There are four major factors in cyber security that change constantly, creating meaningful impact to business and government cybersecurity programs:
- Business trends and new technology adoption
- Advances in threats
- Regulations and compliance
- Improvements in cybersecurity defensive tools and processes
None of these factors change on any predictable schedule, but humans tend to like to look ahead each time we ring in the New Year. John Pescatore, Director of Emerging Security Trends at the SANS Institute, provides his top five predictions for cybersecurity in 2018.
- Business reliance on cloud will drive increased direct attacks against cloud services.We will continue to see rapid increase in the adoption of cloud-based Infrastructure-as-a-Service offerings for running business critical applications on public cloud. The elasticity of cloud based services is attractive to businesses to reduce costs and increase speed to market. While the top tier of these services is designed and managed with security in mind, the promise of cost reduction means enterprises are not investing in the skills and tools required by IT operations to safely manage the cloud. Server administrators have been understaffed and under skilled, unable to securely administer a relatively small and constrained number of servers found in traditional data centers. Daily news stories of misconfigured cloud services are already showing how the use of cloud is exposing this risk and making cloud services attractive targets for cyberthieves.
- Denial of service will become as financially lucrative as identity theft. Cybercrime has represented the majority of damaging cybersecurity incidents for the past several years. Using stolen identities for new account fraud has been the major revenue driver behind breaches. However, in recent years ransomware attacks have caused as much, if not more damage, as increased reliance on distributed applications and cloud services results in massive business damage when information, applications or systems are held hostage by attackers.
- The focus on “increase staff or automate” vs. “increase skills and support” will fail to show any return on investment. There are countless media headlines touting massive underemployment in cybersecurity, when most enterprises really see a need for more effective cybersecurity staff vs. just more bodies. Similarly, the latest buzzword technologies such as “machine learning” and “AI” have yet again been vastly overpromised as technology that will eliminate or drastically reduce the need for experienced and skilled cybersecurity staff. The real successes in cybersecurity have been where skills are continually upgraded, staff growth is moderate and next generation cybersecurity tools are used to act as “force multipliers” that enable limited staff to keep up with the speed of both threats and business demands.
- Consumer advances in secure use of technology will drive workplace change. Phishing attacks continue to succeed because the vast majority of Windows PC users within businesses are still using reusable passwords. However, large numbers of consumers now routinely use biometric authentication on their mobile phones and 28% of consumers are using two factor authentication on at least one personal account. Apple and Android mobile phones and tablets include advanced technologies like application control, privilege management and encryption that are rarely enabled on work PCs. Home users are actually often safer using their own technology than they are using systems at the office! Just as users have driven businesses to adopt technologies like the Internet, Wi-Fi, smartphones, etc. – they will start to drive stronger forms of authentication and data protection at work.
- Cyber-insurance policies will not demonstrate any actual reduction in business costs from cyberattacks. The high levels of business damage due to cyberattacks has greatly increased the interest of Boards of Directors in managing this risk. This has driven an increase in procurement of cyber-insurance policies, as capping liability via insurance is well known to Directors. However, for a variety of reasons cyber-insurance does not bound liability in any way, and the payback very often doesn’t even cover the costs of the premiums and the deductibles if an incident does occur.