Prediction No. 1: Business Emails with Nasty Surprises, Attached
Businesses are quickly becoming cybercriminals’ favored targets. Over $US12 billion worldwide has been stolen over the past five years due to business email compromise. As the theft of passwords and login details becomes increasingly common in enterprise environments, attackers have grown more confident and motivated, targeting small and large organizations by masquerading as partners or internal stakeholders – a pattern that will continue to plague businesses if they fail to adapt. This alarming rise in business email compromise underscores the increasingly diverse and sophisticated methods attackers use today, from mimicking corporate websites to targeting employees’ personal social media accounts to launch exploits. As attackers find increasingly crafty ways to bypass internal checks, will 2019 be the year businesses beat cyber criminals at their own game? Doubtful!
Where possible, businesses will need to assess their internal flow of information as well as implement more comprehensive checks and approval processes, especially with regard to the movement of resources. As we have seen, passwords remain among the weakest links in computer security – easy to steal, difficult to secure and offering little proof of a user’s identity. In response to this, 2019 will see measures such as two-factor or multi-factor authentication and biometrics become increasingly commonplace.
Prediction No. 2: Supply Chain Will Be Your Weakest Link
The digital age has helped break down barriers to create an interconnected, global supply chain, making it very easy for businesses to tap suppliers and outsourced services from around the globe. These links, including the sharing of data and networks, have empowered organizations to embrace new efficiencies through connectivity and analytics. However, this will also prove a boon to opportunistic attackers preying on weaknesses in existing security. These risks have become more apparent in the healthcare sector, where third-party connected medical devices – such as MRI and X-ray machines – plug into internal networks daily, providing multiple new attack surfaces and vulnerabilities over which hospitals have almost no control.
Pinpointing and avoiding cybersecurity risks will soon be nearly impossible as the global supply chain becomes increasingly complex. Perhaps it is time for organizations in other sectors to start asking, ‘Do we know who or which individuals, organizations and other third parties have been connecting to our networks? Do you know which systems and services your organization is dependent on?’
CSOs will need to look carefully at traffic within the network to ensure sensitive information is kept separate and secure, away from external devices and systems. As multiple unsecured devices connect to corporate networks, the internet of things, or IoT, can quickly become an ‘internet of cyber threats’. Although the use of certain third-party apps and connected devices may be unavoidable in many cases, businesses and organizations need to pay more attention to internal security standards around the procurement of such devices or services. This includes ensuring that firmware and applications are always up-to-date, and login configurations should be changed from the default configuration. If third-party systems and devices reside on your network, apply a Zero Trust mode to inspect and verify all traffic by placing them in a zone which only allows approved users and apps to communicate with them. In 2019, an unsecured connected device could serve as a gateway for attackers as easily as any computer or smartphone.
Prediction No. 3: Data Protection Legislation Gains Ground in APAC
As Asia-Pacific countries pledge greater cooperation with cybersecurity initiatives, the move towards formalizing data protection frameworks seem inevitable. Countries like Australia and Singapore have taken the first plunge, and others in the region will soon follow as they wake up to the urgency of national security and data protection for their citizens. As digital maturity varies across the region, the framework for these countries to roll out their own version of GDPR could take some time to develop, and the path ahead is not straightforward. However, 2019 could be the year many countries take the first steps towards protecting their citizens’ data.
In the Philippines, for example, the country has made strides for prioritizing cybersecurity with the new 2012 law: the Data Privacy Act. In addition, the Philippines recently won a seat in the International Conference of Data Protection and Privacy Commissioners (ICDPPC) after being members of the global privacy body for two years. ASEAN has set its sights on becoming the world’s fourth-largest economy by 2030. Today, the region is well on its way to achieving this goal, with 700 million active mobile connections, making it the fastest-growing internet region. Recognizing this as a good foundation for a flourishing digital economy, the recent Master Plan on ASEAN Connectivity 2025 (MPAC 2025) has outlined an initiative to establish an ASEAN Digital Data Governance Framework as a step towards transparency in data privacy and cross-border data sharing among member states.
The European Union’s General Data Protection Regulation has served as a clarion call for organizations in the APAC region to pay attention to the data they collect and store. Businesses in this region can use the GDPR as a baseline to assess current gaps in compliance and help determine their overall prevention posture. It may take several years before a similar region-wide framework emerges in APAC, but businesses can use the GDPR’s policies as a way to start minimizing unnecessary personal data collection, which could help minimize risks and exposure in the process.
Prediction No. 4: Forecast For 2019: Cloudy Skies Ahead
This app-powered era is thriving partly because of cloud computing, which has become a go-to resource for businesses looking to deliver new products and services without bearing hefty initial investments in computing resources. Cloud computing helps simplify a few areas of security, but it also presents newfound challenges. Implementing a cloud computing strategy often means that mission-critical data and systems will sit with third parties. These assets will need to be securely stored and transmitted, and only accessible to authorized personnel is of utmost importance. The security of the cloud is not the sole responsibility of the cloud service provider; but is shared with enterprises that also must grapple with the security of data, applications, operating systems, network configurations and more. This intertwined ecosystem has made security a much more complex undertaking, especially for organizations already dealing with the difficulty of finding cybersecurity talent and making sense of the many point products available in the market today.
With the speed at which enterprises are moving to innovate and deliver new services, all while dealing with a complex web of computing resources, it’s easy to let the discipline required for security slip. DevOps can help speed development, but it can be challenging to get and keep security in place, especially in the transition from traditional IT management to DevOps.
To succeed, enterprises must ultimately have the processes, technology and – most importantly – people in place to keep systems adequately secured.
It is critical to remember that legacy security systems, made up of various point products, have proven inadequate to prevent the rising volume and sophistication of cyber attacks. Too many security tools depend heavily on manual intervention, which can’t enact new protections quickly enough to have a meaningful impact on ongoing, targeted attacks. Reducing cyber risk requires having integrated, automated and effective controls in place to detect as well as prevent threats, known and unknown, at every stage of the attack life cycle.
Prediction No. 5: We’ll Finally Realize What Makes Critical Infrastructure (C.I.) So Critical
More than just a catchall term to describe public infrastructure and resources, the definition of critical infrastructure (CI) today has evolved to encompass other essential sectors, such as banking and financial services, telecommunications and the media. As CI goes digital and automated, cross-pollination between corporate and industrial networks has made them easier targets for cybercriminals. This is especially dangerous as industry systems such as supervisory control and data acquisition (SCADA) and industrial control systems (ICS), which are critical to the energy, water, and public transport sectors, often rely on legacy and unpatchable systems.
The UK’s National Cyber Security Centre has already warned that a cyber attack in the UK is inevitable, potentially taking aim at the elections and CI targets. This view has been echoed by the World Economic Forum Global Risk Report 2018, which has identified cyber attacks as a top cause of disruption globally, coming only after natural disasters and extreme weather events. How will Asia prepare itself in 2019?
Thus far, infrastructure owners have primarily focused on the confidentiality of information and overlooked the other two principals of information security: integrity and availability. This will be especially crucial as countries in the region adopt industry 4.0 technologies (e.g., machine learning for autonomous vehicles). These innovations will rely on telemetry and always-on connectivity, putting the lives of the public in the hands of systems that rely on accurate and accessible data. As a start, CI owners, both public and private, will have to put in place Zero Trust systems and ensure the segregation of access.
Perspectives about compliance need to change as well. CI owners must move away from a compliance-driven approach to security, towards a stance that lives and breathes security. Regulators and owners can co-create a regulatory framework that works for both while cultivating a security-first approach to designing and maintaining all CIs. Think less “tick and flick”, more “secure from the start”.