will increase
Security teams wade through massive volumes of alerts and data every day to determine what is or isn’t a likely threat. That volume will increase, driven by more attacks and more attack vectors. Filtering the alert data is repetitive, tedious work, which makes it a perfect candidate to automate using software.
Organizations are already taking advantage of machine-learning-based tools to help filter alerts and lighten the load on over-burdened security staff. We expect this trend to accelerate in 2018 as the volume of threat indicators increases and the security talent pool remains constrained. And why not? Studies have shown that, properly deployed, automation tools are highly effective at identifying which alerts a person needs to look at.
The automation trials that organizations are doing now will give them confidence in the technology and help them understand where it can and can’t help. That will encourage security teams to expand the use of automation where it makes sense. Automation will not be a panacea or replace staff, but it will boost threat detection effectiveness and free staff for other important tasks.
With the increased use of machine-learning-based automation will come a greater awareness of what it can’t do. For example, machine learning is only as good as its model and the data available to analyze. It will likely miss any new type of attack. This better understanding of machine learning and automation will allow security teams to deploy the technology more effectively.
7. Trust will be a casualty of the war on cyber crime
Who can blame anyone for mistrusting everything when it comes to cyber security? No one’s personally identifiable information (PII) is safe. Companies can’t count on the integrity of their suppliers’ and partners’ security capabilities. The U.S. government is even throwing shade on a leading provider of security software because it’s based in Russia.
This lack of trust is starting to have a real effect on business that will continue into 2018. Uber did not help matters when it was revealed that the company hid a large breach for a year. It will be harder to engage consumers when they are reluctant to trust companies with their PII. As explained above, this will drive companies to provide stronger authentication.
Expect more companies to demand security audits of their partners, suppliers, and service providers. Third-party breaches are becoming more common, which shows that any organization’s security is only as good as its extended network. An organization can’t assure its customers and employees that their data is safe if it doesn’t know the risk presented by the other organizations with which it does business.
The U.S. government has banned the use of Kaspersky software in government agencies because it believes the risk of Russian influence compromising the software is too high. Similar actions by other countries are likely in 2018. “Other countries have shown similar nationalistic tendencies such as China and its recently passed, far-reaching cybersecurity law that requires access to vendor source code. We predict that the U.S. Executive Branch will show similar tendencies and direct government agencies to exercise procurement preference for vendors with development and manufacturing in the U.S. or allied countries,” says PAS Global’s Habibi.
The environment of mistrust will present opportunities for companies that can show genuine concern for protecting data and demonstrate that they have proper security infrastructure in place. In other words, earned trust becomes an asset when consumers and other organizations are willing to do business with you because they feel secure doing so.