Unless you’ve been living under a rock for the last few years, you’ll already be familiar with the buzzwords du jour: Blockchain and the cloud.
One has become an established reality of modern business. The other is set to change everything… but nobody seems quite sure how, or why.
As it happens, we believe both cloud and blockchain technologies will have a tremendous impact during 2019 — albeit to solve completely different problems — but will bring with them a host of new concerns for security professionals.
Few technologies have changed corporate IT infrastructure as much as the cloud. But for all its benefits, cloud technology — and multi-cloud in particular — dramatically increases the attack surface of organizations.
Simply put, the more complex an organization’s IT infrastructure is, the harder it will be to secure. Modern multi-cloud environments add tremendous complexity to the average corporate network, and many organizations simply don’t have the skills and resources in place to adequately secure their cloud environments.
Which brings us onto our 2019 predictions for the cloud:
- Organizations will take cloud security more seriously in the wake of several high profile breaches. Uptake of Cloud Access Security Brokers (CASBs) will increase, and there will be tremendous demand for security professionals with the skills and experience to work in a multi-cloud environment.
- Even more stress will be placed on the skills shortage. In our first 2019 trends post, we noted that the need for cybersecurity professionals vastly outweighs the number available. When it comes to cloud security, which is a specialized field, that imbalance becomes even more acute. Our prediction, which is really more of a statement of fact, is that organizations will be forced to upskill existing security personnel, as finding experienced cloud security professionals will be extremely difficult.
- There will be more cloud security incidents. Again, this is our prediction, but in reality, it’s a near-certainty. Cybercriminals will go wherever they can make money, and once organizations start storing valuable data in the cloud you can be sure cyber activity will follow. It’s also worth noting that cloud services have a larger attack surface than traditionally-hosted systems, making them a more appealing (though not necessarily easier) target for cybercriminals.
- There will be at least one major cloud breach where the affected organization blames its cloud service provider. This one has been on the cards for a while, and we believe the wait will come to an end in 2019. It remains to be seen how regulators will determine fault, but it seems unlikely that pointing the finger elsewhere will be enough to avoid repercussions.
Even more than the cloud, blockchain is the buzzword of the moment. Organizations all over the world are clamoring to become early adopters, and blockchain technology is already being adapted to fit the needs of every major industry. And, naturally, as the adoption of blockchain technology rises, it will increasingly be targeted by cybercriminals.
Perhaps the most important thing for early adopters to understand is that blockchain technology is not inherently secure. In order to withstand cyber attacks, blockchain architecture must be developed and configured with security in mind. While some organizations are understandably in a hurry to realize a use case for blockchain technology, security cannot simply be added as an afterthought.
So far the vast majority of blockchain attacks have been financially motivated, and have consequently targeted the public blockchains utilized by popular cryptocurrencies. However, as organizations start to trust blockchain technology more, and use it to store sensitive (and therefore valuable) information, we can expect to see an increase in attacks on private blockchains.
In terms of 2019 predictions for blockchain technology, we have four:
- There will be a lot of investment in blockchain technology. We’ll continue to see heavy investment in financial applications of blockchain, but we should also start to see financiers taking an interest in the technology’s wider applications.
- Security industry players will aim to develop a unified framework for integration in blockchain. Whether this will be completed during 2019 is difficult to say, but ultimately there will be an agreed set of security protocols and best practices for blockchain technology.
- There will be a rise in blockchain uptake for the identity management space. Nobody likes giving away their personal information, and passwords are inherently a bad security protocol. Blockchain technology can solve both of these problems, so expect to see plenty of activity in this space during 2019.
- Privacy poisoning will become a thing. One of the major selling points of blockchain technology is that once information is recorded, it’s extremely difficult to remove it. Unfortunately, this will leave poorly implemented blockchains open to so-called “privacy poisoning,” where personally identifiable information (PII) is stored in a non-compliant way, but can’t be easily removed. There’s a simple solution to this problem (privacy by design and a ban on free text) but we can expect to see cases of privacy poisoning in 2019 nonetheless.
Whatever You Do, Do It Properly
New technologies are exciting, but they can (and usually do) also cause problems for organizations. Even relatively mature technologies like the major cloud platforms can be tricky to administer and require careful planning and development to ensure there are no major security flaws.
Ultimately, an organization’s ability to safely adopt new technologies will come down to one thing: Whether security is considered at the outset, or simply “bolted on” at the end.
The former, while more costly and time-consuming, is a strategy that will enable organizations to realize the benefits of transformative new technologies without drastically increasing their risk profile.
The latter, however, is a recipe for disaster.
In our last post, we looked at the strategic cybersecurity trends we expect to see in 2019.
Now it’s time to concentrate on the technologies underpinning cybersecurity (and cyber attacks) and think about how they’re likely to evolve during the next year.
As always, the cybersecurity industry is replete with buzzwords and jargon, leaving many to wonder which technologies are truly about the takeoff, and which are no more than hype. In this post, we’re going to look at two of the four technologies we think are genuinely going to change the future of business and security.
The Internet of Things and Operational Technology
So far, the Internet of Things (IoT) and Operational Technology (OT) have been a mixed blessing for organizations.
On one hand, Internet-connected devices and machinery have the potential to significantly improve efficiency in business and manufacturing processes. In 2019, we can expect to see greater integration of IoT and OT devices with the broader IT and security landscape, as organizations look to improve productivity. At a domestic level, we will no doubt also see IoT devices expand into more homes and cities.
However, as we’ve started to see, IoT and OT devices also have the potential to introduce significant weaknesses to otherwise secure networks. From hacking WiFi kettles in a lab to breaching a casino through its Internet-connected fish tank thermometer, smart devices and machinery have already been heavily exploited, and we’re anticipating the trend to continue in 2019.
The addition of large numbers of network-enabled devices — many with dubious in-built security — to already unwieldy corporate networks will cause difficulties for security professionals, who will need to develop a strategy for securing IoT and OT devices if they haven’t already.
In light of this, cybersecurity vendors are already hard at work developing systems to secure the modern workplace, and we’ll no doubt see more products coming to market in 2019 that have been designed with IoT and OT security in mind.
Finally, in terms of predictions, we’re anticipating at least one major IoT attack during 2019, along with further exploitation of IoT botnets. Since it has such a large attack surface, the manufacturing industry seems a likely target for this form of attack, which depending on motivation could even be perpetrated or sponsored by one of the six major nation-state actors — Most likely China or Russia.
Artificial Intelligence and Machine Learning
Artificial Intelligence (AI) and Machine Learning (ML) have been widely touted in recent years as the future of technology. And for good reason. In the security world, AI and ML have a tremendous number of applications, including the identification of anomalous network activity, updating rule-based systems, and reducing false positives.
In 2019 we expect to see AI and ML increasingly being used by security vendors to enhance their product offerings, and by organizations to reduce the work burden of security personnel.
However, as valuable as AI and ML are to security initiatives, they also have plenty of “black hat” applications, such as using it to solve CAPTCHAS. Both criminal hackers and state cyber actors will inevitably utilize AI and ML techniques to enhance the sophistication of their campaigns, and we’d be very surprised if there isn’t at least one high profile case of these next-generation attacks in 2019.
Stay Tuned for Part 3: Blockchain and the Cloud
Every year new technologies are developed that have the potential to revolutionize the way we live and work. For organizations, jumping on new technologies early can be hard to resist, as it promises an opportunity to pull ahead of close competitors.
But new technologies are never perfect, and problems arise time and time again when new technologies are adopted but security is only considered as an afterthought. Poor implementations of new technologies can be facile to compromise by those with enough motivation, so it’s important to ensure security personnel are involved at the earliest possible opportunity whenever new technologies are to be adopted.
In the third and final post in our 2019 cybersecurity trends mini-series, we’ll cover the two biggest buzzwords of the moment — blockchain and the cloud — and look at some of the advantages and concerns we expect to see from them in the coming months.
2018 was a year of ups and downs in the cybersecurity world.
On one hand, we saw some of the biggest data breaches ever recorded, including almost a billion records leaked in September alone.
But on the other hand, organizations across all industries took cybersecurity more seriously than we’ve seen in the past, and committed more resources than ever to protect their digital assets.
Now, with 2018 done and dusted and security professionals preparing to start the cycle all over again, we thought we’d cast our gaze forward, and cover some of the cybersecurity trends we expect to see in the coming months.
In this post we’ll be covering strategic cybersecurity trends — Keep an eye out for our follow-up posts, which will delve into the technologies you can expect to see flourish (or not) in 2019.
CISOs and Cybersecurity Leadership
The role of Chief Information Security Officer (CISO) has evolved tremendously over the last few years. In 2019, we expect to see a continued expansion of responsibility for CISOs, particularly in their capacity as primary security advisors to executive boards. cybersecurity has become a widely accepted topic at board level, and CISOs will be expected to advise on major concerns such as brand protection and compliance.
On that note, executive boards will increasingly want to see objective measurement of cybersecurity programs. Most organizations have invested heavily in cybersecurity over of the last few years, and there will be an expectation that security programs deliver measurable ROI. Senior executives, who are almost exclusively non-technical, will rely on CISOs to keep them up to date on key security concerns, and CISOs will need to develop a strong communications strategy with regular KPI updates to achieve this.
At the same time, cybersecurity has been identified as a top three area for increased technology investment across all industries. Gartner predicts global spend on cybersecurity will grow by a further $10 billion in 2019 to a total of $124 billion — an 8.7% increase — and boards will be relying on CISOs to identify and justify the most important areas for investment. Historically it has been difficult even for experienced security leaders to penetrate the marketing hype surrounding security solutions. However, with the market stabilizing, CISOs will be expected to provide concrete evidence of anticipated ROI when recommending further investment.
In addition to the continued expansion of the CISO role, we anticipate an increase in the use of independent cybersecurity contractors to advise on specific areas of concern. In particular, external advisors will be called upon to identify areas of cyber weakness — e.g., via risk assessment, penetration testing, and threat hunting — and provide vendor-neutral advice on how to close any identified gaps. Similarly, as larger organizations look to be at the forefront of newer technologies such as blockchain and IoT, they will engage expert contractors for advice and support.
Finally, in line with the increasingly mature nature of the cybersecurity landscape, in the coming year CISOs will be focused on the business logic surrounding cybersecurity programs. They’ll be aiming to answer questions such as:
- Who is doing what, where, when, and why?
- How do existing components of a cybersecurity program fit together?
- How can systems and processes be better integrated?
- What gaps exist, and how can they be filled?
The answers to these questions will inform further investment, and ultimately lessen the burden placed on overloaded security professionals.
The Cybersecurity Skills Shortage
With substantial increases in cybersecurity investment expected, it should be no surprise that the widely-publicized skills shortage will continue to cause headaches for security leaders across the board in 2019. Unfortunately, it seems there is no end in sight, as industry analysts forecast a shortfall of 3.5 million cybersecurity jobs by 2021.
In addition to insufficient numbers of skilled security personnel, three other factors will contribute to the skills shortage conundrum:
- An ever-increasing volume of cyber threats
- The corresponding rise in the number of technologies required to hold threats at bay
- Broader attack surfaces due to adoption of new technologies, e.g., cloud, IoT, and BYOD
Since 3.5 million new security practitioners aren’t going to appear anytime soon, existing security personnel are going to be faced with heavier workloads than ever in 2019.
So how will organizations respond to these challenges?
First, a focus on upskilling existing security personnel will be essential. As there is no guarantee new skilled personnel will be available to organizations looking to expand their cyber programs, there will be little alternative but to invest in training and support to help junior security practitioners develop in-demand skills.
Traditionally organizations have shied away from heavy investment in upskilling programs for two obvious reasons:
- cybersecurity training programs are often very expensive
- Once trained, security personnel have many opportunities for career advancement, and may simply leave
These concerns, while understandable, will need to be put to bed, or organizations simply will not have the necessary skills and experience to maintain a strong cybersecurity program.
Of course, not all security personnel requirements are permanent. Some security functions, such as penetration testing, threat hunting, and gap analyses can instead be filled by security contractors. While this approach is already popular, we expect to see a rise in the use of consultative security services across a range of temporary needs.
Increased Nation State Activity
Depending on the industry you’re in, nation state cyber activity may be either very important or totally irrelevant. Either way, 2019 is set to be a year of increased nation state activity in the cyber realm.
Over the past decade, nation states have continually pushed the boundaries of what could be considered acceptable cyber activity. However, now that some actors (Russia, China, and North Korea in particular) have been allowed to continually push the boundaries without repercussion, we can expect to see a further increase in nation state and state-sponsored cyber activity in 2019.
If you aren’t sure whether you’re likely to be a target, it may help to have a basic understanding of each of the major nation states’ motivations:
China — Economic, technological, and industrial espionage
USA — National security, both offensive and defensive
Russia — Geopolitical influence and financial gain
Iran — Military, political, and nuclear advancement
Israel — Political and military disruption (primarily directed at Iran)
North Korea — Open to speculation
Functionally, most organizations in the Western world need only concern themselves with the activities of Russia and China, since the other major nations have a very narrow focus for their cyber activities. In particular, organizations focused on technology innovation, telecommunications, research (e.g., universities), and national infrastructure should be aware they are very likely to be targeted by one or more nation state actors.
So what makes cyber activity so appealing for nation states? There are a number of factors:
- There are effectively zero consequences, even when activities are definitively tied to a particular nation — At a minimum, Russia, China, North Korea, Israel and the US have all carried out widely reported cyber attacks and suffered no consequences whatsoever.
- It can be highly effective. Russia successfully crippled the Ukrainian financial sector by deploying NotPetya. The USA and Israel managed to disrupt Iran’s nuclear program with Stuxnet. By releasing WannaCry into the wild, North Korea caused mass disruption.
- It’s cheaper, faster, and less committal than military intervention. And, as Russia has proven repeatedly, cyber activity also works well in conjunction with traditional military action.
Given all of the above, it’s no surprise that the idea of a cooperative international agreement (sometimes described as a “Digital Geneva Convention”) has been floating about for several years now.
But do we think it’s likely to happen in 2019? Probably not. At least, not in any meaningful capacity.
The difficulty is that while some countries will no doubt be happy to sign such an agreement — particularly those countries without an established cyber program — none of the six most active countries would be willing to do so.
As if to highlight this point, toward the end of 2018 French President Emmanuel Macron launched an international agreement on cyber activity at the Paris Peace forum. While the agreement was signed by 51 countries, none of the “usual suspects” were willing to put pen to paper. And if China, Russia, the USA, Israel, Iran, and North Korea won’t sign, there really isn’t much value to such an agreement.
Next Up: Technology Trends for 2019
2019 is going to be a busy year for security professionals as the cyber landscape continues to evolve.
Although cybersecurity budgets are rising, the corresponding rise in attack velocity means that in real terms security leaders stay in precisely the same position they have been in for the past several years — Never quite being in a position to cover all of their bases.
As before, then, a risk-based approach will be essential as CISOs and security teams look to build out their cyber programs.
This has been part one of our 2019 cybersecurity trends mini-series. In the next post, we’ll take a closer look at some of the technologies that will impact the cyber landscape in 2019, and provide insight into how you can expect to see them evolve.