Let’s be frank: 2017 was a banner year for cyberinsecurity.
The world experienced a rising tide of everything from ransomware to advanced persistent threats to state-sponsored cyberattacks. It was a year in which organized and disorganized cybercriminals, script kiddies, hacktivists, covert military units, disgruntled employees, and a wide range of other bad actors leveraged technology as never before to create havoc and ruin lives. Experts warned of a global feeding frenzy of disruption and damage, fueled by massive breaches and catastrophic thefts of personal information and online identities.
Some would say that came to pass. 2017 was a year to learn from, a year to take stock of, and to take strength from. Here are a few takeaways from our Cyberinsecurity Year of Living Dangerously.
The public is really starting to “get it,” cybersecurity-wise
Breaches at Equifax and Anthem put names, dates of birth and Social Security numbers into criminals' hands on a scale that exposes the inadequacy of password-only and knowledge-based authentication: the "secrets" meant to verify a person are now widely available to attackers. The public is becoming more aware of the risk to their online accounts, and momentum for password alternatives and multi-factor authentication is building. As people accept a somewhat more demanding sign-in in return for stronger authentication, that shift in mindset will push industries to promote and adopt better access controls rather than avoiding the inconvenience that strong barriers to unauthorized access impose.
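To make concrete what "a second factor" adds over a password, here is a worked example of a password-plus-TOTP login check (RFC 4226 HOTP and RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits). It is an added example, not code from the original article; it uses only the Python standard library, and the user record, salt and secret are constructed for illustration (the secret is the RFC test-vector key, so the codes it produces can be checked against the RFCs). Two points the paragraph cannot show: the verifier tolerates one step of clock drift, and it refuses to accept a code a second time, so a code stolen by a phishing page cannot be replayed within the drift window.

```python
"""Password + TOTP second factor (RFC 4226 / RFC 6238). Added example, stdlib only.
The user record and secret below are constructed for illustration, not real credentials."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code for a counter, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """Code for the current (or the given) time step."""
    ts = time.time() if at_time is None else at_time
    return hotp(secret, int(ts // step))


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                window: int = 1, step: int = STEP_SECONDS,
                last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is rejected.

    window=1 tolerates one step of clock drift either way. Any counter at or below
    last_counter is refused, so a code that has already been used cannot be replayed
    inside the drift window. Comparison is constant-time via hmac.compare_digest."""
    ts = time.time() if at_time is None else at_time
    now_counter = int(ts // step)
    for delta in range(-window, window + 1):
        candidate = now_counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a real deployment would store the iteration count too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_login(user: dict, password: str, code: str, at_time: Optional[float] = None) -> bool:
    """Both factors are always evaluated; success advances the user's last_counter."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = verify_totp(user["totp_secret"], code, at_time,
                          last_counter=user["last_counter"])
    if pw_ok and matched is not None:
        user["last_counter"] = matched
        return True
    return False


# Constructed sample data: the RFC 4226/6238 test-vector key and a fixed salt.
RFC_TEST_SECRET = b"12345678901234567890"
SALT = b"constructed-static-salt"        # a real system uses os.urandom(16) per user


def make_user(password: str, secret: bytes = RFC_TEST_SECRET) -> dict:
    return {"salt": SALT, "pw_hash": hash_password(password, SALT),
            "totp_secret": secret, "last_counter": -1}


def enrollment_key(secret: bytes) -> str:
    """Base32 form of the secret, as an authenticator app expects it at enrolment."""
    return base64.b32encode(secret).decode()


if __name__ == "__main__":
    user = make_user("correct horse battery staple")
    print("enrolment key:", enrollment_key(RFC_TEST_SECRET))
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))                              # 287082
    print(verify_login(user, "correct horse battery staple", "287082", at_time=59))  # True
    print(verify_login(user, "correct horse battery staple", "287082", at_time=59))  # False (replay)
```

The stored `last_counter` is what turns a one-time code into a genuinely one-time code; without it, the drift window that keeps legitimate users happy also gives an attacker up to 90 seconds to reuse a phished code.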
There’s a new Euro sheriff in town: General Data Protection Regulation
The EU’s sweeping General Data Protection Regulation (GDPR), adopted in 2016, becomes enforceable on 25 May 2018, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, to punish noncompliance. Many businesses around the world, still unprepared, will scramble to achieve compliance before someone is made an example of, but all but the biggest organizations are already having a devil of a time finding consultants to help them, and the going rate for experts will be high. Resources are already booked solid.
IT infrastructure must be defended against attacks from the Internet of Things
With millions of devices (cameras, controllers, monitors, appliances, industrial equipment…) already connected to the Internet of Things, compromised devices were again marshalled this year into armies that can launch attacks at the stroke of a key. The Andromeda botnet (also tracked as Gamarue and Wauchos; a single malware family, largely on Windows PCs, whose infrastructure was dismantled by an international law-enforcement operation in December 2017) was estimated to be infecting more than a million machines a month, and Gartner estimates that more than half of major new business processes and systems will include an IoT component by 2020. If what we’ve seen so far continues, botnets could become the infrastructure of a future darknet.
We learned that, going forward, any device that will be connected to the web must ship with a higher baseline of security, with authenticated automatic updates becoming standard for new products. IoT security requires a comprehensive approach spanning people and policy as well as technical controls, including encryption of data both in transit and at rest.
Trust is in short supply
As breaches become more common, more companies are demanding security audits of their partners, suppliers, and service providers. Today no organization can unconditionally reassure its customers that their data is safe, because too many risks may lurk within the organizations it does business with. Use of Kaspersky software has been banned in U.S. federal agencies (DHS Binding Operational Directive 17-01) over suspicions of Russian government influence. China’s far-reaching Cybersecurity Law, passed in late 2016, took effect on 1 June 2017; it subjects network products to government security reviews and imposes data-localization requirements, and foreign vendors fear those reviews will extend to disclosure of source code. There were many other examples of a world waking up to the fact that no one should assume information is secure as it traverses data networks and public or private clouds.
We expect trust to become an ever more precious asset in the coming year. The rule will be “do not trust, verify.”
There’s always a silver lining
On the positive side, 2017 was a year in which general awareness of cyber dangers grew markedly, and organizations began taking effective action to thwart the rise of devastating attacks. Businesses everywhere are realizing that “we’re in this together.” Cooperation matters more than competition when it comes to protecting the privacy and security of our shared information assets.