Cyber security remains a growing area of risk for Australian organisations this year. We predict seven key cybersecurity trends for 2019, ranging from device-based vulnerabilities to increased risks within the supply chain.
- Internet of Things (IoT) based attacks
The market for IoT devices has arrived, and is forecast to reach 160 billion USD this year. Consumers and businesses alike are learning to make use of the Internet of Things. Smart speakers such as Google Home, Amazon Alexa, and Apple HomePod are dragging a new market of smart plugs, lights, and whitegoods with them. IP-connected devices can be found in our buses and trains; on our streets and in other public spaces; and throughout most workplaces, from offices to mines deep underground.
The biggest immediate downside of IoT is the cyber security risk. People adopt new devices without thinking through the potential for them to be compromised, opening up all kinds of opportunities for the unscrupulous. The convenience of controlling room temperature via an application was turned into a potentially deadly situation by hackers in Finland, who disabled a building’s heating system amid near-Arctic temperatures. IoT attacks can cripple an entire city or country by targeting essential public infrastructure such as utilities.
As the market for the Internet of Things (IoT) grows, so will the security vulnerabilities that cybercriminals look to exploit. Many devices that have little or no inbuilt security are connected to the internet and are increasingly linked to corporate IT systems. Security Boulevard estimates that the number of IoT attacks will double in the next 12 months and that the number of security products available will not serve to protect the IoT endpoints and devices already accessible to hackers.
- Increased supply chain attacks
The supply chain is one of the leading security threats that CEOs, IT managers and data security officers have to face.
Enterprises spend money to insure against risk; the same is not true for a large number of SMEs. A supply chain frequently constitutes a significant risk to cyber security. Business partners will have privileged access to systems but lower information and data security standards, and they often lack training on the importance of handling sensitive information carefully.
A contract is not enough: even though legal responsibility for a breach sits with the supply chain, there is no guarantee an SME within the supply chain will appreciate the magnitude of cyber risk and manage it accordingly.
- Zero-trust model evolving to digital trust
‘Zero Trust’ refers to a cyber defence model that refuses to trust any user, system, or service operating from within an organisation’s security perimeter. Instead, it attempts to verify everyone and anything trying to access a network resource. In times past, the zero-trust model seemed extreme. Now, the adoption of a ‘zero trust’ security model as the enterprise standard is imminent. The increased risk of threats inside organisations means that a sensible business cannot afford the luxury of trust.
Like any model, zero-trust has its own need for improvement. Matthew Gyde, Group Executive – Cybersecurity at Dimension Data, has noted that in some instances the zero-trust model hinders the productivity of employees, making it difficult to implement. We see the zero-trust model evolving into ‘digital trust’.
Digital trust involves combining threat intelligence tools with internal authentication. Automated threat seekers search for fraudulent or compromised user credentials on the dark web, alerting the organisation that the user is no longer to be trusted. Information security teams can then reset the compromised account, and reinstate an accurate version of the user’s digital fingerprint.
- Insurers clamp down on non-compliance
In Australia, 2018 was the year of data privacy regulation. We were introduced to Europe’s GDPR, and our own Notifiable Data Breaches scheme came into effect. This year, these regulations are now a given. What has changed is the number of insurers requesting proof of compliance. Major insurers are painfully aware of the financial risk they are exposed to by insuring non-compliant organisations: their policies give Australian business no choice but to prove compliance to lower premiums.
Some organisations are being requested to provide full penetration test reports on their applications and networks, certified by an external party such as ourselves. Many are now in the market for additional premiums for cyber insurance – requiring their insurer to rate them with a score indicating their likelihood of a breach and charging them in line with the level of risk.
- Implementing cybersecurity at the beginning not end
Another cybersecurity trend is the realisation that organisations need to be secure by design. Usually, building technology solutions comes first, and implementing security measures comes after. However, not only does this result in deployment delays, but it also gives rise to additional costs. Organisations have come to the realisation that cybersecurity measures must take place while technologies are designed and adopted. Achieving cybersecurity is crucial and has to be aligned with business goals and objectives. Organisations must also conduct data risk assessments to identify critical data that is exposed.
- BYOD becomes more strictly policed
Bring Your Own Device (BYOD) has been a significant source of cyber-attacks and is increasingly a security risk. Organisations that allow BYOD for employees must measure increased productivity and saved costs against the inherent risk.
Fortunately, there are many solutions that allow BYOD and mitigate risk. Most of these start with strict multi-factor authentication (MFA) policies that require staff to verify their identity on multiple devices when accessing organisational resources. Other solutions that involve administrator access to personal devices and impose certain levels of encryption further serve to secure the world of BYOD.
- Sharing of data across the enterprise
Data is born in silos but is most valuable when shared across multiple departments. In information-centric industries such as Financial Services, Retail, Tourism, and FMCG, competitive advantage is obtained through data – so it is vital that data is shared daily and quickly.
These industries also happen to store large amounts of Personally Identifiable Information (PII). Rapidly sharing PII across multiple departments, and sometimes with third parties and business partners, leads to one thing: more risk of data breach. The more important data is to an organisation, the more important data security must be.
To find out more information on how your organisation can improve its cyber security posture, contact us for a confidential consultation.