In late 2016, Forrester forecast that automation and security services would be used increasingly to cover a shortage of tech talent, that more than half a million IoT devices would be hacked, that compromises of healthcare systems would become as extensive and prevalent as those previously seen in retail, and that a significant IT security breach in the Trump administration would be revealed within its first 100 days. All those predictions came true. Similarly, the Information Security Forum (ISF) was right with many of its 2016 predictions. This two-part security mini-guide looks at how those two organizations expect the threat landscape to evolve in 2018.
#1 – Expansion of crime-as-a-service
Steve Durbin, managing director of the nonprofit Information Security Forum (ISF), forecast in late 2016 that crime-as-a-service (CaaS) would expand massively in the year ahead as crime rings established more intricate structures, associations, and affiliations that reflect the robust and highly controlled mechanisms of enterprises.
Durbin states that his projection did, unfortunately, come true: crime-as-a-service was the central component of a general increase in cybercrime. ISF again sounds the alarm this year that CaaS will remain a huge concern, with crime syndicates now specializing to serve niche markets and turning their malicious work into an internationally traded commodity. Sometimes the cybercrime operation sits inside an organization that also has other business functions; in other cases, cybercrime units operate as independent businesses.
One main way CaaS will evolve in 2018 is that more of the people Durbin describes as “aspirant cybercriminals”, who are not necessarily skilled hackers, will be able to cause greater damage using services and tools they simply purchase.
In previous years, ransomware meant shutting down your IT systems and demanding payment, often as cryptoware that encrypted your data and locked you out of it. Once payment was made, the intruder would stop the attack. That expectation depends on trust. Because aspirant hackers now use ransomware so heavily, businesses are, wisely, unlikely to trust that their services will be restored if they pay. Even if services are restored, the perpetrators may come back repeatedly for additional payoffs. Businesses will become more aware of this issue in 2018.
CaaS will also be delivered through social engineering in 2018. Social engineering is a particular concern for staff training because it targets individual people rather than the organization as a whole. Security is now so centered on the individual user that, Durbin says, the line between the individual and the enterprise blurs; he concludes, “The individual is increasingly the enterprise.”
#2 – More frequent IoT assaults with different goals
The Internet of Things (IoT) thrived in a sense in 2017, but only in limited industries and contexts. 2018 will bring tremendous growth in the number of IoT devices, and with it a flood of data from those devices.
Understanding and managing that data could yield huge competitive advantages, boosting the demand for big data analysis.
There is a glaring issue with the IoT, though, as Forrester indicates. The research firm notes that the rise of the IoT will also spur more IoT hacking, with a different intent aimed at the devices themselves. Until now, the standard criminal use of the IoT has been to herd compromised devices into a botnet of zombie machines for distributed denial of service (DDoS) attacks. In 2018, attackers will become more interested in the data held on IoT devices, stealing it or blocking access to it to extract a ransom.
#3 – Supply chain will remain the biggest risk management issue
The ISF has long been concerned with the challenge the supply chain poses to security. Large amounts of critical data may be shared with suppliers, in scenarios that necessarily involve handing over aspects of control to them. It is extremely important to know that the supplier will treat the data properly so that it stays private, secure, and available.
Durbin noted that 2017 saw large manufacturing companies unable to maintain full production after losing access to some of their supplies – so this issue is key.
Furthermore, the notion of a supply chain extends far beyond manufacturing. Every organization has suppliers. You want to understand where your data is and how it is being protected (for example, in datacenters audited to the SSAE 18 / SSAE 16 standard), especially if it is being shared with or entrusted to a third party.
2018 will be the year companies start to scrutinize their supply chains for full-lifecycle data protection, and a proactive security stance will be more widely embraced. Durbin advises using services whose assurance is appropriate to the risk, and building your safeguards out of repeatable, scalable processes. It is crucial to integrate supply chain IT risk management into your procurement and vendor management policies.
#4 – General Data Protection Regulation prominent in security conversations
The General Data Protection Regulation (GDPR), a set of rules and standards adopted by the European Union, goes into effect in May 2018. There are severe fines and sanctions for organizations that violate its provisions, which broadly uphold consumer and end-user protections. The fines really are significant: as high as 4% of annual worldwide turnover or 20 million euros, whichever is greater.
The GDPR protects everyone who lives in Europe, and it applies both to businesses located within Europe and to those outside it that do business in its member nations. GDPR is about safeguarding staff information as well as consumer information.
A chief concern recently is that companies have been increasingly monitoring their workforce as a way to guard against internal cybercrime, human error, and hackers with stolen login data. That may be well-intentioned; however, it can also be considered an invasion of privacy from the perspective of anyone on staff.
A ruling handed down by the European Court of Human Rights in September held that organizations must tell personnel ahead of time if their workplace email accounts will be monitored, and that any monitoring that does occur cannot come at unreasonable expense of the employee’s privacy. The GDPR likewise covers the privacy and data management of workers and can bring large fines if its stipulations are violated.
The Forrester researchers note that these laws are geared toward stopping improper handling of customer data; employee information, however, is also personal data, even though it sits within the company’s own systems. Forrester expects regulators to focus increasingly on employee privacy.
Durbin notes that the GDPR comes up in virtually every conversation he has related to security with anyone in the world.
#5 – Possible malicious impact on United States midterm elections
Forrester states bluntly in its report that the United States has been failing to address systemic flaws in the voting process, in which computer programs are used for voting, as well as counting, verification, and reporting.
The analyst firm notes that the attacker would not even have to access a voting machine itself. They could “use compromised Windows machines to adjust the voting tabulation results in web-accessible software,” states the report; alternatively, they could modify a database or spreadsheet of totals from individual precincts.
The huge troves of data stolen in the attacks on numerous state agencies, the Republican National Committee, and Equifax will make it easier for malicious parties to submit fraudulent votes in areas where the vote is close, says Forrester.
High-security, high-performance infrastructure
Are you concerned about properly safeguarding the data being entrusted to your organization? In 2018 more than ever, you need IT partners that prioritize security.
At Total Server Solutions, our high-performance infrastructure is audited to the SSAE 18 / SSAE 16 standard from the American Institute of Certified Public Accountants. See our security commitment.