A look back at cyber breaches in 2018 provides three big lessons for companies. Third-party data access, leaky web apps, and risks from mobile and IoT devices provide some insight into where you will want to button up your data ecosystem in 2019. Automation, AI, and employee training are the three things to focus on in the New Year.
The future of technology is today. Whether you’re a Star Trek fan who wanted a tablet version of a tricorder, or a Star Wars fan who wanted to find the droids you were looking for, futuristic technologies do exist in our world. Those new technologies, however, come with new threats. Tablets, smartphones, and Internet of Things (IoT) devices act as new threat vectors for cyber hackers. Artificial intelligence, too, can be used both to protect information and to breach systems. With this in mind, we look back at 2018’s biggest cybersecurity issues to offer some predictions for 2019.
People say, “Fool me once, shame on you. Fool me twice, shame on me.” This adage holds truer in cybersecurity than anywhere else. 2018’s worst data breaches shared several commonalities. Understanding what caused those breaches can help you take steps forward in 2019 and learn from the failures of others.
Between Cambridge Analytica inappropriately using data after approved collection and the case of the compromised access tokens, Facebook placed more than 130 million accounts at risk. In both cases, Facebook’s data events arose out of insecure authorizations. Cambridge Analytica accessed data through applications that users allowed to link to their profiles and then exploited an outdated sharing setting that allowed the company to access users’ friends’ data. The access token exploit arose out of single-sign-on features wherein users log into other applications with their Facebook accounts.
Lesson #1: Beware of third-party business partners who access user information.
Initially estimated at 380,000 customers, the number of British Airways customers whose credit card information was compromised was later revised to 565,000. With only 22 lines of JavaScript code, hackers extracted payment information as users submitted it through the British Airways website.
Lesson #2: Beware of web application threats to your e-commerce website.
Under Armour’s popular MyFitnessPal smartphone app experienced a breach that left 150 million users at risk. The leaked data included usernames, passwords, and email addresses, although the company assured users that payment details such as credit card information, social security numbers, and drivers’ licenses remained secure.
Lesson #3: Mobile apps and IoT devices introduce risks arising from new and evolving threats.
In response to increased data breaches, governments and standards organizations attempted to take control by adding more regulations and oversight.
The European Union implemented its General Data Protection Regulation (GDPR) in May 2018. Businesses struggled to meet the deadline, which incorporated not only cybersecurity protections but also the right to be forgotten. Email marketers, marketing automation specialists, and public relations executives were hit hardest by the new compliance requirements because their databases now require both consent and tracking to ensure that data deletion aligns with the regulatory requirements.
Although originally released in mid-2017, the New York Department of Financial Services (NY DFS) Cybersecurity Rule required organizations to meet their first benchmarks in 2018, with compliance certifications due by February 2019. The rule applies to any organization operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, Insurance Law, or Financial Services Law. Limited exemptions exist for organizations with fewer than 10 employees working in New York State, organizations with less than $5 million in gross annual revenue, and organizations with less than $10 million in year-end total assets. However, even these organizations need to have cybersecurity programs, cybersecurity policies, risk assessments, and third-party service provider security policies, among other requirements.
The updated NIST Risk Management Framework (RMF) added a step called “Prepare” and listed seven objectives for the new RMF. Although distinct from the NIST Cybersecurity Framework, the RMF now specifically provides guidance for aligning the two. Additionally, it focuses on communicating risk within the organization, creating critical risk management preparatory activities across all levels, including privacy risk management, promoting trustworthy secure systems, and integrating supply chain risk management.
Taking a security-first approach to cybersecurity compliance means starting with the controls that secure your data and then aligning them to new compliance requirements. With this in mind, you need to consider the following predictions for 2019 as part of your information security budget.
According to the 2018 Ponemon Cost of a Data Breach report, the average total cost of a data breach is $2.88 million for organizations with fully implemented security automation, while those without automation spend on average $4.43 million, a cost savings of $1.55 million. These numbers make sense: the longer it takes to identify and contain a breach, the higher the cost of that breach.
With automation leading to a 35% reduction in average cost, organizations will be looking for solutions that allow them to continuously monitor their data environments and prioritize alerts.
Artificial intelligence (AI) and machine learning (ML) aren’t going anywhere any time soon. However, it’s important to keep in mind that hackers continue to employ the same AI/ML to gain entry to your systems and networks that you use to protect your environment. AI/ML tools learn normal network and system behaviors and then block abnormal ones to stay ahead of new ransomware or malware threats.
While the Verizon Data Breach Investigations Report noted that only 4% of users in a phishing campaign click (down from 11% in 2014), those clicks still led to malware attacks. General training events no longer work, and cybersecurity professionals are suggesting that companies make it personal for 2019. Innovative cybersecurity awareness training needs to be something your employees actively learn from rather than sit through to check a box.
Whether your 2019 plans are to migrate to the cloud or to rapidly grow your organization, Zeguro offers a platform that makes cybersecurity transparent for small and mid-sized businesses. Focused on needs specific to SMBs, we hold transparency as a core value. For the future of cybersecurity, this means:
For more information about how we can help you, check out our risk management platform or contact us at Zeguro to learn more.