As dismal as it sounds, cybercrime is outpacing advances in cybersecurity. 2018 will bring unprecedented IT security threats and challenges for every business. If you are your company’s chief information security officer, or simply the person responsible for keeping its systems safe, the time to prepare is now, and the most important risks to protect your enterprise against are laid out in this guide.
Crime as a Service
2017 was the year cybercrime groups began to mimic the ways of large private companies. Among other things, criminal groups formed partnerships and collaborations and developed complex hierarchies. For 2018, the Information Security Forum (ISF) predicts that Crime as a Service (CaaS) will continue to pose grave security threats to enterprises and individuals alike. Here are the key things to be aware of:
- CaaS groups will look to enter into new markets and transform their activities into commodities of sorts.
- Some of these groups are already automating their attacks with bots rather than running them by hand.
- The worst risk of all: newcomers now have access to the tools, technology, and technical know-how to launch attacks single-handedly.
- Ransomware (cryptoware) will surge in 2018 as those newcomers use it for their experiments and attacks.
- CaaS will slowly but steadily put everyone, from enterprises and SMBs to sole traders and personal Internet users, at the same level of risk exposure.
Security threats for IoT
IoT devices are all around us, from smart speakers to autonomous drones, and IoT is being billed as the next big transformation after the industrial revolution. IoT devices, however, are not secure by design. As we step into 2018, enterprises must recognize the risks in their IoT ecosystem. Here is what to keep in mind about the security threats IoT faces:
- Enterprises face legal liability if data is stolen through their IoT ecosystem.
- In an industrial setting, a compromised IoT device can mean loss of control over machinery, which can escalate to physical damage and even loss of human life.
- The focus on speed to market and on launching upgraded products will leave already-deployed IoT products exposed to new security risks, because manufacturers rarely commit to continuous firmware and software updates.
Note: IDC predicts that by 2019, 75 percent of IoT device makers will have improved their privacy and security capabilities. Enterprises, however, still need to be careful when signing contracts with IoT device and technology vendors; check that the contract commits the vendor to security updates for as long as the device will remain in service.
Risks to supply-chain processes
The ISF’s focus on risks to IT-heavy supply chains is not new. Over time, more and more enterprises have made their supply chains heavily dependent on web-powered applications, and the reach of these technologies has multiplied as enterprises integrate with suppliers, co-packers, manufacturers, warehousing teams, and procurement service providers.
The amount of information flowing in and out of a company’s systems in a supply-chain process is massive. Once information is shared, however, you no longer fully control it, which puts its confidentiality and integrity at risk.
- There have been instances where large manufacturing plants had to be halted because their systems were hacked.
- A single weak link in supply-chain technology puts the whole operation at risk, much as the dodgeball team in the movie “Dodgeball” had its own weak link, Justin. That was a movie; most real-life businesses will not survive a link that weak.
- Bringing your vendors and suppliers along on a journey of continually improving supply-chain management applications is difficult.
- Supply-chain information risk management needs to be embedded in your existing vendor management processes.
Noncompliance with GDPR
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force. The regulation applies to every organization that processes the personal data of EU residents, whether or not it is based in the European Union (EU). Naturally, most of the world’s leading companies fall under it, as do many small and medium-sized businesses.
The key aim of GDPR is to unify and strengthen the data protection of individuals whose data an organization holds, and to raise the data-security readiness of those organizations. It is the risk of noncompliance, however, that is keeping CISOs awake at night. The key points you need to know are:
- GDPR is not a “do it once and it’s done” activity. It will require continuous upgrades to remain compliant.
- The hefty fines GDPR provides for (up to 4 percent of global annual turnover or 20 million euros, whichever is higher) are very likely to be strictly enforced.
- For most organizations, GDPR compliance practically means changing the way they do business!
- Building the capability to control and manage every piece of personal information stored in the enterprise’s systems will require massive upgrades and investment.
- Some companies will need to create and fill new roles such as data protection officer (DPO) to be GDPR compliant.
- GDPR requires enterprises to report personal data breaches to the supervisory authority without “undue delay,” and where feasible within 72 hours of becoming aware of them. This changes how many companies handle breaches today (Uber, for instance, did not disclose a 2016 data breach until November 2017).
Shrinking and disappearing cyber-insurance coverage
In 2017, the WannaCry ransomware outbreak caused damages estimated at more than $4 billion. It is unfortunate but very likely that 2018 will bring more attacks of this kind, and the cyber-insurance industry is likely to respond sharply. Faced with a massive surge in the risk exposure of IT systems, insurers will realize that they have underpriced the risk, and will look to:
- Withdraw from the market entirely.
- Set very stringent prerequisites for policyholders.
- Shrink the scope of coverage from existing insurance products.
- Sharply increase premiums.
- Only cater to markets with low IT dependence and, hence, lower risk exposures.
These potential security threats and risks will increase the exposure of all enterprises — even those that are currently breathing easy. CISOs in these organizations have their work cut out for them. And that work must start now.
Photo credit: Pexels