
Security Predictions for 2019 — But Are They Different From 2018?

The reality is — we are making progress against cyber attacks.

by James Lee · Nov. 29, 18 · Opinion

Looking Back Finds Reasons for Optimism...and Why You Should Plan Ahead

Prognostication is a risky business. Trying to predict events and issues that are largely based on unpredictable human behaviors is like picking your spouse on a blind date. Sure, you might be right, but you are just as likely to make a disastrous choice.

Yet, every year at this time, lots of smart people with loads of data at their fingertips predict what they think will be the major cybersecurity issues of the coming year. In 2018, Waratek's Crystal Ball had a pretty good track record — three out of five security predictions have come to pass with two partials — and there is still time to pick up the others before the year ends.

| 2018 Prediction | Outcome | Score |
| Government regulations will drive behaviors. | GDPR, NY DFS, CaCPA, CaSCD, and serious talk of a US federal privacy law. | 1 |
| Patching will be the Achilles heel of applications. | 321 hours (or ~$20K) per week spent (average) on patching CVEs: 25 percent of the most severe CVEs are not patched within 290 days. | 1 |
| Out-of-support software is the next frontier for attacks. | Too soon to see much movement here, but it’s coming | .5 |
| IoT and Ransomware attacks will (still) be a threat. | It’s not that these aren’t issues, but only one 2018 attack made headlines. So far. | .5 |
| More of the same. | Organizations still get caught doing stupid things (cough) Cathay Pacific (cough)… | 1 |

A list of 2019 security predictions could easily include all of the above, but that's just a tacit acknowledgment that the security community is not making headway in solving the primary issues that teams face every day. The reality is, though, we are making progress against cyber attacks. Progress is not linear or steady, but there are signs the collective actions of teams may be impacting the effectiveness of current attack vectors.

So, without further ado, here is a list of cybersecurity issues you can expect to see in 2019 — in no particular order.

Fewer Data Breaches...

2018 is on track to see fewer reported breaches and fewer reported CVEs after a record-smashing 2017. If the current trends hold true to the end of 2018, we will see the first year-over-year drop in reported data losses since 2011. Check back this time next year to see if this is a trend or a momentary pause in action.

...But Bigger Data Losses

The number of security breaches may be down but the size of data losses per attack is growing. Adjusting for the 2017 Equifax breach, the number of records lost will double in 2018. Expect that trend to continue in 2019.

Unpatched Vulnerabilities Will Get You Media Attention You Don't Want

The latest numbers from The Ponemon Institute and CA Veracode tell the story: according to Ponemon, security leaders around the world say that manual patching processes create risk. Yet, they continue to invest in headcount instead of automated tools like runtime virtual patches that can fix known code flaws with no downtime. A US government report confirms that hackers breached Equifax within two days of CVE-2017-5638 being announced — yet CA Veracode says fewer than 30 percent of known code flaws are patched within 30 days of discovery.

Security and Compliance Risks From Legacy Java Applications Only Get Bigger

The release of Java 8 SE in March 2014 marked the end of backward compatibility for the world's most popular application. Java 8 has since been replaced by Java 9, 10, and 11 and will go "end of public support" in January 2019, yet it remains the go-to framework for enterprise applications. Depending on whose measuring stick you use, Java 8 accounts for between 79 percent and 84 percent of Java-based applications. A little more than 40 percent are still being written in Java 6 (2006) or Java 7 (2011)! With no backward compatibility in Java 11, enterprises with legacy apps (which is most organizations) must rewrite their applications or virtually upgrade their applications using compiler-based technology and a virtual container.

More of the Same With a Touch of "Huh?"

In a world where SQL injection and Cross Site Scripting vulnerabilities continue to plague between 30 and 50 percent of applications, we're going to see more of the same in 2019. But there will be surprises, too, says Captain Obvious. It could be that crypto-mining attacks will accelerate, or maybe ransomware attacks will threaten more than just healthcare companies. Will we see a surge in DDoS attacks linked to the IoT after a year of relative calm in 2018? And what about critical infrastructure attacks from for-profit hackers and nation/states?

The Institute of Operations Management advises that "there are two types of forecasts...lucky or wrong." Let's reconvene in a year to see which we are.

Published at DZone with permission of James Lee, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
