As the year winds down, most security experts begin to set their sights on the months ahead. It makes sense because we should be planning for potential attack vectors and figuring out ways to protect sensitive data and networks.
But you can’t really plan for the future without understanding what happened in the past. The attacks of 2019 aren’t coming out of nowhere; they are building on the trends from 2018.
“While cyberattacks have become more unpredictable, three core principles remain true,” said Geoff Forsyth, CTO at PCI Pal. “Cyberattacks have evolved rapidly and unpredictably in the past year, but three core principles remain the same: Vulnerabilities are found in new systems and are attacked sometimes even before being discovered, old systems with known vulnerabilities continue to provide a glut of opportunities for attackers, and human error continues to be a reliable target for any malefactor.”
Here’s what security experts said were some of the biggest cyber trends in 2018, a show of how things have evolved, yet stay the same.
Major Data Breaches and the Tremors
Just like a major earthquake will have aftershocks, major data breaches spawn their own tremors. Yes, the high-profile, very large data breaches gain all the headlines, said Franklyn Jones, CMO at Cequence Security, but these types of breaches also provided fuel for a significant number of secondary bot attacks in 2018. “These attacks leverage stolen credentials acquired from the dark web following the initial breach, then target other digitally connected organizations to take over consumer accounts for financial gain,” said Jones.
We Continue to Miss the Cybersecurity Basics
Cybersecurity is hard. Cybersecurity is going to continue to be hard. But we’ve done nothing in 2018 to make it easier, said Tyler Ward, IGI’s VP of Security, because organizations fail at the basics. This allows cybercriminals to carry out pretty simple attacks. They know where our failures are going to be.
“A majority of data breaches this year and in past years were caused by employee errors, whether that employee fell victim to a phishing scam, downloaded a malevolent attachment, and so on,” said Keri Lindenmuth, marketing manager with KDG.
But is there hope on the horizon? Yes, because employers are finally starting to realize that the biggest cybersecurity problems aren’t in the great unknown, but in our own offices. Maybe it is because of an increasing consumer backlash against data breaches and probably because of GDPR’s strict privacy regulations, in 2018, security training and education now has a higher priority in business settings.
Making cybersecurity an organizational responsibility has taken on an even greater importance because 2018 continued a trend we’ve been seeing for a while – the shortage of a skilled cybersecurity workforce.
“We are seeing an increase in apprenticeship programs and more diverse training and recruiting practices to bridge this enormous talent and diversity gap the industry has today,” said Jason Albuquerque, CISO of Carousel Industries.
“We are in the midst of a ‘corporate enlightenment’ to the magnitude of risk that the human factor brings to arguably all companies,” he added. “CEOs and Boards of Directors are requiring more visibility into their organization’s security posture in terms of insider threats, cyber awareness training, and end-user education.”
Cryptojacking: A Lucrative Trend for Criminals
Cryptojacking is another popular trend that we're seeing right now, according to Stu Sjouwerman, CEO with KnowBe4. “There are a few reasons why cryptojacking is so interesting to criminal organizations - it's lucrative, it's tough to detect, and it's tough to get caught.”
Cybercriminals are finding a foothold on the network or even browsers and installing the crypto-mining software to maintain persistence, added Ron Pelletier, founder of Pondurance. “They can remain in the network undetected – and are often successful – because they may not be looking to steal data, and they may not be looking to infect the organization further. They just want to use that processing power to fuel the crypto-mining process.”
We’re also seeing that cryptojacking runs in tandem with the value of cryptocurrency. The more valuable a cryptocurrency is on the market, the more value it has to a cybercriminal and the more likely it is you’ll see an uptick in cryptojacking incidents.
It’s All About Privacy
Honestly, perhaps the biggest security trend in 2018 surrounded data privacy. Yes, this was jump-started by GDPR, but American consumers are demanding action here, too. Surprisingly, the government is listening.
States were the first to pick up the challenge, most famously with the California Consumer Privacy Act, but Vermont, Colorado, Ohio, Illinois and other states are passing their own legislation meant to protect consumer data. Congress has called executives from some of the largest tech companies to testify about their data privacy efforts, and members of Congress have been introducing legislation to address privacy issues.
“Rep. Hank Johnson has two bills that he will be re-introducing on cybersecurity and data privacy,” said J. David Sims, managing partner with Security First IT. “One is The Application Privacy, Protection and Security Act of 2018 (H.R. 6547), which deals with data collection and security for mobile devices. The other is the Data Broker Accountability and Transparency Act of 2018 (H.R. 6548), which, among other things, would allow U.S. citizens to have their data erased from corporate servers.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba