2018 forecast: Compliance Regulation, Ransomware, IoT, Comprehensive Cybersecurity Service and More
Our 2018 Cybersecurity Trends article was developed to promote awareness and offer information on emerging threats, cybersecurity risk management, preventive measures, countermeasures and security awareness training to empower you with cyber intelligence.
More Compliance Regulations
The need for regulation in cybersecurity has given rise, and will continue to give rise, to regulatory standards and to enforcement actions taken to uphold those standards.
- EU General Data Protection Regulation (May 2018)
- The new GDPR standards for processing, storing, and securing the personal data of EU citizens will have far-reaching influence and the threat of potentially major fines; even if you don’t work extensively within the EU, expect this move to inspire regulation elsewhere. The first few to violate the GDPR may be made into examples to deter future noncompliance.
- The SEC’s Cybersecurity Division aims to provide guidance and resources for the public and private sectors, including alerts, bulletins, and analysis.
- In 2017 New York became the first state to set minimum cybersecurity standards (23 NYCRR Part 500), affecting banks, insurance companies, and financial services institutions. Companies will likely still be scrambling toward compliance, and similar measures in other states may soon follow.
- Standardization does not always have to be legal; it can also take the form of publications such as those of the National Institute of Standards and Technology, which produces research-driven, practical cybersecurity guides.
Takeaway: Regulation creates a pressing need for partners that understand and meet the latest rules. Align Cybersecurity™ combines expertise in technology, governance, education and technical law as an all-inclusive, end-to-end service.
The Evolution of Ransomware
Ransomware was a big subject in 2017 and will likely continue to cause problems in 2018, as new attacks surface and hackers pivot into new avenues of attack and exploitation.
- Fallout from attacks like WannaCry has been enormous. It’s likely that hackers with aspirations of similar impact already have attacks in the works
- Ransomware campaigns may react to increased security by pivoting toward targeting more vulnerable individuals and businesses
Takeaway: Major attacks are thwarted, yet much about them remains a mystery. Ransomware isn’t going away any time soon, and nimble, up-to-the-minute knowledge of the latest breaches and patches is essential.
Vulnerabilities in the Internet of Things
- New devices continue to be added, but the Internet of Things remains a vulnerability, with many devices lacking basic security
- With estimates of anywhere between 24 and 50 billion connected devices by 2020, the IoT, and the potential losses from its vulnerabilities, will continue to rise exponentially.
Takeaway: Market pressures and rapid expansion have made the buzzy IoT a prime target. Shoring up existing security and encouraging secure behavior through training and authentication will be key for hedge funds and alternative investment firms that want to stay ahead of the curve.
Two-Factor Authentication in the Crosshairs
- The relationship between defenders and attackers continues to be an arms race of developing technology
- As demand increases for two-factor authentication in response to large data breaches, hackers will be looking to find workarounds or vulnerabilities that diminish or sidestep the security two-factor affords
Takeaway: Two-factor is a great additional layer of data security, but should never be considered a finished, impenetrable security system. Security at any level is only as good as its ongoing maintenance and updating.
Need for Qualified, Comprehensive Cybersecurity Service
- According to a recent report, security incidents and operational/compliance issues are commonplace due to human error and malicious activity
- There’s a huge need for cybersecurity personnel, increasing demand for external services/partners and virtual Chief Information Security Officers (vCISOs) to provide services without hiring additional full-time personnel
- Cybersecurity impacts multiple departments in a firm, therefore, a business needs to employ a multidisciplinary approach to cyber risk management.
- A comprehensive cybersecurity solution reduces the headache of working with multiple vendors and mitigates the risk associated with so many moving parts. Working with a team of subject matter experts across a variety of disciplines including education, legal, technology and security will build the diverse foundation a firm needs to protect their most critical assets today and in the future.
Takeaway: Cybersecurity is a major issue for modern businesses, and investment firms, private equity and financial institutions are prime targets. Savvy firm owners will prioritize finding the best service providers, and innovative players in the cybersecurity industry should take advantage of the opportunity.
Cryptocurrency as a Target
- The surge in Bitcoin’s value has brought increased attention to cryptocurrency; this has also made cryptocurrency a target for hacking and ransomware.
- High-threat groups have begun targeting the cryptocurrency market and its major players
Takeaway: Businesses that deal in or are related to cryptocurrency should expect the increased interest to bring more scrutiny and a greater threat to security as unsavory actors attempt to take advantage of vulnerabilities.
Nation-state Hackers and Proxy Wars
- With North Korea named as a likely culprit for the WannaCry attack, hacking has moved to the international stage as governments weigh in and use cyberattacks against each other
- Tech companies may find it essential to work between the public and private spheres as cyberattacks target private citizens and companies for public gain.
Takeaway: Cyberattacks as a means of nation-state action entangle citizens and companies regardless of their perceived involvement. Cybersecurity, and better communication about the nature and spread of breaches, will be a major topic in 2018.
Handling Data Breaches
- Equifax has demonstrated the wrong way to handle a data breach: delaying disclosure, misdirecting the public, and underscoring its own failures. Its public embarrassment will hopefully be a lesson for other companies to handle the PR and response to a breach more gracefully.
- The Equifax data breach highlights the evolving threat landscape and the universal state of unpreparedness in both the corporate and personal contexts.
- Now more than ever, all consumers must also evolve, and learn how to protect their personal financial information and consumer credit profiles.
Takeaway: How your company handles a data breach makes all the difference in mitigating loss; the optics can be just as important as the actual security of your data. Savvy companies will benefit from a proactive and responsible contingency plan in the event of a breach.
Endpoint Security – Patching and Application Testing
- WannaCry could’ve been avoided with active patch management, but doing so remains a challenge for many organizations
- If you can’t manage endpoint security and simply leave it to chance, your organization is likely to be vulnerable to this year’s attacks
Takeaway: In most cases, ransomware takes advantage of common vulnerabilities. Actively managing endpoint security is a simple way to mitigate massive amounts of risk to your data security.
Think Before You Click - Phishing Email Tips
As a cybersecurity best practice, Align advises you to remain vigilant and skeptical of potential email scams. You need to watch out for the following things:
- Phishing emails that claim to be from your financial institution, social media accounts and the like, offering a link where you can supposedly check whether your data was compromised
- Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
- Calls from scammers that claim they are from your bank or credit union
- Fraudulent charges on any credit card, a sign that your identity may have been stolen
- Emails claiming that your account has been suspended. If you want to change the settings of subscription services, never click on a link in an unverified email claiming to be from an organization you have an account with. Instead, type the website name into your browser, log in to your account the standard way and check for any messages there.