David Ferbrache, chief technology officer in KPMG’s cyber security practice, has highlighted ten cyber security trends we can expect to see in 2019. Here they are:
1. Coming of cyber warfare
Countries will continue to invest in attack infrastructure as they have over the past few years. The most recent US intelligence worldwide threat assessment suggests that 33 countries now have cyber attack capabilities, up from just 14 in 2012. So it would seem that cyber forces and commands have become an integral part of any nation’s armed forces, not just their intelligence apparatus. Sadly we may see these tools trialled and occasionally used in anger as geopolitical tensions continue to rise, as well as a shift towards open attribution of such attacks as part of the political and diplomatic response to these activities.
2. Lack of consensus on cyber law
Consensus over international norms of behaviour in the cyberspace will remain elusive with countries creating more intrusive regulatory and legal frameworks to address cyber security concerns. Balkanisation of the internet will continue and global firms will become increasingly frustrated. The Paris call for trust and security in cyberspace was a step in the right direction, but it did not win universal support with many countries holding very different views on what constitutes the core of their national cyber security.
3. Proliferation of ‘fake news’
The battle for cyber space isn’t just about disruption of infrastructure, although that will be a concern for many nations, it is also about the battle for hearts and minds. We expect to see more attention being paid to ‘fake news’ and to the censorship and removal of inappropriate content, however it is defined. We will also see more automated targeting of individuals and specific interest groups through social media, whether that be tailored advertising, trolling or spear phishing. The political debates about the appropriateness of such activities will continue into 2019 and beyond, but so will the build out of the tools and infrastructure required to detect and takedown such content.
4. The future is in the clouds
New business models are emerging to exploit the flexibility offered by cloud solutions as firms continue to migrate legacy services while occasionally beginning to question the long term economics of doing so. Regulators will agonise over the systemic risk that dependency on cloud providers creates while simultaneously recognising the inevitability of that move. Organised crime groups will, however, find creative ways of identifying ill configured cloud instances, and exploit the information and computing power that such access provides. We can expect to see at least one major cloud security breach.
5. Ransomware or crypto currency mining – the market decides
Cybercrime remains big business, a $600 billion a year trans-national entrepreneurial business, depending on what you include in the definition. There is no better illustration than the rise in exploitation of crypto currencies over the last two years, with crypto currency mining on compromised systems proving more lucrative than the old staple of ransomware for extortion. But ransomware will not go away, and we can expect more tailored attacks, greater attention to the best way of extorting payments from organisations and creative blackmail threats using threatened disclosure of information.
6. Privacy drives transparency – but many await the first fines
The General Data Protection Regulation arrived last year and triggered a flurry of activity in order to be compliant. The process resulted in many firms realising that they have more fundamental issues over legacy systems and information architectures which, to address, would be both costly and time consuming. In 2019, firms will have their eyes peeled for the first tranche of regulatory fines and sanctions and they will then ask themselves just how severe an infraction would need to be to justify the 4% of global turnover maximum fine. Nonetheless, we can expect to see more transparency around cyber security incidents, but with that also more class action litigation and political demands for action by firms to improve their security.
7. E-Commence is in the cross hairs
2018 brought waves of cyber-attacks against e-commerce websites, the so-called Magecart attacks. These attacks will continue into 2019 with organised crime increasingly targeting poorly configured and secured web sites to collect customer credentials and payment card details. Millions of payment cards will need to be re-issued by banks as a result of these attacks, forcing them to explore alternative fraud controls. The mobile phone will play an even greater role in our lives as a key authenticator and payment mechanism, but we can expect organised crime to show a growing interest in compromising and intercepting such traffic, racing with the telecommunication companies to block such attacks.
8. Supply networks are seen as growing risk
Security is getting better, end points are far more secure than before in terms of operating system robustness, dynamic patching and more sophisticated anti-virus and anti-malware security. A well-managed IT estate can provide a challenge to many attackers, but that means a change in tactics towards growing attacks on the supply chain. Supplier security has become big business with many firms trying to drive their suppliers to improve security through increasingly demanding contract terms and inspection visits. Firms are looking for new ways to risk score suppliers, whether by monitoring their internet activities and data breaches, or by independent assurance. Those risk scores are beginning to influence credit ratings and costs of insurance, as the market begins to price in cyber risk. Expect more supply network breaches in 2019, as our web of corporate dependencies becomes increasingly complex.
9. Social engineering is getting more and more creative
Expect also more creative social engineering as technical attacks becoming harder. Business email compromise and CEO frauds continue to prove lucrative, and we can expect these cyber enabled confidence tricks to continue in 2019 at scale through transnational networks of call centres demanding international law enforcement collaboration. We also expect to see more use of data analytics and AI by criminals in findings targets for these frauds, and running these operations efficiently. Countering this threat will require much closer links between the cyber security and fraud communities, but those divisions are disappearing as cybercrime becomes a growing component of fraud.
10. Agility matters more and more
We will continue to see technology firms working with governments and broader commerce to takedown criminal infrastructure. Security vendors update anti-virus and email block lists more frequently, the dynamic patching of systems closes off vulnerabilities, and more and more people use DNS services which offer automated checking against blacklisted domains. Active defence by governments has become the order of the day with closer links to telecommunication firms to block and tackle cyber criminals, recognising the insidious nature of low level cybercrime and its impact on our economy and digital lifestyle. For their part, organised crime has become expert at spinning up new attack infrastructure, obfuscating and modifying attack code; learning to exploit their brief window of advantage to the best.
And as we look to the longer term, here is one last prediction for the next decade:
Artificial intelligence (AI) is creeping into many industries augmenting human decision making, automating processes and data analysis. With AI comes new challenges over data integrity, malicious manipulation of algorithms, and the complexity of scrutinising decision logic. We can expect organised crime to find some creative ways to play AIs to their advantage.
Next up on the KPMG Blog: