As information security professionals approach the finish line of another year, it’s fair to say the past 12 months have once again been packed with incident. Just as cybercrime is no respecter of international borders, so it doesn’t usually conform to neat 12-month cycles. However, taking stock of the biggest trends and stories over the year can be a useful discipline in helping to drive a more strategic way of thinking going forward.
So what have we learned from 2018?
Email still the number one vector
First, the stuff you already know. Email continued to be the number one threat vector this year, accounting for over 80% of threats spotted in the wild, according to most estimates. One firm claimed that as many as one in 10 emails are malicious. They deliver phishing attempts, BEC scams, crypto-mining malware, ransomware and much more. Over a third of global organisations Barracuda Networks interviewed for its Email Security Trends 2018 report said they’d experienced a phishing attack. That’s bad news when you consider that 93% of all breaches analysed by Verizon featured a phishing element.
Mitigating the risk requires a blend of the technical — including AI-powered tools to better spot anomalies — with the human aspect of cybersecurity. Unfortunately, it’s the latter where firms often still fall down. They need customisable tools that can help employees spot suspicious emails, voicemails, calls and texts.
Cloud security awareness rises … slowly
Another thing we learned this year is that organisations are starting to get more cloud-aware, but things are moving at a glacial pace. Barracuda Networks research revealed that, although the vast majority (71%) now correctly believe cloud security is a shared responsibility, over half (57%) claim their on-premise security is better than that offered in the cloud. It doesn’t need to be this way. The tools exist today to make cloud deployments just as, if not more, secure. Yet according to Barracuda, just 34% have deployed next-gen firewalls, while separate research from SumoLogic found just 43% of European firms are making use of built-in security and compliance tools like Amazon CloudTrail.
As organisations increasingly shift to hybrid cloud environments, microservices and agile DevOps methodologies, they will need to “shift left” with security, building it earlier into the app development lifecycle. That means continuous scanning of images pre-deployment as well as run-time protection.
Supply chain risk
Several reports out this year highlighted the dangers posed by third-party risk. The National Cyber Security Centre (NCSC) warned: “even if an organisation has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.” Even more recently, a report from financial regulator the FCA claimed that visibility into third-party security is still lacking in the sector. That’s a concern given the sector is a favourite target for attackers.
Organisations will need to do better if they want to stay on the right side of GDPR and NIS Directive regulators in 2019.
Counting the cost of ransomware
Despite reports claiming cyber-criminals are eschewing ransomware in favour of easier ways to make money by crypto-mining this year, it remained a threat for many organisations. Those affected this year included the Scottish Arran Brewery, and Bristol Airport — the latter forcing staff to resort to handwritten departure boards for a weekend. Europol warned that ransomware remained the biggest malware threat to businesses and will remain a top threat for years.
As if to reinforce its point, it emerged this year that WannaCry cost the NHS £92m in lost output and IT overtime. But beyond the high-profile worms of 2017, ransomware is becoming more targeted today, as witnessed by strains such as SamSam. Recently attributed to two Iranians, these attacks have hit countless hospitals and local authorities in the US, Canada and UK, costing an estimated $30m in losses over the past three years.
The GDPR starts here
Last but not least, it’s been another year of major data breaches and leaks: from the Facebook Cambridge Analytica scandal to Cathay Pacific and Marriott International. A new development has been the emergence of several attack campaigns run by groups using the Magecart digital skimming code to strip card details from sites as soon as they are entered. Hundreds of e-commerce firms have been hit, either directly like British Airways, or via third-party suppliers like Ticketmaster’s Inbenta Technologies.
IBM claims the cost of a breach now stands at just shy of $3.9m, an increase of over 6% from 2017. However, this figure could soon be out of date as the GDPR and NIS Directive regulation kicks in. We’ve been waiting for the first big fine for seven months, but at the time of writing, there’s only been one €20,000 penalty for a German chat app maker. That could be set to change with the Marriott breach affecting an estimated 500 million customers since 2014.
Security professionals and Data Protection Officers (DPOs) will be looking on keenly to see how regulators react. The UK’s ICO has issued major fines of £500,000 (Facebook and Equifax), £385,000 (Uber) and £250,000 (Yahoo) this year under the old regime. What happens next could precipitate a sharp increase in compliance spending in 2019.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.