Cybersecurity Predictions – How did we do – We made eight predictions for 2018, covering topics such as GDPR, the implications of ubiquitous encryption, aggregated data defence, ransomware, and how insider threats will impact cloud security.
We also talked about the dangers of data aggregators and the specifics of cryptocurrency hacks. We predicted that many of these predictions would have a significant impact on privacy, and the events of 2018 proved us correct.
After careful consideration, we assigned the following scores to the Report Card:
Frequently and early [Cybersecurity Predictions – How did we do]
As we looked for evidence to support or refute our 2018 predictions, it became clear that our 2018 forecasts were extremely accurate, with several predictions coming true within the first six months of the year.
Our 6-month report was published on our blog. At the 6-month mark, we assigned a solid “B+” grade. [Cybersecurity Predictions – How did we do]
Proof of Support
Privacy Strikes Back
Prediction: In 2018, there will be a broad and polarising debate about privacy, not just among governments, but also among ordinary people.
With several key moments in 2018 that had far-reaching global implications, privacy concerns were thrust into the spotlight.
The use of private customer data provided by Facebook by Cambridge Analytica will most likely be remembered as the event that brought privacy and data protection into the public consciousness. Facebook was fined for “serious breaches of data protection law” and a “failure to adequately protect its users’ privacy.” [Cybersecurity Predictions]
Indeed, in a 2018 Forcepoint customer survey, “concerns about privacy” were ranked as the top security issue. (TVID: 680-CB3-AE1) (Source: TechValidate). The European Union implemented its General Data Protection Regulations in May 2018. The EU initiative to consolidate varying data protection regulations across EU member states while emphasising personal data protection is now being debated in the US Senate, with input from Silicon Valley technology organisations.
Further reading:
Amazon was forced to respond to reports of virtual assistants sharing personal information (in this case personal conversations).
British police began using biometric data to identify individuals on the streets of the United Kingdom.
The performance of online ads was mapped to physical in-store purchases by online advertising brokers, sparking debate about the implications of such data collection and its intended or unintended consequences.
In August 2018, Mozilla announced plans to take a more proactive approach to privacy-protecting features (such as blocking third-party tracking cookies) in Firefox 63.
The EU ePrivacy Regulations proposals sparked further discussion and action on the issue of protecting an individual’s privacy in electronic communications. [Cybersecurity Predictions]
GDPR Prediction:
Procrastination Now, Panic Later Most organisations will be unprepared by the GDPR’s implementation date, and panic-driven policies will stifle businesses as they struggle to become compliant.
According to a 2018 Forcepoint survey, only 14% of those polled felt “completely prepared” for GDPR’s implementation in 2018. (Image courtesy of TechValidate. 4E0-A7D-76A (TVID). Many businesses struggled to implement the intent of the regulations on or around GDPR-day (25 May 2018), blocking EU citizens en masse from accessing their non-EU web properties. GDPR is also being recognised, with 16% more websites implementing cookie consent policies than at the start of the year.
The threat of large monetary penalties appears to have done little to stem the tide of data breaches in 2018. While Facebook was fined the maximum amount allowed by regulators at the time of the Cambridge Analytica incident, the fine would have been much higher if the breach had occurred after GDPR. [Cybersecurity Predictions]
Further reading:
During the year, major airlines were accused of losing credit card information due to web scripts intercepting personal data and hacks of back-end systems resulting in passport data leaks.
Facebook made headlines once more after it was revealed that software bugs allowed access to the accounts of 50 million users. The threat of large monetary penalties appears to have done little to stem the tide of data breaches in 2018. While Facebook was fined the maximum amount allowed by regulators at the time of the Cambridge Analytica incident, the fine would have been much higher if the breach had occurred after GDPR. [Cybersecurity Predictions]
Further reading:
During the year, major airlines were accused of losing credit card information due to web scripts intercepting personal data and hacks of back-end systems resulting in passport data leaks.
Facebook made headlines once more after it was revealed that software bugs allowed access to the accounts of 50 million users.
The UK’s Information Commissioner’s Office (ICO) encouraged students to use their data subject rights to request information about themselves and their exam performance, including the examiner’s comments on the paper. [Cybersecurity Predictions]
Things are being disrupted.
Prediction: IoT will not be held hostage, but will instead become a target for widespread disruption.
According to our 2018 survey, 76% of customers are concerned about the security of Internet of Things (IoT) devices or infrastructure within their organisation or supply chain. TechValidate TVID: 6B7-B75-241.
Because of the replaceable nature of the devices, we predicted that IoT would be immune to ransomware, reducing the likelihood that affected organisations would pay the ransom. As 2018 progressed, we saw several attacks targeting IoT, but not on the scale we expected. [Cybersecurity Predictions]
Further reading:
The threat of cyberattacks is causing havoc in the IoT market. According to Bain & Company, enterprise customers would buy 70% more IoT devices if their security concerns were addressed.
Radiflow discovered their first cryptocurrency miner in an ICS network, indicating what is to come for ICS/SCADA/IIoT environments.
Sophos discovered a denial-of-service (DDOS) bot that targets IoT devices.
The FBI warns that cyber threat actors can use unsecured IoT devices as proxies to conduct malicious cyber activities anonymously.
Prediction for the Rise of Cryptocurrency Hacks: Attackers will look for flaws in systems that use blockchain technology, which is associated with digital currencies. [Cybersecurity Predictions]
The number of and unfortunately successful attacks against cryptocurrency exchanges last year resulted in millions of dollars being lost to cybercriminals. This prediction came true just a few weeks after we released our 2018 report.
Here are some examples:
Tether announced a $31 million loss due to an external attacker, causing other cryptocurrencies to fall in value against the dollar.
Bitcoin Gold revealed that their GitHub-hosted Windows app had been hacked. For more than four days, a suspicious version of the app was hosted online.
For $60 million, the Japanese cryptocurrency exchange Zaif was hacked.
According to the National Police Agency of Japan, cryptocurrency thefts totaled 60.5 billion Yen in the first half of 2018, with the majority aimed at cryptocurrency exchanges. [Cybersecurity Predictions]
Aggregators of Data
Prediction: In 2018, a data aggregator will be breached using a known attack method.
Data aggregators are a natural target for attackers because they combine data from disparate sources. These data collectors had their fair share of incidents and vulnerabilities, but these were the result of unintentional errors rather than malicious attacks.
In our 2018 survey, we discovered that 59% of Forcepoint customers surveyed had privacy concerns raised by employees or customers in 2018 regarding data collection, sharing, and storage. (Image courtesy of TechValidate. 73D-087-B4E (TVID)
Further reading:
As previously stated, Facebook was fined the maximum allowable under the regulations in effect at the time for its involvement in the Cambridge Analytica case. If the incident occurred after May 25, 2018, the fine could have been several orders of magnitude higher.
When aggregated, Strava’s collection of users’ fitness-related activities was shown to reveal information about sensitive locations. Personal data may also be viewed as having an impact on user privacy.
Census and voter data sets are two excellent examples of aggregated data. A researcher discovered a large repository of 14.8 million records containing US Texan voter records on an unsecured server in 2018.
While GDPR is concerned with the protection of personal data, it is also critical to safeguard intellectual property. The automotive industry discovered this to their detriment when it was revealed that a supplier used by many manufacturers had stored data on an unsecured server.
Cloud Safety
Prediction: The adoption of cloud technologies will increase the risk of a trusted Insider breach.
We mentioned the importance of credential management for cloud-based systems in our predictions. Spoiler alert: we revisit password habits and the risks posed by insiders in our upcoming 2019 Cybersecurity Predictions Report. While cloud users struggled with security configurations, they also had difficulty restricting access to data stored in the cloud.
Further reading:
Deloitte’s corporate email server was accessed using administrator credentials. Two factor authentication (2FA) had not been implemented, with access controlled solely by a password.
A 2016 Uber breach can still provide insights (and lessons learned) into how a chain reaction of credentials left on a GitHub repository can be used to gain access to an AWS account.
According to Gartner, the global IAAS public cloud services market grew 29.5% in 2017, highlighting the preference to move to the cloud and the importance of security for those systems.
The Implications of Encryption by Default
Prediction: More and more malware will become MITM-aware.
While our specific prediction about MITM-malware did not pan out, our prediction about ubiquitous encryption across the web did. HTTPS adoption was enthusiastic, and politicians and software vendors encouraged the realisation that secure communication was now a basic requirement.
Further reading:
Google Chrome’s development team laid out their strategy to encourage HTTPS adoption and began delivering it with each new version of Chrome. Chrome users will now see clear warnings when sharing personal information with non-secure websites, and HTTPS-enabled websites will be treated as the norm.
Despite this, major web properties struggled with HTTPS. Governments failed to renew certificates, banks did not migrate to HTTPS on their homepages, and common website implementations were flawed.
Senators in the United States have called for the use of DoT (DNS over TLS) or DoH (DNS over HTTPS) technologies to protect citizens’ privacy when they interact with US government websites.
The Industry’s Next Giant Step
Prediction: CISOs will prioritise workforce monitoring and the use of UEBA in 2018.
CISOs use a top-down approach to understand business processes and then translate them into technology and process requirements as they evangelise their security and risk-management plans throughout the organisation.
We saw several examples of ideal use cases for workforce monitoring and UEBA, such as the US government’s Continuous Diagnostics and Monitoring programme. However, our data indicates that there is still a gap in perceptions of effectiveness between those managing the programme and those implementing it.
The events of 2018 highlight IT teams’ struggle to find the right balance of resources for detection, mitigation, and prevention. We’ve been working hard to make it easier for you. Forcepoint is leading the charge to provide human-centric security solutions powered by behavior-based analytics. Our most recent addition is Dynamic Data Protection, which provides risk-adaptive protection.
Final Score for Cybersecurity Predictions for 2018.
Overall, we’d give ourselves a solid B+ because the majority of our predictions were correct. This year has been defined by a theme of privacy preservation and data protection, which was evident in our forecasts.
Predictions for Cybersecurity in 2019
We are just a few weeks away from releasing our 2019 Forcepoint Cybersecurity Predictions, which will highlight cyber risk and trust themes for the coming year.
We consulted our global cybersecurity research and intelligence teams, as well as our CTO and CISO teams, once more. What do they predict for 2019, and do their predictions match yours?
Register to Hear from Our Experts
Forcepoint experts will break down our cybersecurity predictions and what they mean for your organisation in the coming year in an international series of webcasts beginning on Wednesday, November 14th.
Tune in to a webcast by selecting a time slot from the webcast registration page.