2017 was the worst year yet for cyber security with more phishing scams, ransomware, state-sponsored attacks, and new attack vectors.
Given what happened in 2017 (the Equifax breach, where an application vulnerability on one of the company's websites exposed the records of about 143 million consumers; state-sponsored attacks; Russian manipulation of social media; WannaCry; and more phishing scams than we can count) you might not be looking forward to 2018. Breaches will be bigger, hackers will be smarter, and security teams and budgets won't seem to keep pace.
The number of security events we saw declined in 2017, but the events themselves became far more sophisticated. Locking up a machine with ransomware was nowhere near as lucrative as getting into a company's systems and working out how it transfers funds.
There is reason to be optimistic, though. Yes, some things will get worse before they get better, but we expect real progress in a few areas.
Here’s what we think will happen this year.
1. Many, if not most, Australian organisations will not be ready for mandatory data breach notification (the Notifiable Data Breaches scheme) when it takes effect on 22 February 2018.
Notifications go to the Office of the Australian Information Commissioner (OAIC). If you are a health service provider, you must notify the OAIC of an eligible data breach whatever the size of your organisation. Any other organisation with annual turnover above $3 million must also notify the OAIC and work out how to advise every individual whose data is at risk. Fines of up to $1.8 million apply.
2. Many companies will also not be ready for the European Union's (EU) General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018.
Regulators will not proactively audit for GDPR compliance, so companies are exposed to fines mainly when there is a breach or when EU citizens file complaints. Even then, regulators will likely treat a company leniently if it can document good-faith efforts to comply. Organisations that don't take GDPR seriously and then suffer an event that triggers an investigation are at real risk of a heavy fine. That leads us to our next point: the big four, Google, Apple, Amazon and Facebook, will be immediate targets, and both the OAIC and the GDPR regulators will quickly look to make an example of an organisation. Best not to have a data breach.
3. The decline of password-only authentication will accelerate.
The massive data breaches of 2017 were wake-up calls for many consumers, who are now asking questions about the safety of their online accounts. Password-only authentication is dead: combine passwords with multi-factor authentication (MFA), social login, biometrics or risk-based authentication to better protect your users and your reputation.
Most consumers still have no idea about password alternatives or enhancements such as MFA or risk-based authentication, but they are more aware that passwords alone are no longer enough. Research by Bitdefender shows that consumers are more concerned:
- About stolen identities (79 percent) than
- Email hacking (70 percent) or
- Home break-ins (63 percent).
This is important, because companies often cite a lack of demand for stronger authentication as a reason for not offering it. They are reluctant to do so, in part, because they don’t want more complicated authentication degrading the user experience.
That worry will be eased by risk-based authentication tools, which are becoming widely available. They work in the background, assessing signals such as the device, location and time of the attempt and the user's past behaviour, to estimate the likelihood that the person attempting access is actually the account holder. Coupled with MFA, risk-based authentication puts up a strong barrier to unauthorised access.
- Note: This is why we recommend that all our clients use Office 365 Business for their email and also take the Advanced Threat Protection module, a sophisticated back-end security service provided by Microsoft for an additional $2.86 per month.
Risk-based authentication is often bundled with identity and access management (IAM) tools. The IAM market is projected to grow at a compound annual growth rate of 14.8 percent in 2018, which is another indicator that password-only authentication is headed to extinction.
Liability concerns over compromised credentials are also driving companies to stronger authentication. In its Data Breach Industry Forecast, Experian points out that a major data breach at one company affects other companies through credential reuse: as noted above, they may then be forced to notify users and regulators when attackers use those stolen credentials to fraudulently access their services.
Experian calls this an aftershock breach, and the report urges organizations to deploy secondary authentication methods. “Given the continued success of aftershock breaches involving username and passwords, we predict that attackers are going to take the same approach with other types of attacks involving even more personal information, such as social security numbers or medical information,” the report stated.
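To make the two ideas above concrete, here is an added example in Python (written for this page, not code from the article or from any IAM vendor): a toy risk-based authentication engine of the kind described in the authentication section, which also treats a password reused from an earlier breach, the aftershock case Experian describes, as a risk signal rather than a clean login. The signal weights, the allow/step-up/deny thresholds, the 900 km/h "impossible travel" limit, the set of breached password hashes and every login event are constructed assumptions for illustration; a real deployment tunes them from its own data and stores salted password hashes rather than bare SHA-1.

```python
"""Risk-based authentication: score each login from background signals and
decide allow / step-up to MFA / deny. Weights, thresholds and data are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha1
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Attempt:
    user: str
    ts: datetime
    ip: str
    device_id: str
    country: str
    lat: float
    lon: float
    password: str


@dataclass
class Profile:
    password_sha1: str                      # stand-in for a real salted hash
    known_devices: Set[str]
    usual_countries: Set[str]
    last_login: Optional[Attempt] = None    # last frictionless login


def h(pw: str) -> str:
    return sha1(pw.encode()).hexdigest()


# Constructed corpus of hashes leaked in earlier, unrelated breaches (the
# "aftershock" source). Assumption for the example, not a real dataset.
BREACHED_SHA1 = {h(p) for p in ("Password1", "qwerty123", "Summer2017!")}
WEIGHTS = {"new_device": 30, "new_country": 25, "impossible_travel": 50,
           "ip_velocity": 40, "breached_password": 40}     # assumed weights
STEP_UP_AT, DENY_AT = 30, 70                                # assumed thresholds
MAX_PLAUSIBLE_KMH = 900                                     # assumed travel limit


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine), Earth radius 6371 km."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def risk_signals(att: Attempt, prof: Profile,
                 failures_by_ip: Dict[str, List[datetime]]) -> Dict[str, int]:
    """Return the signals that fired for this attempt, with their weights."""
    fired: Dict[str, int] = {}
    if att.device_id not in prof.known_devices:
        fired["new_device"] = WEIGHTS["new_device"]
    if att.country not in prof.usual_countries:
        fired["new_country"] = WEIGHTS["new_country"]
    last = prof.last_login
    if last is not None:                    # impossible travel since last login
        km = km_between(last.lat, last.lon, att.lat, att.lon)
        hours = (att.ts - last.ts).total_seconds() / 3600
        if km > 100 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            fired["impossible_travel"] = WEIGHTS["impossible_travel"]
    recent = [t for t in failures_by_ip.get(att.ip, [])
              if timedelta(0) <= att.ts - t <= timedelta(minutes=10)]
    if len(recent) >= 5:                    # stuffing/spray burst from one IP
        fired["ip_velocity"] = WEIGHTS["ip_velocity"]
    if h(att.password) in BREACHED_SHA1:    # password reused from a breach
        fired["breached_password"] = WEIGHTS["breached_password"]
    return fired


def decide(att: Attempt, prof: Profile,
           failures_by_ip: Dict[str, List[datetime]]) -> Tuple[str, int, List[str]]:
    """Verify the password first; the risk score then picks the outcome."""
    if h(att.password) != prof.password_sha1:
        failures_by_ip.setdefault(att.ip, []).append(att.ts)
        return "deny", 0, ["bad_password"]
    fired = risk_signals(att, prof, failures_by_ip)
    score = sum(fired.values())
    if score >= DENY_AT:
        verdict = "deny"
    elif score >= STEP_UP_AT:
        verdict = "step_up_mfa"
    else:
        verdict = "allow"
        prof.last_login = att               # only frictionless logins update history
    return verdict, score, sorted(fired)


def demo() -> List[Tuple[str, str, int]]:
    """Run constructed attempts through the engine; returns (user, verdict, score)."""
    t0 = datetime(2018, 2, 1, 9, 0)
    syd, mow, sfo = (-33.87, 151.21), (55.75, 37.62), (37.77, -122.42)
    pw = "correct horse battery"
    profiles = {
        "alice": Profile(h(pw), {"dev-A"}, {"AU"},
                         Attempt("alice", t0, "198.51.100.7", "dev-A", "AU", *syd, "")),
        "bob": Profile(h("Password1"), {"dev-bob"}, {"AU"}),   # reuses a leaked password
    }
    failures: Dict[str, List[datetime]] = {}
    attempts = [
        Attempt("alice", t0 + timedelta(minutes=30), "198.51.100.7", "dev-A", "AU", *syd, pw),
        Attempt("alice", t0 + timedelta(minutes=40), "198.51.100.7", "dev-B", "AU", *syd, pw),
        Attempt("alice", t0 + timedelta(hours=1), "203.0.113.9", "dev-C", "RU", *mow, pw),
        Attempt("bob", t0 + timedelta(hours=2), "198.51.100.20", "dev-bob", "AU", *syd, "Password1"),
    ]
    # Credential-stuffing burst against bob from one IP: five wrong guesses, then the leaked one.
    for i, guess in enumerate(["qwerty123", "letmein", "bob2017", "Welcome1", "Passw0rd", "Password1"]):
        attempts.append(Attempt("bob", t0 + timedelta(hours=3, minutes=i), "203.0.113.5",
                                "dev-X", "US", *sfo, guess))
    return [(a.user, *decide(a, profiles[a.user], failures)[:2]) for a in attempts]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running it, alice's routine login is allowed silently, her login from a new device is stepped up to MFA, and a login from Moscow half an hour after Sydney is denied outright. Bob's own login with a password that appears in the breached corpus is stepped up to MFA even though nothing else is unusual; the attacker who finally guesses that same password after five failures from one IP is denied because the velocity, device, country and breached-password signals stack well past the deny threshold.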