Contents

• 1 Cybersecurity Predictions 2018, How did we do?
  • 1.1 It’s important to start early and often
  • 1.2 Evidence to Support
    • 1.2.1 Privacy is a fight for our back
    • 1.2.2 GDPR: Panic Later, Procrastination Now
    • 1.2.3 Disruption of Things
    • 1.2.4 Cryptocurrency Hacks are on the Rise
    • 1.2.5 Data Aggregators
    • 1.2.6 Cloud Security
    • 1.2.7 Encrypted By Default – Implications For All
    • 1.2.8 Industry’s Next Big Leap
  • 1.3 Cybersecurity Predictions 2018 Final Grade
  • 1.4 2019 Cybersecurity Predictions

Cybersecurity Predictions 2018, How did we do?

Our 2018 Cybersecurity Predictions Report was published one year ago. We can now look back on our statements and assess the accuracy of our predictions as the year draws to a close.

Eight predictions were made for 2018, where we discussed regulations like GDPR, the consequences of ubiquitous encryption and the defense of aggregated data. We also discussed ransomware, insider threats, and cloud security. We also discussed the potential threat to data aggregators as well as the details of cryptocurrency hacks. Many of our predictions were based on the belief that privacy would be affected by many of them. The events of 2018 proved us right.

After reflection, we assigned scores according to the Report Card below.

 

It’s important to start early and often

We sought evidence to support or refute our 2018 predictions. It became clear that our 2018 forecasts were extremely timely, with several predictions being fulfilled within the first six months of the year.

Our 6-month summary is documented on our blog. At the six month stage, we gave a solid B+ grade.

Evidence to Support

Privacy is a fight for our back

Prediction: 2018 will see a wide and polarizing privacy debate, not only between governments but also between people.

Privacy issues were brought to the forefront with key moments that had a global impact in 2018.

Cambridge Analytica’s private customer data was likely to be remembered as the moment that raised privacy and data protection in the public consciousness. Facebook was penalized for “serious violations of data protection laws” and “failure adequately protect its users’ privacy.”

According to a survey by Forcepoint customers, privacy was ranked the number one security concern in 2018. (Source: TechValidate. TVID: 680-CB3-AE1). The General Data Protection Regulations were implemented by the European Union in May 2018. The EU initiative to consolidate the various data protection regulations across EU member countries and place emphasis on personal data protection has been discussed by the US Senate with inputs from Silicon Valley technology organisations.

Additional reading:

• Amazon was forced by reports that virtual assistants were sharing personal conversations (in this instance, personal information)
• British police began to use biometric data for identifying individuals on the streets of the UK.
• Online advertising brokers have mapped the performance and physical in-store sales, leading to discussion about the implications of such data collection as well as its unintended consequences.
• In August 2018,, the Mozilla organization announced that it would take a proactive stance regarding privacy-preserving features (such blocking third party tracking cookies) in Firefox63
• The EU ePrivacy Proposals continue to ignite debate and action around the topic of protecting individual privacy in electronic communications.

GDPR: Panic Later, Procrastination Now

Prediction – Most businesses will not be ready before the GDPR enforcement date. Panic-driven policies and practices will make it difficult for companies to comply.

Forcepoint’s 2018 survey found that only 14% felt “completely prepared” for GDPR’s roll-out in 2018. (Source: TechValidate. TVID: 4E0-A7D-76A). Many businesses failed to comply with the EU regulations that prevented EU citizens from accessing non-EU websites on or around GDPR Day (25 May 2018). The GDPR accreditation includes 16% more websites that have adopted cookie consent policies than at the beginning of the year.

Large monetary fines may not have been enough to stop the flood of data breaches in 2018. Although Facebook was given the maximum penalty allowed by regulators for the Cambridge Analytica breach, the fine would have been significantly higher if the breach had occurred post-GDPR.

Additional reading:

• Large airlines were accused of having lost credit card information during the year via Web scripts intercepting personal details and hacks to back-end systems resulting in leaks of passport data.
• After it was revealed software bugs allowed access to accounts of 50,000,000 users, Facebook was once again prominent.
• The UK’s ICO encouraged students use their data subject rights to obtain information about themselves, their exam performance, and the comments made by the examiner.

Disruption of Things

Prediction: IoT will not be held hostage, but rather becomes a target of mass disruption.

According to our 2018 survey, 76% of customers were concerned about security of Internet of Things devices and infrastructure within their company or supply chains. (Source: TechValidate. TVID: 6B7-B75-241). Given the nature of the devices, which are easily replaceable, and the reduced chance that ransomware would be applied to IoT, our prediction was that it would not. We saw many attacks on IoT in 2018, but not on the scale we expected.

Additional reading:

• Cyberattacks are disrupting the IoT market. Bain & Company discovered that enterprise customers would purchase 70% more IoT device if they had security concerns addressed.
• Radiflow, a security company, made the first discovery of a cryptocurrency miner within an ICS network. This is a sign of what’s to come in ICS/SCADA/IIoT environments.
• Sophos discovered a bot that was attempting to denial-of service (DDOS), IoT devices.
• FBI warns cyber threat actors that unsecured IoT devices can be used as proxy to anonymously pursue malicious Cyber activities.

Cryptocurrency Hacks are on the Rise

Prediction – Attackers will target systems that use blockchain technology to create digital currencies.

The number and unfortunately successful nature attacks on cryptocurrency exchanges in the last year was a highlight of the past year. This led to cybercriminals losing millions of dollars. This prediction was realized just weeks after our 2018 report was published.

These are just a few examples.

• Tether reported a loss of $31 million due to an attacker externally. This had a knock on effect for all other cryptocurrencies that were against the dollar.
• Bitcoin Gold reported that the Windows app they had hosted on GitHub was tampered with. The suspicious app was available online for more than 4 days.
• Japanese cryptocurrency exchange Zaif was hack for $60 million.
• The National Police Agency of Japan reported that cryptocurrency thefts totalled 60.55 billion Yen during the first half of 2018, with most of them targeting cryptocurrency exchanges.

Data Aggregators

Prediction: In 2018, a data aggregator will have its security breached using a well-known attack method.

Data aggregators, who combine data from different sources, are naturally a target for hackers. While these data collectors had their fair share of vulnerabilities and incidents, they were also subject to unforced errors. Malicious attacks are more common than those made by attackers. Our 2018 survey revealed that 59% of Forcepoint customers had privacy concerns, such as data collection and sharing. (Source: TechValidate. TVID: 73D-087-B4E)

Additional reading:

• Facebook was fined the maximum amount allowed under the regulations for its role in the Cambridge Analytica investigation. The fine could have been several orders of magnitude greater if the incident had occurred after May 25, 2018.
• When aggregated, Strava’s data collection about user’s exercise-related activities was shown to reveal sensitive locations . User privacy could also be affected by personal data.
• A prime example of aggregated data is voter and census data sets. In 2018, a researcher discovered a large repository of 14.8 millions records containing US Texan voting records . This was on an unsecured server.
• While GDPR is about protecting personal data, it is equally important to protect intellectual property. This was evident to the automotive industry when it was revealed that a common supplier to multiple manufacturers had data stored on an unsecure server.

Cloud Security

Prediction – Cloud technologies will increase the chance of Insiders being hacked

Our predictions highlighted the importance of credential management in cloud-based systems. We will be revisiting password habits and the dangers posed by insiders in our 2019 Cybersecurity Predictions Report. Cloud-adopters had difficulty with security configurations, but they also struggled with locking down access to cloud data.

Additional reading:

• To access the corporate mail server at Deloitte, administrators used administrator credentials. Two-factor authentication (2FA), which was not accessible by password, had not been implemented.
• A 2016 hack at Uber may still provide insights (and lessons learnt) about how a domino effect can be used to gain access to an AWS account via credentials left on GitHub repositories.
• According to Gartner, the global IAAS public cloud service market grew by 29.5% in 2017. This highlights the desire to move to the cloud and the importance security systems.

Encrypted By Default – Implications For All

Prediction – An increasing number of malware will be MITM-aware.

Our prediction about MITM-malware didn’t come to pass in the way that we expected, but it was a prediction about ubiquitous encryption on the internet. Politicians and software vendors encouraged the adoption of HTTPS.

Additional reading:

• The development team of Google Chrome created their plan for encouraging HTTPS adoption and began to release it with every new Chrome version. Chrome users are now able to see warnings about sharing private information with non-secure websites. HTTPS-enabled sites are accepted as the norm.
• Even major websites still struggle with HTTPS. Governments failed to renew certificates and banks hadn’t migrated to httpS on their homepage. Common websites also had problems.
• US Senators called for the adoption DoT (DNS Over TLS) and DoH (DNS Over HTTPS) technologies in order to preserve privacy as citizens interact with US government sites.

Industry’s Next Big Leap

Prediction – Workforce monitoring will be a priority for CISOs in 2018.

As CISOs promote their security and risk management plans to the business, they use a top-down approach. They first understand the business processes then translate it into technology and process requirements. There were many examples of best use cases to monitor the workforce and implement UEBA. These included the Continuous Diagnostics Monitoring program of U.S. government. Our data shows that there is still a gap in the perceptions and effectiveness of program managers and implementers.

IT teams face a challenge in balancing the right mix between prevention, mitigation, and detection. 2018’s events highlight this struggle. That is why we have worked hard to make it easier. Forcepoint is leading the charge for human-centric security solutions that are based on behaviour-based analysis. Dynamic Data Protection, which provides risk-adaptive protection, is the latest of these.

Cybersecurity Predictions 2018 Final Grade

Overall, we give ourselves a solid grade of B+ as we were accurate in most predictions. The theme of data protection and privacy preservation was the underlying theme for this year’s predictions.

2019 Cybersecurity Predictions

Just a few weeks remain before we release our 2019 Forcepoint cybersecurity predictions, which highlight themes of trust and cyber risk for the coming year.

Once again, we consulted our global cybersecurity intelligence and research teams as well our CTO-CISO teams. What predictions will they make for 2019? Will their predictions be compatible with yours.

source https://www.forcepoint.com/blog/insights/cybersecurity-predictions-2018-how-did-we-do