An unfortunate occurrence over the past few years has been that data breaches just keep getting bigger and impacting more people. This year, Equifax, Verizon, Wonga, Bell Canada and Hipchat were just a few of the companies that suffered from successful cyberattacks or leaks that resulted in sensitive data getting compromised.
Even intelligence agencies such as the CIA and NSA are getting hit with data leaks – reaffirming that no one person or company can avoid the possibility that their data gets into the wrong hands.
With 2018 approaching, I have been thinking about what will happen in the cybersecurity landscape and would like to make some predictions for the year ahead. I also tapped some of my expert colleagues, John Grimm, Sol Cates, Jose Diaz and Jon Geater, to share their thoughts on a few areas including IoT, established and emerging technologies, and payments. They will expand on these thoughts in more detailed posts later this month, but here is a high-level, general overview.
First, John Grimm, our Senior Director of Security Strategy, writes, “As we look at the IoT, especially at OT-type environments and manufacturing plants, where there are industrial-type systems that are all connected, we’re starting to see how the operational world and the traditional IT world will come together. We will see continued merging of traditional safety (e.g. safety of employees) and IT security. And the more connected devices we see, the more prevalent this integration will become.”
For a technical perspective and prediction, our VP of Technical Strategy, Sol Cates, sees a significant shift towards micro-services in the technology space. This shift has increased in popularity in the last couple of years, and is increasingly becoming the starting point for any newly designed application. Organizations are now starting to invest more widely in this framework. In 2018, Sol says we are likely to see a greater desire among organizations for more secure micro-services. He adds, “With this comes lots of questions from security groups about where the trust is, how do we do cryptography, how do we protect information etc.”
Switching gears to a specific vertical, payments: Jose Diaz, Director of Payments Strategy, sees financial institutions keeping a close eye on fraud that could impact their customers. He says that transaction limits are likely to increase, since they are based on contract and fraud analysis, rather than technical issues. Fraud will also become easier to spot, due to better background analytics involving device fingerprinting and customer payment behaviors. For example, Apple Pay is already potentially limitless, although most retailers will have a maximum spend of about 40 dollars, which is linked to the liability that most issuers are prepared to accept for a single transaction.
Finally, our CTO, Jon Geater, says the cloud will cause major headaches for companies in 2018. More major breaches will be announced that can be traced back purely to misconfiguration of the cloud (just like the NSA trove this week – simply forgetting to encrypt or even set access controls on remote storage). However, claims of ignorance of controls will not be tolerated as much as they have been up to now.
Just recently, it was reported that Estonia abruptly suspended 760,000 national ID cards because they were affected by a ROCA attack that created a crypto vulnerability. These ROCA-like attacks will most likely occur again, but next time it will be on a cloud system, caused by VM duplication or similar.
Another headache comes from IoT. Industrial use cases will grow, and connections to consumer devices will prove to be the weak link in security.
I’m in agreement with my colleagues when it comes to IoT security. 2018 is very likely to see larger and more customer-impacting IoT-based breaches. Right now, the approaches to securing IoT devices are unacceptable and outright dangerous. IoT manufacturers need a new approach that does not make security an afterthought in a rush to market, but instead integrates it early into the product vision and design process.
These are very interesting times for data security. What data security trends or developments do you expect to see in 2018?