Digital Threats In 2019
In analysis / By Phil Muncaster / 25 February 2019
As we move through Q1 of the new year, what’s most noticeable in cybersecurity terms is the sameness of it all. Data breaches, ransomware outages, apocryphal warnings from leading consultancies. It all seems very much like 2018 in disguise. The fact that we’re already seeing major incidents just two months into 2019 tells you all you need to know about the determination of modern cyber-criminals.
Against this backdrop, organisations are spending ever greater amounts of money on digital transformation. This year, Gartner predicts a staggering $3.8 trillion will be spent globally on technologies designed to fuel innovation, agility and growth. As a new report reveals, this digital change is also exposing firms to greater IT complexity and cyber risk.
To regain the initiative, IT bosses must adopt a more proactive approach, considering security from the outset of any major project.
Types Of Cybersecurity Threats
IT Complexity Risks
The report itself, from Thales eSecurity, is gleaned from interviews with 1,200 IT/IT security executives in nine countries. Over a third (39%) regard themselves as in the advanced stages of digital transformation. It finds that IT complexity is driving up cyber risk in two ways: because data is now stored or processed in multiple cloud systems; and because it makes a coherent security strategy appear more difficult to achieve. In fact, “complexity” was given as the number one perceived barrier to implementing data security.
Some 60% of those polled said their organisation had suffered a data breach, over a third of which happened in the past year. Those further along in their transformation efforts are said to be more likely to have reported one.
Digital Landscape Threats
As for the threat landscape so far this year, it appears to be business-as-usual for the black hats. Airbus, and Houzz have all reported data breach incidents, while researchers spotted a new group using the infamous Magecart digital skimming code in a supply chain attack affecting hundreds of sites. Daily Motion reported a major credential stuffing attack on its users, while Kwik-Fit appears to have been on the receiving end of a serious ransomware attack which caused service outages for the best part of a week.
There have however been some positive stories for 2019 - Europol hailed the determination of the UK’s National Crime Agency (NCA) and other law enforcers in chasing down users of infamous DDoS-for-hire site webstresser. It also trumpeted the shut-down of xDedic, a notorious marketplace selling access to compromised servers, while in Leeds, three dark web drug dealers were jailed for 43 years.
Not to be outdone, security researchers have banded together to help hosters expedite takedowns of dodgy domains: info-sharing project URLhaus managed to shut 100,000 malicious websites in just 10 months.
That said, the cybercrime underground continues to run with menacing efficiency. Recent revelations that hackers have their hands on over two billion breached/leaked passwords confirms what we already knew - the dark web is an unstoppable source of cyber threats. In fact, Accenture recently estimated that global firms could lose over $5 trillion to cybercrime over the next five years. The laws of supply and demand will continue to drive this well-oiled money-making machine.
Lack Of Security In Design
As organisations increase their reliance on IT, the opportunities will only continue to grow for those that ply their trade on such dark websites and forums. It shouldn’t be a surprise that most business leaders and risk experts expect data and monetary theft (82%), attacks and cyber-related disruption to operations and infrastructure (80%) to increase in 2019. So, what’s to be done?
Thales eSecurity bemoans low levels of encryption: less than 30% of respondents said they use it in datacentres, the cloud, in big data environments, databases, mobile devices, and IoT environments. Although the vendor has a vested interest in highlighting the issue, it’s an important point, given the prominence that encryption is given as one of only two security technologies mentioned by name in the GDPR.
However, IT bosses need to look not just at encryption but the whole gamut of best practice security: from multi-factor authentication access controls to network monitoring, anti-malware, incident response, user awareness and much more. Using frameworks like ISO 27001 and Cyber Essentials can be a good place to start. Help can also come for smaller firms from managed service providers — as long as IT bosses scrutinise contracts and do their due diligence on providers.
According to the Thales report, even organisations classed as being more sophisticated - in terms of higher security spending and/or digital adoption - get breached more. This could be because they’re a bigger target and/or have better insight into threats, but it could also be because security is treated as an afterthought, subordinate to business demands around digital roll-outs.
If there’s one thing IT teams must get better at in 2019, it’s fighting for security to be included in any project from the very start. It’s not just a nice-to-have, it’s written into the GDPR.