Cybersecurity Predictions 2018 – How did we do?
One year ago we released our 2018 Cybersecurity Predictions report. As the year closes we can now reflect on our statements and review the accuracy of our predictions.
We made eight predictions for 2018 where we discussed regulations such as GDPR, the implications of ubiquitous encryption, the defence of aggregated data, ransomware and how insider threats will impact cloud security. We also discussed the threat to data aggregators and the specifics of cryptocurrency hacks. We believed that many of these predictions would also have a profound impact on privacy, and the events of 2018 largely showed that we were spot on.
Upon reflection we assigned scores as per the Report Card below:
Early and Often
As we sought evidence either supporting or contradicting our 2018 predictions, it became apparent that our 2018 forecasts were incredibly timely with a several predictions playing out within the first 6 months of the year.
Our 6-month summary was documented in our blog. Overall we assigned a solid “B+” grade at the 6 month stage.
Privacy Fights Back
Prediction: 2018 will ignite a broad and polarizing privacy debate not just within governments, but between ordinary people.
Privacy concerns were pushed into the limelight with several key moments in 2018 that had far-reaching global impact.
Cambridge Analytica’s use of private customer data provided by Facebook will likely be remembered as the event that thrust privacy and data protection into the public consciousness. Facebook was fined for “serious breaches of data protection law” and a “failure to sufficiently protect the privacy of its users.”
Indeed, in a 2018 survey of Forcepoint customers “Concerns over privacy” ranked as the top security issue. (Source: TechValidate. TVID: 680-CB3-AE1). In May 2018, the European Union enforced its General Data Protection Regulations. The EU initiative to consolidate varying data protection regulations across EU member states and place an emphasis on the protection of personal data has now been discussed in the US Senate with input from Silicon Valley technology organizations.
- Amazon was forced to address reports of virtual assistants oversharing information (in this case personal conversations).
- British police started to use biometric data to identify individuals on the streets of the UK.
- Online advertising brokers mapped the performance of online ads to physical in-store purchases leading to discussions around the implications of such data collection and its intended or unintended consequences.
- In August 2018 the Mozilla organisation announced steps to a take a more proactive stance on privacy preserving features (such as blocking third-party tracking cookies) in Firefox 63
- The EU ePrivacy Regulations proposals continued to spark debate and action on the topic of preserving an individual privacy in electronic communications.
GDPR: Procrastination Now, Panic Later
Prediction: Most organizations will not be ready prior to the GDPR enforcement date, and panic-driven policies will stifle businesses as they struggle to become compliant.
A 2018 survey by Forcepoint found that only 14% of those surveyed felt that they were “completely prepared” for the roll-out of GDPR in 2018. (Source: TechValidate. TVID: 4E0-A7D-76A). On or around GDPR-day (25 May 2018) many businesses struggled to implement the intent of the regulations blocking EU citizens en masse from accessing their non-EU web properties. GDPR is also accredited with 16% more websites deploying cookie consent policies compared with the start of the year.
The possibility of large monetary fines seems to have done little to stem the tide of data breaches during 2018. While Facebook was fined the maximum fine as permitted by the regulators at the time of the Cambridge Analytica incident the fine would have been much higher had the breach occurred post-GDPR.
- During the year large airlines were alleged to have lost credit card details via web scripts intercepting personal data and hacks of back-end systems leading to leaks of passport data.
- Facebook was again in the headlines after it was revealed software bugs permitted access to the accounts of 50 million users.
- The UK’s ICO encouraged students to make use of their data subject rights to request information about themselves and their exam performance including the comments made on the paper by the examiner.
Disruption of Things
Prediction: IoT is not held to ransom, but instead becomes a target for mass disruption.
Our 2018 survey showed 76% of customers are concerned about the security of Internet of Things (IoT) devices or infrastructure either within their company or supply chain. (Source: TechValidate. TVID: 6B7-B75-241). Our prediction suggested IoT would not be subject to ransomware given the replaceable nature of the devices and so reduced likelihood that affected organizations would pay the ransom. As 2018 unfolded we saw several attacks targeting IoT but not at the scale in which we anticipated.
- The threat of cyberattacks is disrupting the IoT marketplace. Bain & Company found that enterprise customers would buy 70% more IoT devices if their security concerns were addressed compared with if not.
- Security company Radiflow made their first discovery of a cryptocurrency miner in an ICS network, an indication of things to come for ICS/SCADA/IIoT environments.
- Sophos identified a denial-of-service (DDOS) bot targeting IoT devices.
- The FBI warns that cyber threat actors can use unsecured IoT devices as proxies to anonymously pursue malicious cyber activities.
The Rise of Cryptocurrency Hacks
Prediction: Attackers will target vulnerabilities in systems that implement blockchain technology associated with digital currencies.
This last year was notable by the number of, and unfortunately successful nature of, attacks against cryptocurrency exchanges resulting in millions of dollars being lost to cybercriminals. We saw this prediction come true just a few short weeks after we published our 2018 report.
Here are but a few examples:
- Tether announced a $31 million loss due to an external attacker which had a knock-on effect for other cryptocurrencies against the dollar.
- Bitcoin Gold announced that their GitHub-hosted Windows app had been tampered with. A suspicious version of the app was hosted online for over 4 days.
- Japanese cryptocurrency exchange Zaif was hacked for $60 million.
- The National Police Agency of Japan announced that cryptocurrency thefts totalled 60.5 billion Yen in the first half of 2018 with the majority targeted towards cryptocurrency exchanges.
Prediction: A data aggregator will be breached in 2018 using a known attack method.
As data aggregators combine data collected from disparate sources they naturally become a target for attackers. These data collectors certainly dealt with their unfair share of incidents and vulnerabilities but these were more the result of unforced errors rather than malicious attacks. In our 2018 survey we discovered that 59% of Forcepoint customers surveyed had privacy concerns such as data collection, sharing and storage raised by employees or customers in 2018. (Source: TechValidate. TVID: 73D-087-B4E)
- As noted above Facebook was fined the maximum permissible fine under the regulations of the time for its involvement in the Cambridge Analytica case. Had the incident occurred post-25 May 2018 the fine could have been orders of magnitude higher.
- Strava’s collection of user’s fitness-related activities was shown to reveal information about sensitive locations when aggregated. Personal data could also be viewed impacting user privacy.
- Census and voter data sets are prime examples of aggregated data. A large repository of 14.8 million records containing US Texan voter records was found on an unsecured server by a researcher in 2018.
- While GDPR relates to the protection of personal data it is also vital to protect intellectual property. The automotive industry found this to their cost when it was reported that a supplier common across manufacturers was found to have held data on an unsecured server.
Prediction: Adoption of cloud technologies will increase the risk of a breach from a trusted Insider.
In our predictions we spoke of the importance of credential management for cloud-based systems. Spoiler alert: in our upcoming 2019 Cybersecurity Predictions Report we revisit password habits and the risks posed by insiders. While cloud-adopters struggled with security configurations they also struggled to lock down access to data stored in the cloud.
- Administrator credentials were used to access the corporate email server at Deloitte. Two factor authentication (2FA) had not been deployed with access gated by only a password.
- A 2016 breach at Uber can still offer insights (and lessons learned) on how a domino effect of credentials left on a GitHub repository can be used to access a AWS account.
- The worldwide IAAS public cloud services market grew 29.5% in 2017 according to analyst firm Gartner highlighting the preference to move the cloud and the importance of security those systems.
Encrypted by Default – Implications for All
Prediction: An increasing amount of malware will become MITM-aware.
While our specific prediction around MITM-malware did not transpire in the way we anticipated our prediction centred on ubiquitous encryption across the web. The adoption of HTTPS was enthusiastic and a realisation that secure communication was now a base requirement was encouraged by politicians and software vendors.
- Google Chrome’s development team set out their plan to encourage adoption of HTTPS and began to deliver it with each new version of Chrome. Chrome users now see clear warnings when sharing private data with non-secure websites and HTTPS-enabled websites are treated as the accepted norm.
- Even so major web properties still struggled with HTTPS. Governments forgot to renew certificates, banks had not migrated to HTTPS on their homepage and implementations of common websites showed problems.
- US Senators have called for the adoption of DoT (DNS over TLS) or DoH (DNS over HTTPS) technologies to further preserve privacy when citizens interact with US government websites.
The Next Giant Leap for the Industry
Prediction: Workforce monitoring and employing UEBA will be a top priority for CISOs in 2018.
As CISOs evangelise their security and risk-management plans around the business they are using a top-down approach to understand the business processes and then translate that into technology and process requirements. We saw several examples of ideal use cases for workforce monitoring and UEBA, such as the Continuous Diagnostics and Monitoring program of the U.S. government. However, our own data suggests there is still a divide in the perceptions of effectiveness for those managing the program and those implementing it.
The events of 2018 highlight the struggle for IT teams to balance the right mix of resources between detection, mitigation and prevention. We have been working hard to make that easier. Forcepoint is leading the charge to deliver human-centric security that delivers solutions driven by behaviour-based analytics. The latest among these are our recently launched Dynamic Data Protection for risk-adaptive protection.
Final Grade for 2018 Cybersecurity Predictions
Overall, we would give ourselves a solid B+ grade as for the majority of predictions we were spot on. This year has been underpinned by a theme of privacy preservation and data protection; a theme that was apparent in our predictions.
2019 Cybersecurity Predictions
We are just a few weeks away from releasing our 2019 Forcepoint Cybersecurity Predictions, highlighting themes of cyber risk and trust for the forthcoming year.
We have once again consulted our global cybersecurity research and intelligence teams as well as our CTO and CISO teams. What will they predict for 2019 and will those predictions match with yours?
Register to Listen to our Experts
In an international series of webcasts starting on Wednesday, November 14th, Forcepoint experts will break down our cybersecurity predictions and what they mean for your organization in the year ahead.
Tune in to a webcast by choosing an available time slot via the webcast registration page.