It’s that time again.

That time when we look back at the year that was. It’s a habitual practice we all engage in, in some shape or form. Sometimes it’s to reminisce about the victories and joys we experienced. Other times it’s to learn from the mistakes we made. For many, it is a way to discern what it all meant and what it portends for the coming year. From a cybersecurity perspective, 2018 was an active year, to say the least. In this article we will spotlight some of the major events and trends that helped define the year that was. We will then examine some of the challenges we face in the year ahead.


Social Media Sites were Popular with Hackers for Many Reasons

Social media continued to be a driving force in 2018 for society at large. People continue to spend a large amount of their time browsing and posting to these interconnected sites, having recognized the power of sharing information both socially and professionally. Unfortunately, hackers love what users share too. They continued to turn to sites such as Facebook for information such as your mother’s maiden name, the name of your first pet or the make and model of the first car you owned. Why? Because this type of information is commonly asked for in the security questions used to reset online account passwords. Hackers also use social media to track the lives and routines of business executives within targeted companies. Besides mining social media as a vast open source of information to aid their attacks, hackers attacked the social media sites themselves.

  • Facebook was involved in not one, but two separate data breach incidents. In April, the leading social media site informed the world of the Cambridge Analytica scandal, which exposed the information of 87 million FB users. Later, in September, FB engineers discovered another breach involving 50 million FB users.
  • Google+ experienced a data breach in October. Coupled with the fact that the social media site never managed to gain real popularity, the incident response plan initiated by Google was simply to shut down the site.
  • Quora may not be a social media site you think of, but it has 300 million users. It is a site on which users post questions concerning just about any subject you can possibly think of. Unfortunately, an unauthorized user didn’t ask, but seized the information of 100 million of its users by infiltrating its servers.

Cities and Municipalities were Easy Targets for SamSam

Regardless of location or population, government municipalities have several things in common. They offer essential services to the local residents who depend on them. They host a lot of valuable data, and they often lack the cybersecurity expertise and personnel required to fully protect their network infrastructure from experienced cyber criminals. The SamSam ransomware strain traveled across the country in 2018, inflicting destruction on many towns and cities.

  • The state of Georgia received more than its share of attacks. Atlanta, the ninth largest metro area in the U.S., was forced to halt many essential operations in March when it fell victim to ransomware. The city refused to pay the $51,000 bitcoin ransom demanded by the perpetrators and has since spent 17 million dollars cleaning up the aftermath. Five months later, suburban Coweta County experienced an attack that brought down nearly all of its servers for up to two weeks.
  • The state of Alaska may still be an untapped frontier compared to the other 49 states, but it isn’t exempt from cyber attacks. Over the summer, the Matanuska-Susitna Borough, located just outside of Anchorage, fell victim to a ransomware attack that encrypted not just its production environments but its backups as well. As a result, its email system was irrecoverable. Days later, Valdez, Alaska lost the use of its entire network due to a separate attack and paid a ransom of $23,000.

Major Cybersecurity Compliance Legislation is Passed throughout the Western World

The General Data Protection Regulation (GDPR) took effect in May. Yes, it may have been passed by politicians residing on the other side of the world, but GDPR will have a sweeping impact throughout the United States and elsewhere across the globe for many years. That is because GDPR doesn’t just apply to companies that reside within the borders of the EU. It applies to any organization, anywhere, that processes or stores the personal data of EU citizens. In other words, it is directed not at companies but at the data and information of the EU citizens it protects. The fines GDPR provides for are also potentially devastating. Companies can be fined as much as 4% of annual global revenue or €20 million (whichever is greater) for the most serious infringements. A lower tier levies a fine of 2% or €10 million for lesser infractions.

GDPR may have created a template that other governments will soon adopt as well. In September, the state of California passed its own version of GDPR, called the California Consumer Privacy Act of 2018 (CCPA). The legislation will go into effect January 1, 2020 and will be the strictest data privacy law of its type among the 50 states. Like GDPR, CCPA is not restricted to companies that reside inside the state’s borders. It too follows the data of the state’s residents, which means that national companies that serve California-based customers must comply with the regulations as well. This will force multi-regional corporations either to create a separate policy concerning the data of California residents or to adopt CCPA regulations universally.


The Healthcare Industry Grew Ill from Cyber Attacks

If the healthcare industry were a patient in 2018, its diagnosis would not be good. Healthcare cybersecurity saw a great deal of activity. In the month of July alone there were 33 data breaches within the industry, affecting 2,292,552 patients. One of those incidents was a phishing attack on Iowa-based UnityPoint Health that involved 1.4 million patients. Nearly every type of healthcare sector was hit this year.

Examples included a hospice organization in May, a cancer treatment center in December, a healthcare insurance firm in September, a clinical laboratory in July and an eyecare center in November. The breaches had multiple causes, including phishing attacks, malware, employee negligence and traditional hacking. Despite the fact that 92 percent of healthcare organizations planned to spend more on cybersecurity in 2018, it is clear that the industry needs to do more in 2019.


Predicted Cybersecurity Challenges for 2019

No one knows for sure what the future holds. There are some things, however, that we can be fairly certain of going forward. The cyber attack surfaces of enterprises will expand, creating more points of vulnerability. Hackers will grow more sophisticated as criminal organizations now actively recruit top college talent from universities in some parts of the world, such as Eastern Europe. We also know that the weakest security link within most enterprises will continue to be the end user, and that cyber criminals will continue to target them in creative ways next year. Some of the cybersecurity trends that companies and organizations will have to contend with are outlined below.


Nation state hacking

Cyber attacks sponsored or initiated by nation states will increase in 2019. This includes espionage, cyber crime and sabotage. IP theft now accounts for more than 25 percent of the $600+ billion cost of cyber crime to the world economy. The concern is not just the increased volume of nation state backed attacks, but the high-level talent and expertise behind them. While nation states can afford to recruit top talent, small and midsize businesses (SMBs) do not have the resources or personnel to combat them.


Growing sophistication of email attacks

There was a time not so long ago when the primary task of email security was to stop unwanted spam from overwhelming user inboxes. Those annoying emails concerning weight loss, get-rich-quick schemes and performance enhancement products constituted the extent of email threat concerns. Today, email is the primary delivery mechanism for sophisticated malware and hacking attacks. Once plagued by poor grammar and spelling errors, these email attacks continue to grow in sophistication and effectiveness. Phishing attacks will continue to batter user inboxes in the coming twelve months.


GDPR fines will kick in

Companies across the Western world have been trying to figure out their compliance responsibilities concerning GDPR since it took effect in May. Many were still scrambling to meet their obligations well into the summer. GDPR regulators have been lax in enforcing the sweeping legislation up to now in order to give companies the opportunity to adjust to the new requirements. That is about to end, however. In an October interview with Reuters, European Data Protection Supervisor Giovanni Buttarelli explained that regulators are ready to begin levying penalties against companies that run afoul of the GDPR. The International Association of Privacy Professionals (IAPP) predicts the first enforcement actions will occur in February of 2019.


The proliferation of IoT

The presence of IoT will continue to expand rapidly throughout enterprises of all sizes in the coming year in order to quench the insatiable thirst for data and information. According to Gartner, the number of IoT devices will grow to 20.4 billion by 2020. That is a lot of touchpoints to protect. Even more challenging is the fact that IoT devices are rarely designed with a security mindset. They lack endpoint protection and often rely on outdated security protocols. Worse still, these devices usually reside at the edge of the network, where security is less scrutinized.


The cybersecurity talent shortage will continue

For many hiring managers, this is nothing new. Some estimates put the number of unfilled cybersecurity positions as high as 3.5 million by 2021. In a 2017 study, two-thirds of the nearly 20,000 respondents indicated that their organizations lack the number of cybersecurity professionals needed for today’s threat climate. This critical shortage of talent will force many organizations to turn to third-party consulting firms.


The Good News

Yes, there are a lot of challenges facing us next year, but there is good news too. You aren’t expected to be prepared to combat every threat you encounter in 2019, and you won’t be penalized for falling short of perfection. What is expected is that you perform your duty of care. A set of guidelines called the Center for Internet Security Risk Assessment Method (CIS RAM) provides a set of controls to address your risks and obligations, as well as a prioritized set of actions to protect the assets of your organization from cyber attacks. You don’t have to be scared of the challenges that 2019 will bring. You only have to be prepared to the extent that you are reasonably and legally expected to be.

