The combination of increased variation and volume in attacks against a climate of stricter data regulation means that 2019 is more challenging than ever for the cyber security industry. We’ve already looked at trends for 2019 but as we approach the halfway point of the year, here’s an overview of some more that should be on your radar.
It’s been around for a long time, but ransomware persists because it is simple and inexpensive to deploy with potentially crippling results. While many campaigns sink without trace thanks to security software, ransomware can still devastate an enterprise’s operations. For example, one of the world’s largest aluminium producers recently had to deploy manual systems after a cyber attack. Ransomware teams continuously fine-tune attacks based upon the changing security landscape and security teams need to adjust their focus and protections accordingly.
Every company active in the European Union had to implement GDPR security processes for the May 2018 deadline, safeguarding the personal data and privacy of all citizens in the EU. But that’s not the end of the story. We haven’t seen the first major GDPR data breach, and the consequences of that for the company involved, but if and when it happens, businesses will discover the true cost and may have to take another look at their security measures.
In short, GDPR was not a one-time exercise, and the data protection officers appointed at the time need to ensure continued compliance. This means keeping up with the relevant laws, and, potentially, making significant changes to business processes and security plans to avoid large fines.
Or should that be cloud insecurity? Organisations are increasingly moving large quantities of data into the cloud, taking advantage of cutting-edge technology to replace older on-premises implementations. However, ensuring that data is secure in the cloud is a little different from securing it within your organisation.
For example, a company might be using multiple cloud providers for different data types. That data is uploaded and accessed from various parts of the company, including increasing numbers of remote workers. It’s vital that a cohesive security policy is developed for all aspects of cloud data management so that it’s completely clear as to where all data resides and who has responsibility for its security.
Another long-established attack vector, phishing continues to yield lucrative results for hackers. The emails that draw in users aren’t the poorly-spelt, obviously false missives of past years; cyber criminals have honed their skills to create personalised, localised threats that seem to originate from trusted senders. Phishing threats rose sharply in 2018, and 2019 looks to continue that trend.
The IoT sector is expanding all the time, but the increasing number of deployments present a significant security challenge. The benefits of IoT devices such as cameras that are permanently connected to the Internet and switched on all the time are obvious. However, many of these items do not include any security measures, therefore opening up a weakness where previously none existed. And if they do have some level of security, very often it’s not updatable.
An additional issue is the credentials for these devices, which are often left at the default factory settings; this information is easy for hackers to find online. All of these issues make IoT devices vulnerable to malicious activities. Combating the possible risks and consequences will be of paramount importance to security professionals.
Shadow IT is an increasing issue for organisations, as they continue to move towards both software as a service (SaaS) and bring your own device (BYOD) strategies, allowing employees to use their own devices. This leads to software not deployed or endorsed by the company’s IT department running on users’ smartphones or laptops, including legacy applications and programs without the latest updates. These can become a security risk that is very difficult to defend against criminal activity. 2019 will see more of this activity, in addition to greater awareness of the risk and attempts to mitigate it.
Last but by no means least, this is another persistent trend: the risk from a company’s own users. It’s more important than ever to provide security training that educates employees on risk awareness, including falling for phishing scams, accidentally violating data regulations, using unsecured public wi-fi networks and giving out sensitive information such as passwords or other credentials.
The more information you give your staff, the more they are empowered to form an integral part of your security plan. This is vital in a world where cyber attacks are increasingly varied and sophisticated.