It’s that time of year again, when we ask the great and the good in the 2-sec office for their security predictions for 2018. Here are our six top cyber security forecasts for the next 12 months.
PREDICTION 1 – Little tolerance for non-GDPR-compliant companies
Those who have taken the EU General Data Protection Regulation (GDPR) seriously and have ensured their compliance will be in a comfortable position in 2018. Unfortunately, a recent survey by Collyer Bristow has shown that 55% of UK small businesses are STILL unaware of the GDPR. They now have little more than six months until the GDPR compliance deadline on 25th May 2018.
Luke Vile, our Cyber Security Director, says, “The legislation does seem poorly understood among some industries in the UK, and I worry that companies may have indefinitely postponed their GDPR compliance projects. Consequently, it may even take until the first prosecution to see these unprepared organisations scrambling to achieve compliance. Many companies misunderstand the critical areas that they need to be aware of when preparing for the GDPR.
I believe there is likely to be little tolerance for non-compliant companies which suffer data breaches after 25th May, especially when you consider that the EU has given 2 years after GDPR passed into law (27th April 2016) for companies to achieve compliance. Although fines are a last resort and there may be a short period of grace, businesses that still mishandle personal data and have poor privacy policies will definitely be under the searchlight.”
PREDICTION 2 – More spectacular data breaches
As well as the WannaCry ransomware that crippled the unprepared NHS in May, we also saw successful attacks on Equifax, Verizon, Deloitte, Imgur and Uber in 2017, among many others. Will there be more data breaches in 2018?
Tim Holman, our CEO, says, “Every year, the number of companies falling victim to these breaches increases. Large companies are not meeting regulations, have poor cybersecurity hygiene and are failing to implement the policies they create and enforce on others. In 2018, we will see even more high-profile names. I also believe that there will be further data breaches in the UK’s health industry. The advent of IoT and the absence of security requirements, plus the problem of patching medical IoT devices, has left the industry very vulnerable to a hostile attack.
Ransomware also continues to become more complex and increasingly high-tech, and simple end-user error is a major danger to UK companies. Insider threat is one of the most immediate hazards to a company’s security – whether malicious, opportunistic or the result of errors from untrained employees. This will continue until these organisations enforce the fundamentals of cyber security and the balance of risk and reward reverts, making ransomware far less appealing to cyber criminals.
I believe more organisations are accepting that breaches are inevitable whatever defences they install, and in my experience there has been a paradigm shift towards containment of a breach, rather than prevention.
Cyber security can never be perfect, and shifting focus towards containment and reducing the impact of a breach will be at the centre of organisations’ cyber security policies.”
PREDICTION 3 – Increased cyber security automation
Our Penetration Tester, Alexander Drabek, comments, “With the increase in size of the cyber security threat, the amount of data that needs to be processed by cyber security and penetration testing teams has also massively increased. My prediction is that we will see a growth in the number of available cyber security and pen testing automated tools that will do much of the low-level work. This will enable pen testers to concentrate on the higher-risk, more complex threats involved in day-to-day interactive testing.
Not all these tools will be valuable, and they will need to be used critically. But it will be an important shift, and the increased use of automated technologies and more in-depth results will lead to growth in this area.”
PREDICTION 4 – Increase in security training budgets in 2018
The high-profile 2017 attacks will lead to an increase in 2018 security budgets, with spending shifting away from software security products and towards employee training. Shrewder businesses will recognise the benefit of training their employees in how to protect themselves and company data from attacks. The increase in ransomware and phishing, and the growth in end-user error, mean that businesses will place importance on suitable employee training.
Phishing simulations are essential for flagging up weaknesses in a company’s security defences, and companies will invest more in this type of interactive training. Teaching staff proper email security practice, and in particular how to recognise and avoid suspicious links, will go a long way towards bolstering a company’s defences against ransomware attacks.
However, increased security budgets will not stop some companies from neglecting the basics, such as regular patching and updating.
PREDICTION 5 – Biometric devices are not secure
We’ve been keeping an eye on advances in biometric technology, and our view is that these new authentication methods are STILL just as susceptible to hacking as the passcodes on old-style phones and tablets.
Iris and fingerprint recognition are vulnerable to attackers, as recent news stories have shown. The biometric technology in Windows Hello (including on Surface Laptops), the Samsung Galaxy Note and the Apple iPhone X will be the principal targets for researchers and hackers in 2018, and the results will show that these new technologies are just as susceptible to compromise as Touch ID sensors, passcodes and passwords.
PREDICTION 6 – Final move towards multi factor authentication
We believe that 2018 will finally see the move away from passwords as the sole factor of authentication towards two- or more-factor authentication. The Deloitte breach in March this year was a wake-up call: attackers compromised the firm’s global email server through an “administrator’s account” protected only by a single password, which in theory gave them privileged, unrestricted access to all areas.
These high-profile data breaches will continue to make headlines, and many companies will finally ditch single passwords and move towards a more secure login. However, two-factor authentication may not be the silver bullet that everyone expected: dedicated attackers can bypass the weaker implementations, either by intercepting one-time codes (those delivered over SMS, for instance) or by exploiting account-recovery flows that skip the second factor altogether. Companies are therefore starting to combine two-factor authentication with behavioural biometrics to improve security. Behavioural biometrics differ from physical biometrics such as fingerprints or iris scans: they rely on patterns derived from a person’s specific behaviour, such as their signature or typing patterns. At 2-sec, we believe that a password-less future is coming within the next 10 years…
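The “weaker implementations” point above is easiest to see on the verifier side. What follows is an added example written for this page (not 2-sec’s code or any vendor’s): an RFC 6238 TOTP generator with two verifiers, one that accepts any code inside a ±1-step window and forgets what it has accepted, and one that records the last consumed counter so that each code is usable once. The shared secret, timestamps and the “intercepted” code are constructed for illustration; the secret is the RFC 6238 SHA-1 test key, so the first codes can be checked against the RFC’s Appendix B test vectors.

```python
"""RFC 6238 TOTP with a naive and a replay-resistant verifier.

Added example for illustration only; not production code from 2-sec or any
vendor. Secret and timestamps are constructed (the secret is the RFC 6238
SHA-1 test key, so totp(SECRET, 59) == "287082" as in Appendix B).
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # constructed: RFC 6238 SHA-1 test key (20 bytes)
STEP = 30                         # seconds per TOTP time step
DIGITS = 6
WINDOW = (-1, 0, 1)               # accept previous, current and next step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class NaiveVerifier:
    """Accepts any code matching a step in the window and remembers nothing.
    A code captured from the user stays valid for the rest of the window,
    so an intercepted code can simply be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        return any(hmac.compare_digest(hotp(self.secret, counter + d), code)
                   for d in WINDOW)


class HardenedVerifier:
    """Same window, but stores the highest counter already consumed for this
    user and refuses anything at or below it, so each code works at most once
    and a replayed code is rejected even inside the window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # per-user state; would live in the user record

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for d in WINDOW:
            candidate = counter + d
            if candidate <= self.last_counter:
                continue  # already used (or older than the last used step)
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def replay_scenario(verifier_cls):
    """Constructed timeline: the user logs in at t=59, an attacker who captured
    the code replays it at t=80 (still inside the +/-1 step window), then the
    user logs in again at t=80 with a fresh code.
    Returns (legit_login_ok, replay_accepted, next_legit_login_ok)."""
    verifier = verifier_cls(SECRET)
    captured = totp(SECRET, 59)             # "287082", seen by the attacker
    legit = verifier.verify(captured, 59)   # user's own login
    replay = verifier.verify(captured, 80)  # attacker replays 21 s later
    fresh = verifier.verify(totp(SECRET, 80), 80)  # user's next login
    return legit, replay, fresh


if __name__ == "__main__":
    print("naive    :", replay_scenario(NaiveVerifier))     # (True, True, True)
    print("hardened :", replay_scenario(HardenedVerifier))  # (True, False, True)
```

The hardened verifier closes replay of a captured code, not real-time relay: a phishing page that forwards the victim’s code to the real site within the same step still wins, and an account-recovery flow that never asks for the code bypasses both verifiers entirely, which is the point the text makes about one-time codes alone not being the silver bullet.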