Digital Transformation At Risk In 2019 As Cyber Threats Evolve
In insight / By Phil Muncaster / 02 January 2019
Organisations across the UK are joining the digital transformation revolution. From transport and healthcare to government and retail, no sector has been left untouched by the push to digitise for greater agility, cost savings, productivity and growth. Yet security is often left as an afterthought in this drive, and that could be a costly mistake as we head into 2019, when IT teams will be under greater pressure than ever to deliver the secure foundation on which newer ways of working must be based.
Here are my top five predictions for the year ahead:
Cloud Under Attack
Cloud and app-driven development is helping to fuel much of this digital transformation, but there are increasing risks associated with this infrastructure. We recently saw the first major flaw in the popular container orchestration platform Kubernetes. More will surely follow as microservices grow in popularity among DevOps teams, which makes prompt patching a must in 2019.
Cloud databases will also become a bigger target. Misconfiguration errors that leave key data stores publicly accessible will be punished by attackers scanning the internet for gaps in security. Many will look to extort victim organisations by stealing that data and offering to return it for a fee, as we’ve seen in the past with MongoDB attacks.
The Dark Side Of AI
This time last year I predicted that machine learning would increasingly be used for both good and bad. Well, half of that prophecy came true: it’s hard to find a vendor today not touting its own AI capabilities. However, we’ve yet to see any reports of the black hats using similar techniques to make their own attacks more successful. I’d expect this to change over the coming 12 months. The value of the technology becomes particularly clear in targeted attack scenarios, when AI can be used to monitor executive communications and then insert virtually flawless spear-phishing messages.
Same Old Breaches
The success of digital transformation is fundamentally built on data, and lots of it. As these efforts gather momentum, organisations will inadvertently expose themselves to a greater risk of that data being stolen if they don’t take appropriate steps. Breaches have become the new normal of doing business today, and in 2019 the roll-call of brands that should have known better will continue. Boards need to remember that it’s not just the big names that are targeted. Nearly half of UK businesses have experienced a breach or attack in the past 12 months, according to a government survey in April 2018.
To focus the attention of senior executives, we can expect to see the first major GDPR fines start to roll in over the course of 2019.
When IoT Goes Wrong
The Internet of Things (IoT) is also at the vanguard of the digital transformation revolution, helping organisations to become more efficient, cost effective and responsive to rising consumer expectations. But these technologies continue to be produced without enough attention paid to cybersecurity. It’s a complex ecosystem with many moving parts, and points of weakness to exploit, from the networks they run on to the back-end cloud platforms, app-based controllers, and the devices themselves. A recent report highlighted major systemic flaws in two popular messaging protocols used by many devices, exposing organisations to targeted attacks, denial of service and industrial espionage.
A related risk is the convergence of IT and OT systems: the latter were historically not designed with security in mind but are now exposed to the public-facing internet. One vendor revealed a 30% increase in SCADA vulnerabilities discovered in H1 2018 versus the same period in 2017. Expect a surge in attacks targeting vulnerable systems with data theft, extortion and sabotage in mind.
A First Fine For CNI Providers
Finally, let’s consider the impact of the NIS Directive in 2019. This lesser-known cousin of the GDPR has not garnered much publicity since it came into force in May 2018. That’s in part because it has taken a few months for governments to notify all those critical infrastructure providers who are covered by it. In the coming 12 months we can expect to see regulators take a harder line on non-compliance. Once again, digital initiatives may be unwittingly exposing organisations in this sector.
This is not just about data loss, as per the GDPR, but serious attacks leading to critical service outages. As the impact of WannaCry on the NHS showed, it takes just one incident to cause potential chaos. That attack caused an estimated £92m of damage to an organisation already severely stretched by government austerity.
Security By Design
All of this should reinforce the message that investment in security must accompany any wider digital change initiative. It must be built in by design from the start: a little outlay now could prevent a much bigger expense down the line if an attack is successful. If it’s a struggle to get board-room buy-in, remember to articulate those security concerns in the language of business risk.
For many, the answer will be to outsource some or all of their cybersecurity function to a third party, in the form of a managed security service. This can be a good option, but security chiefs must remember to do their due diligence carefully and ensure any provider is accredited to government and international standards and regularly audited for GDPR and other compliance requirements.
It’s the only way to keep data and systems safe, and customers and regulators happy as we head into 2019.