The past 12 months have been packed with geopolitical incident, global malware threats and ubiquitous big-name data breaches. From the CIA Vault7 and NSA Shadow Brokers leaks at the start of the year, to the WannaCry and NotPetya ‘ransomware’ campaigns, and Uber’s shock revelations just last month, there’s been plenty for CISOs to ruminate on. But now the year is nearly at an end, it might be useful to recap some of the biggest themes of 2017 — with an eye on fortifying systems for the 12 months to come.
Here’s our top five, in no particular order:
- Ransomware evolves
Ransomware has been causing organisations headaches for several years now. But in 2017 we saw the threat used in an unprecedented way to cause chaos on a global scale. The WannaCry and Petya/NotPetya attacks of May and June may have had featured slightly different targets, attack groups and tactics, but they highlighted how ransomware could be used in combination with nation state-developed exploits to spread dramatically through networks. Bad Rabbit showed us another variant on this theme, designed to infect victims on a massive scale using watering hole attacks.
These incidents taught us the importance of patching known vulnerabilities as soon as a fix becomes available, whilst warning what can happen when governments seek to undermine security for hundreds of millions of users by researching exploits in popular software.
- BEC is costing firms billions
Of all the cyber-related risks facing organisations today, Business Email Compromise (BEC) seems on the face of it one of the easiest to mitigate. Yet according to the FBI, losses from the period October 2013 to December 2016 topped a massive $5.3bn. We predict it will grow to $9bn by next year as organisations continue to show how exposed their staff and processes are to social engineering.
There may be no malware to detect in most BEC scams, but with better staff training and something as simple as ensuring two senior finance members sign-off any large fund transfers, organisations can better insulate themselves.
- Big-name firms still making rookie mistakes
When will they learn? The past 12 months has seen another roll-call of “they-should-have-known-better” organisations suffering damaging data breaches and privacy incidents. Yahoo (3bn), Uber (57m) and Equifax (145.5m) spring to mind as the most egregious examples of firms that had the resources but not the right corporate culture or strategy to keep the hackers at bay. Many more organisations were embarrassed after finding sensitive customer or proprietary information exposed to the public internet via cloud database misconfigurations — often at the hands of a third-party partner. The likes of Verizon, Accenture, WWE and even the US Department of Defense were all found wanting. In one case, a Republican data analytics firm managed to leak the PII of 198 million US voters dating back a decade.
If nothing else, these incidents tell us once again that firms still aren’t getting the basics right when it comes to cyber security, and are failing to extend policies to partners and contractors.
- GDPR compliance is still not up to par
As the year has progressed, the clock has been steadily ticking down to 25 May 2018, the date when the EU General Data Protection Regulation (GDPR) finally comes into force. It’s difficult to remember a new law with quite as far-reaching cybersecurity and privacy implications for firms. Yet widespread lack of awareness and boardroom buy-in remains a concern, despite the potentially huge fines in the offing for non-compliance. Gartner estimates that less than half of all businesses will be fully compliant by the deadline.
Trend Micro research this year revealed a worrying lack of interest from the C-suite: senior execs shun responsibility in 57% of businesses. Firms need to better understand what data they hold, create a breach notification plan and invest in the right state-of-the-art technologies to keep threats at bay.
- From IoT to the cloud, vulnerabilities remain the number one Achilles heel
We’ve said it before but it’s worth mentioning again, vulnerabilities are one of the biggest security threats facing firms. It doesn’t matter if they’re in IoT device firmware, web applications, on-premise software or your cloud infrastructure — if there’s an exploitable hole in your computing environment it could be targeted. We’ve seen organisations as diverse as the NHS and Equifax severely impacted by their failure to patch known bugs swiftly. In the case of the Health Service it led to WannaCry-related outages which forced the cancellation of an estimated 19,000 operations and appointments.
From Devil’s Ivy to KRACK, new vulnerabilities and attack methods are being unearthed every month, some with huge implications for the security of the systems many organisations run. CISOs must ensure they have a comprehensive, automated approach to patch management and the agility to respond quickly and effectively to any newly discovered threats.
To find out more about Trend Micro’s predictions for 2018, read our new report: Paradigm Shifts.