The Security & Privacy Threats coming in 2018

19/Jan/2018

Growth of Crime-As-A-Service (CaaS)

Criminal organisations will continue to develop, becoming increasingly sophisticated and expanding into new avenues that they can actively exploit. The complex hierarchies, partnerships and collaborations that exist on an online marketplace represent and facilitate their diversification into new markets. Some organisations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime.

Organisations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with cryptoware in particular becoming the leading malware of choice for its threat and impact value. The resulting cyber incidents in the coming year will be more persistent and damaging than organisations have experienced previously, leading to business disruption and loss of trust in existing security controls. This leads directly to the second largest threat.

Ransomware in the cloud

The past 12 months have seen a plague of ransomware attacks, with targets including the National Health Service, San Francisco’s light-rail network, and big companies such as FedEx. Ransomware is a relatively simple form of malware that breaches defences and locks down computer files using strong encryption.

Hackers then demand money in exchange for the digital keys to unlock the data. Victims will often pay, especially if the encrypted material hasn’t been backed up; where they do not pay, the data is often abandoned and never decrypted.

That’s made ransomware popular with criminal hackers, who often demand payment in hard-to-trace cryptocurrencies. One big target in 2018 will be cloud computing businesses, which house mountains of data for companies. Some also run consumer services such as e-mail and photo libraries. The biggest cloud operators, like Google, Amazon, and IBM, have hired some of the brightest minds in digital security, so they won’t be easy to crack. But smaller companies are likely to be more vulnerable, and even a modest breach could lead to a big payday for the hackers involved as millions of customers could be affected at once.

The Internet of Things (IoT) Adds Unmanaged Risks

Organisations will adopt IoT devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organisations to use personal data in ways customers did not intend. It will be problematic for organisations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices such as smartphones and smart TVs.

When breaches occur, or transparency violations are revealed, organisations will be held liable by regulators and customers for inadequate data protection. In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life.

Supply Chain Remains the Weakest Link in Risk Management

Supply chains are a vital component of every organisation’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised. In the coming year, organisations must focus on the weakest spots in their supply chains.

Not every security compromise can be prevented beforehand, but being proactive now means that you, and your suppliers, will be better able to react quickly and intelligently when something does happen. To address information risk in the supply chain, organisations should adopt strong, scalable and repeatable processes for obtaining assurance proportionate to the risk faced.

Supply chain information risk management should be embedded within existing procurement and vendor management processes. This readiness may determine competitiveness, financial health, share price, or even business survival in the aftermath of a breach.

Regulation Adds to Complexity of Critical Asset Management

New regulations, such as the European Union General Data Protection Regulation (GDPR), will add another layer of complexity to the issue of critical information asset management that many organisations are already struggling with. The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organisations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives.

In the longer term, organisations will benefit from the uniformity introduced by the reform. But it is not just in the area of privacy where legislation will bite. The increasing weight of compliance obligations and legislative variances across jurisdictions will add to the burden for multi-nationals and those businesses targeting international trade.

The weaponization of AI

This year will see the emergence of an AI-driven arms race. Security firms and researchers have been using machine-learning models, neural networks, and other AI technologies for a while to better anticipate attacks, and to spot ones already under way. It’s highly likely that hackers are adopting the same technology to strike back. “AI unfortunately gives attackers the tools to get a much greater return on their investment,” explains Steve Grobman, chief technology officer at McAfee.

An example is spear phishing, which uses carefully targeted digital messages to trick people into installing malware or sharing sensitive data. Machine-learning models can now match humans at the art of crafting convincing fake messages, and they can churn out far more of them without tiring. Hackers will take advantage of this to drive more phishing attacks. They’re also likely to use AI to help design malware that’s even better at fooling “sandboxes,” or security programs that try to spot rogue code before it is deployed in companies’ systems.

Hacking elections and social media influence

Fake news isn’t the only threat facing any country running an election. There’s also the risk of cyberattacks on the voting process itself. It’s now clear that Russian hackers targeted voting systems in numerous American states ahead of the 2016 presidential election. With midterm elections looming in the U.S. in November, officials have been working hard to plug vulnerabilities. But determined attackers still have plenty of potential targets, from electronic voter rolls to voting machines and the software that’s used to collate and audit results.

As these and other risks grow in 2018, so will the penalties for companies that fail to address them effectively. On May 25, the General Data Protection Regulation will come into effect in Europe. The first big overhaul of the region’s data protection rules in more than two decades, the GDPR will require companies to report data breaches to regulators—and inform customers their data has been stolen—within 72 hours of discovering a breach. Failure to comply could lead to fines of up to 20 million euros or 4 percent of a company’s global revenues, whichever is greater.

The recent revelation that Uber covered up a big cyberattack last year has sparked calls for breach disclosure rules to be toughened in America too. All this means that lawyers as well as hackers will have a very busy 2018.

Author: Taran Ranger, CyNation
