The calendar has already rolled over to 2019, but just barely, so there's still time for some 2019 cybersecurity predictions. What follows are a few pretty safe bets for 2019 when it comes to cybersecurity. For this article, I focused on broad trends, not point solutions -- like using AI to spot suspicious behavior -- that may or may not enter widespread adoption.
So, here are five things that, reading the tea leaves (i.e., surfing the web looking for an informed opinion as well as looking back on articles and interviews I've done in 2018), I think will come to pass in 2019.
With the EU's General Data Protection Rule (GDPR) finally coming into force on May 25, 2018, the fines for data breaches of personal information are about to become substantial -- GDPR calls for fines of up to four percent of a company's previous year's earnings or 20M EUR, whichever is more. So far, the supervisory authorities overseeing GDPR in each EU country have taken a light-handed approach to imposing penalties. This is expected to change as companies that hold EU citizen data come under increased scrutiny for their lack of proper security controls.
The fines are "the teeth that were lacking before," said Cory Cowgill, CTO of Fusion Risk Management, a provider of cloud-based risk management software. "You are going to see bigger fines over time."
This also impacts companies that do not do business directly in the EU since third-party processors of EU citizen data also must be compliant with the law.
Another potentially expensive but overlooked aspect of GDPR could be the legal fees companies will spend to defend themselves against excessive fines and, potentially, the class action-style lawsuits the new law allows for. While well known in the US, class actions are new in the EU and may take some time to take hold.
"That provision is in there, but it's not entirely clear what it means or how it will be brought to life," said Todd Hinnen, the head of National Privacy and Data Security for the international law firm Perkins Coie, in an interview conducted for SC Magazine. "It does give consumers the ability to sue as a class, but there's no historical precedent for that. It's one area, one of at least two, where European lawyers and commentators should look to the US as a source of experience for what that might look like."
Because securing the corporate network with a castle and moat approach is no longer effective, many companies today are looking to adopt a Zero Trust cybersecurity approach that basically assumes all users are compromised all the time, said Justin Forbes, penetration testing team lead in the CERT division of the Software Engineering Institute at Carnegie Mellon University.
"A lot of organizations are moving to not trusting user systems. That way they can focus on securing servers and data instead of having to focus on every single user laptop, phone, and workstation in the network," he said.
Basically, Zero Trust means securing data and having strong identity and access management (IAM) controls in place to verify that users are who they say they are. Once inside the network, access to data is granted by role and based on a least-privilege access strategy, meaning people only have access to the data and applications they need to do their jobs.
"There's no reason a SharePoint admin should have access to classified documents on the SharePoint site itself," he said.
According to IDC's 2018 Security Priorities study, Zero Trust is the No.1 most researched new security approach of 2018. A SophosLabs 2019 Threat Report concludes that, "[m]ulti-factor authentication is an amazingly effective tool for preventing the abuse of stolen credentials. If you’re not using it now, you should be."
Expect Zero Trust to increase, writes Tim Steinkopf, president of Centrify, in SC Magazine: "For today’s enterprises, the concept of Zero Trust is rapidly moving from interest to adoption, and savvy organizations will adopt Zero Trust approaches to stay ahead of the security curve."
As in most systems, human error, not technology, is usually to blame for failures. For many, cybersecurity is all about sophisticated hackers using high-end technology to crack supposedly impenetrable walls set up by savvy InfoSec teams in a constantly evolving game of cat and mouse. In reality, most attacks occur for all too human reasons: unpatched systems and users clicking on malicious links in their emails. (Poor system design, like hardcoding admin/admin as the user name/password combination into IoT device firmware, is also an issue. But that too is a human failing, just one that occurs much earlier in the value chain.)
According to the same SophosLabs report, "[m]any malware infections start with an email message, which may or may not have either a link, an attachment, or both."
The advice they offer is pretty straightforward and easy to implement, yet breach after breach continues to make headlines: "Use a password manager and never reuse passwords. Keep up to date with operating system patches and app or software updates. Change the default administrator passwords on things like home routers, modems, and network-attached storage servers. Add a passcode or password pattern to your phone. Use multi-factor authentication for everything you can use it for. Stay mindful and practice reflexive distrust of unknown files, messages, or links."
Given human nature, don't expect 2019 to see much of an improvement to these issues. This is also why Zero Trust will gain in popularity throughout the year; it takes the human out of the loop by assuming they already are compromised.
This really shouldn't come as a surprise. Long the poor step-child of IT and often looked upon as a boy-who-cries-wolf inconvenience by employees and management, cybersecurity has always struggled to get proper funding (it's hard to point to something that didn't happen and ask for more money, after all).
But, as high-profile breach after high-profile breach eats into corporate reputations and profits (see the GDPR prediction), spending on cybersecurity will go up again in 2019. Also, cybersecurity is now, finally, a boardroom-level concern. That drives a lot of spending.
According to Gartner, 2019 will see worldwide cybersecurity spending increase by 8.7 percent to $124B. This is slightly less than 2018's 12.4 percent uptick but still represents a significant overall increase of real dollars spent to defend corporate data and systems -- 2019's spend is expected to exceed 2017's by over $23B. Thirty percent of that spending will be driven by GDPR.
"Security leaders are striving to help their organizations securely use technology platforms to become more competitive and drive growth for the business," said Siddharth Deshpande, research director at Gartner, in a statement. "Persisting skills shortages and regulatory changes like the EU’s Global Data Protection Regulation (GDPR) are driving continued growth in the security services market."
As more companies turn to the cloud for everything from applications to storage, they are increasing their attack surface exponentially. Cloud security has long been a concern of CISOs, but cloud providers have done a pretty good job of keeping attackers from causing major issues or breaches – at least on their end. The main problem for cloud users isn't the provider's infrastructure; it's their own users and misconfigured workloads and accounts.
According to Gartner: "The naive belief that cloud providers are entirely responsible for their customers’ security means that many enterprises are failing to address how their employees use external applications, leaving them free to share huge amounts of often-inappropriate data with other employees, external parties and sometimes the entire Internet."
Despite these concerns, cloud usage is growing rapidly. This includes hybrid-cloud deployments (where workloads are split between on-premise, corporate-owned infrastructure, and cloud provider infrastructure) and multi-cloud environments where companies are utilizing multiple cloud providers for a host of things from app/dev to co-locating content delivery network (CDN) servers nearer their customers in edge data centers.
Expect cloud workload protection platforms (CWPP) that address these concerns in a holistic way, taking into account the entirety of the cloud ecosystem – on-prem and cloud – to gain market share. According to MarketsandMarkets, "the market size [for CWPP] is expected to grow from USD 2.25 Billion in 2018 to USD 6.70 Billion by 2023, at a Compound Annual Growth Rate (CAGR) of 24.4% during the forecast period."