2018 Cybersecurity Predictions (Part 10)

RV Raghu, Board of Directors, ISACA

1. At least 50% of the global population will become victims of privacy breaches.
2. All individuals will need to obtain cyber insurance going forward just to wake up the next day with their identity intact or at least to be protected from financial loss.
3. Professionals will need three broad perspectives to be successful in 2018, that of the practitioner for risk mitigation, that of governance to ensure that business needs are met and that of an auditor from an assurance perspective. 
4. 2018 will see the first bioengineered hack of the human body.
5. At least 50% of all user interfaces will move from the touch screen to voice-based access. All devices sold will include voice as the first choice and touch as the next choice of interface.
6. Cyber attacks will hack into space reaching the ISS and probably going into interplanetary missions. 
7. With the average age of the population getting online going south, we will become victims much earlier … probably even before we are born.
8. Smart appliances will be first used to take privacy attacks to the next level. Your television, your refrigerator, and your connected toothbrush will know more about you than any other human can.
9. AI and ML will combine to give rise to superintelligent threats.
10. 3D printing will do to the real world what the Gutenberg press did to our intellectual lives - fall of 2018 will see the first 3D printed food, followed by 3D printing shops around the corner allowing you to print just about anything imaginable. Intellectual property as we know it will cease to exist.

Ravikumar Ramachandran, ISACA Member (holds all four ISACA certs and is a frequent ISACA author/contributor):

1. Huge demand for Security Professionals with evolving and grounded expertise

The industry requires skilled cybersecurity professionals who can not only meet the current challenges but also evolve continuously with the changing technology landscape and with the associated threats and vulnerabilities. Some of the top skills needed in the context of current threat scenarios are as follows:

• Data Analysis, Data Governance, and Enterprise IT Governance.
• Data Analytics, Data Science, and Big Data Management.
• Cognitive Computing and Artificial Intelligence.
• Strong knowledge to address ransomware and evolving IoT connectivity issues and mobile access.
• Application Security and knowledge of defensive software engineering.
• Strong knowledge of regulatory guidelines.

2. Stringent Global Regulations 

The GDPR (General Data Protection Regulation), an EU regulation, will become applicable to every country in the world in May 2018. Under the GDPR, organizations in breach of it can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. Therefore, a priority for all company boards will be to deliberate on all the compliance requirements.

3. Ransomware, DDoS attacks, and Cyber-Warfare

Ransomware, or sometimes categorized as crypto-ransomware, encrypts certain important files on the infected systems and forces users to pay a ransom through online payment methods to get a decrypt key. Normally, payments are demanded in crypto-currencies like bitcoin, however, payment does not guarantee that the files will be decrypted.

Ransomware, though initially found in Russia, has now spread across the world and is a profitable business model. It will continue to become more so, as long as users don’t follow best practices and systems remain unpatched.

DDoS poses a serious threat to organizations worldwide, especially when they lack the resources and the bandwidth to handle large network traffic. The threat of DDoS will get accentuated with the increased use of Internet of Things (IoT) connected devices in the enterprise, which, when left unsecured, can become pathways as well as slave nodes and add to the DDoS traffic stream.

As a consequence, cyber-crimes will flourish, which could be used by powerful nations to initiate and develop highly refined and targeted attacks against targets of national value belonging to alien countries.

4. Explosion of threats, vulnerabilities, and IoT

Due to the exponential growth of innovative technologies, lots of new vulnerabilities will be introduced. However, the highest risks will still come from well-known and well-understood vulnerabilities. SANS estimates that over 80 percent of cybersecurity incidents exploit known vulnerabilities^[1] and the annual Verizon Data Breach Investigation report^[2]shows similar numbers. Gartner comes in much higher, estimating that “through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”^[3]

As if this is not sufficient, in the space of IoT, CISCO estimates that 40 billion devices will be connected to the Internet by 2020, as cars, fridges, medical devices, and gadgets not yet imagined or invented will link in, which will lead to the tremendous growth of threats and vulnerabilities in 2018 through 2020.

5. Privacy, Ethics of Big Data, and back to basics

Too much of data is entering business enterprises, and with the advent of big data, organizations now come across new types and formats of data, many of which are not structured like that of traditional data. Various types of sensors generate data in various formats and in huge numbers to be monitored.

^[4]The benefits of Big data innovation must be balanced by understanding the risks of unintentional consequences and organizations must be intentional about the inquiry and reduce the gaps between values and actions.

^[5]The more informed we are about privacy in the age of big data, the more we can shape and affect data privacy policies, standards, and regulations. This is not a debate about advertising, it is a debate about of how we balance privacy, security, and safety in an increasingly transparent and dangerous world.

Hopefully, GDPR will serve as a guidepost for exercising compliance while leveraging Big Data.

More often than not, cybersecurity issues are due to internal processes and people. Organizations the world over will be spending more on security awareness and training their employees so that preventive measures are exercised by them and incidents are raised when required. Patching of servers and updating software versions will gain prominence as basic security hygiene.

John Bambenek, Senior Threat Researcher, Fidelis Security

• Ransomware sabotage: Ransomware will continue to dominate the cyber threat landscape in 2018, but we will see a shift in its use and prevalence within the threat landscape. While traditionally used as an attack method for financial gain, we will see new cybercriminal groups increasingly use ransomware for sabotage. This motivational shift will impact the way in which ransomware variants are designed and created in the coming year. Cybercriminals will evolve their tricks and techniques to maximize infection and destruction on a global level rather than optimize financial extraction. While NotPetya, BadRabbit, and WannaCry used some of the same techniques that you see in ransomware, ultimately there is no way to recover data or a meaningful way to effectuate payment. Ordinypt is another example of where files where just overwritten with garbage, thankfully, in that case, there were forensic means still available to recover data. 

Tim Roddy, VP of Cybersecurity Product Strategy, Fidelis Security

• Vertical at most risk: Services firms. In 2018, the split between mass-scale and highly targeted cyber attacks will become even more apparent. While enterprises who house a lot of data will continue to be at high risk, smaller firms, specifically in the financial services and legal sector, who keep small quantities of highly sensitive information may become a top target. Alongside healthcare, the professional services sector is one of the lesser advanced in security, with many in the industry reporting to still have no security policies in place, despite today's threat landscape. Coupled with the fact that many in this sector are only now starting to undergo digital transformation projects, next year even the smallest of firms will make a lucrative target. Advanced security strategies for this sector will be critical. Cybercriminals undoubtedly have the advantage of learning from past campaigns with the threat of those wanting to leave breaches unannounced an even greater concern. When the target is data, service firms need to take heed. 
• Distributed workplace technical/endpoint. The compounding growth of remote workers and connected devices will see businesses face more cyber threats than ever before. The network edge is in a state of flux and so are today’s security technologies designed to protect them. Next year, we are going to see an undoubted spike in sophisticated cyber attacks that use combinations of unusual vectors to breach company networks – re-imagining the supply chain attack as we know it today. Simply identifying devices through endpoint security will not be enough to truly mitigate the threats evolving as a result of the distributed workplace next year. Integrated visibility and active defense will be important tools in the cybersecurity professional’s arsenal in 2018. It’s critical that IT professionals re-assess their security in 2018 to ensure that they are strategically layering in the right technologies to prepare for tomorrow’s enterprise threats. 

Ian Raine, Head of Product Management, iManage

• Greater integration of AI into security. Organizations will see more integration of AI into security and information governance in order to lower the risk of and damage from cyber attacks. When it comes to detection of breaches, AI will be increasingly utilized to automatically build rules to identify user patterns, so that deviations in behavior that indicate a breach or malicious behavior can be detected.