Preparing for 2019 – Forecasting the Top Cyber Risk Issues
As 2018 comes to an end we are reminded of what a dynamic year it has been in the realm of cybersecurity. Threats continue to proliferate, the regulatory environment is expanding, and technology continues to advance at a rapid pace. We’ve seen Congress interrogate tech giants for malpractice, businesses scramble to comply with GDPR, governments suffer at the hands of adversarial influence operations, and ransomware plague individuals and entire cities. As we welcome a New Year and all it holds in store, we must also prepare for how to best oversee and manage a variety of new or expanded cyber-related risks. Here are the top cyber risk issues to keep in mind over the next year.
Cloud Infrastructure Vulnerabilities – With more and more organizations turning to cloud computing, the security implications of cloud computing in 2019 will be more important than ever. The value-add of cloud computing has reduced the need to build-out data centers and invest in expensive equipment, however, when asked about adopting enterprise cloud computing, 66% of IT professionals say that security is their top concern. As this resource continues to expand, expect to see more breaches and attacks on cloud infrastructure in 2019.
SCADA & ICS – In 2019, we expect to see increased threats to critical infrastructure and advanced manufacturing systems that utilize Supervisory Control And Data Acquisition (SCADA) or Industrial Control Systems (ICS). According to a 2018 survey conducted by Forrester, 60% of organizations surveyed that use SCADA or ICS experienced a breach to those systems in the past year. Moreover, U.S. CERT specifically called out the Russian government for its multi-stage and targeted attacks on U.S. critical infrastructure. Additionally, as the manufacturing industry continues to advance toward an industry 4.0, we should expect a range of additional cyber threats targeting industry technologies and processes.
Continued Influence Operations – While influence operations have always been a hallmark tool used by countries with well-developed intelligence capabilities, one country’s notorious behavior has taken the spotlight the last new years and will likely continue to do so in 2019 – Russia. Russian influence operations have stretched across the Americas, former Soviet satellite states, throughout Europe, and anywhere the Russian Federation might see it fit to erode the ideals of democracy and post WWII international order. Russia uses such operations as an alternative to hard power and, in the digital information age, will continue to use the cyber domain as a vector for such operations.
Compliance and Regulation
Gradual Domestic Movements on Data Privacy and Security Legislation – Crafting cybersecurity legislation has become a unique and unofficial remit of individual states. With little federal guidance, states have demonstrated their capacity for developing much-needed cybersecurity regulatory policy. As of 2018, each state now has mandatory cyber breach notification laws. The first breach notification law was established in California and, continuing to lead the way in cybersecurity regulation, California is moving forward with passing Internet of Things (IoT) legislation that is geared toward protecting consumer privacy and enhancing security measures around IoT devices. We might also expect other states to follow New York’s lead in developing policy to ensure financial services organizations comply to rules and regulations that are intended to protect non-public information from cyberattacks and data loss.
Aftermath of GDPR – The General Data Protection Regulation (GDPR) is now in full swing. As industries around the world continue to adapt their strategies to comply with GDPR one reality has to be faced – this type of legislation may be the first of its kind, but it certainly won’t be the last. If the history of cyber policy has shown us anything, it is that there tends to be a domino effect when it comes to cyber legislation. Take, for instance, Australia’s efforts in developing laws that require companies to notify individuals and the Australian government if they believe a data breach has impacted their systems that may lead to personal information being compromised. The Notifiable Data Breaches (NDB) act in Australia emerged in the wake of the Uber data breach – another reminder that as we continue to see high-profile breaches, nations will continue to develop policies to further protect consumers.
NDAA 2019 Cyber Provisions – The National Defense Authorization Act for FY 2019 provides numerous provisions on matters of cybersecurity. In an effort to encourage public-private collaboration, there are a number of takeaways for the private sector. The Act generally speaks of the U.S. taking a more offensive approach to cyber operations and calls on the private sector to scrutinize its own supply chains, IT products and services, and calls for the private sector to work closely with the government to enhance the defenses of U.S. critical infrastructure. Additionally, certain investments in critical technology, critical infrastructure companies, and companies that maintain or collect sensitive personal data of U.S. citizens may be subject to the Committee on Foreign Investment in the United States (CFIUS) jurisdiction. NDAA 2019 marks a trend that will be here to stay for years to come – the government will continue to have increased expectations on the private sector for increased collaboration on matters of cybersecurity.
Artificial Intelligence – AI is gradually becoming an integral component of business operations worldwide. In 2018 alone, nearly six out of 15 emerging jobs, in some way, are linked to AI. In a recent study, McKinsey found that nearly 47% of business executives say their companies already have embedded at least one AI capability within their business and 21% say their organization has AI capabilities in several parts of the business. Meanwhile, another 30% of organizations are piloting AI. The rapid proliferation of AI technologies, however, has left numerous agencies in the U.S. intelligence community listing AI as a long-term threat the country will have to face. But how? AI systems themselves may possess unknown vulnerabilities to businesses. As is a common theme with cybersecurity, the rapid development of technology often outpaces our abilities to adequately defend those technologies from threats – AI is no exception. Additionally, AI will undoubtedly have the capacity to magnify the impact of hostile cyber operations such as influence campaigns, phishing scams, and hacking in general.
5G – The fifth generation of mobile network technology is filled with promises of improvements of data transmission, speed, and capacity like the world have never seen. But, for all its promises in revolutionizing many aspects of modern technology, the revolution is not without risk. 5G is anticipated to drive IoT, and as more devices use 5G, the network’s overall attack surface will increase. We could see conventional tactics used by cyber adversaries, such as ransomware and DDOS attacks, used against or in concert with IoT devices.
Empowered/Edge Computing – Edge computing is slowly making its debut in computing. Essentially, edge computing is focused on the idea that in order to cope with large and complex datasets generated by IoT sensors, data needs to be analyzed and processed at the edge of a network rather than to a data center. Edge computing shares many security challenges as IoT, including that IoT devices are often not built with security in mind. This means threat actors might have easy access to core systems to which the edge devices connect to. In short, the more devices that generate data in a network, especially those used in edge computing, can lead to additional cybersecurity vulnerabilities.
Bring On 2019
As technology continues to rapidly develop it can seem overwhelming to stay on top all of the latest threats, regulations, and new tech that’s out there. But remember, all of these elements can be boiled down to something you are familiar with – risk. Cybersecurity should always be an essential element in your larger enterprise risk framework. As such, it is important that the leaders of your organization have a firm understanding of what cyber risk is and means for your organization. As you move on into the new year, N2K is here to offer comprehensive cyber risk training for your c-suite, board, and other executives. Whether you’d prefer an in-person training or training on the go we can accommodate your organization’s needs.