The 2017 Qatalyst Global CyberSecurity Predictions.
It’s that time of year again – the Internet is awash with rumours, predictions, talk and more. We don’t like feeling left out, so here are ours. Do you disagree? Let us know.
IoT Security will become a real issue
According to John Vladimir Slamecka, EMEA President, AT&T, IoT security will dominate the landscape, and he predicts that ‘connected wearables and smart coffee pots’ will be of increasing interest to the hacker community. Research has indicated that a small town of 10,000 ‘smart homes’ will generate in excess of 150m discrete data points each day – whether from intelligent fridges, smart thermostats, a connected baby monitor or more – and each of those represents an opportunity for a hacker to gain access to a private network.
Should consumer IoT devices continue to prioritise ease of use and simple setup over enhanced security? As consumer IoT devices fall in price, a new user-base is opening up with very little cybersecurity education, and failures to implement even the most basic standards are common. A 2016 report from Canonical shows that 40% of consumers have never performed any firmware update on their connected devices.
Cyberattackers are well aware that these IoT devices are much easier to compromise than a traditional PC or laptop, and can be networked into vast armies of infected devices and participate in large-scale DDoS attacks. Criminals can therefore count on much greater capability to launch attacks faster and at larger targets.
The industry is beginning to realise that consumers expect manufacturers to bear the responsibility of protecting them against cyber threats. The popular Nest range of smart products, which includes a camera, thermostat and more, is encrypted by default and automatically monitors for and installs firmware updates. We expect to see government regulation pushing for vendor responsibility in this area in 2017.
The healthcare industry will be faced with new, more sophisticated attacks in 2017
More than 113 million records have been stolen from hospitals and healthcare facilities around the world. Healthcare data routinely contains insurance details, social security numbers, billing information and diagnosis codes. Medical identity theft is big business and is much harder for the patient to spot, meaning that, unlike with credit cards, fraudsters can continue to profit from the stolen data for several years after the initial hack by obtaining credit cards and loans, committing tax fraud or sending fake bills to insurance providers. Reports this year surfaced of hackers ransoming hospital records for as little as $15,000. Such low amounts exponentially increase the chances of the ransom being paid. According to industry journal *Modern Healthcare*, almost one in eight Americans have had their medical records compromised in some way.
The 2016 IBM Cyber Security Intelligence Index found that 60% of healthcare cyberattacks in 2015 involved members of staff with access to organisation systems. The healthcare industry has been trailing behind in terms of cybersecurity strategy, and hackers are exploiting these vulnerabilities as doctors and hospitals push to increase adoption of cloud-connected devices for patient monitoring and more. The medical community must take steps to enable closer information-sharing, best-practice discussions and more. By stark contrast, the finance industry has pioneered the use of non-competitive secure spaces to share cyberthreat information, revealing very detailed information about their business with the ultimate aim that their competitors aren’t hacked in the same way.
The GDPR, its ‘long arm’ approach to jurisdiction & the debate about breach notification
The GDPR (General Data Protection Regulation) is due to come into force on 25th May 2018. Amongst its many rules is the requirement to publicly disclose any data breach within 72 hours, which will have a far-reaching impact on public perception of cybersecurity and the seriousness with which firms approach their cyberdefence strategy. Fines for non-compliance stretch to €100m or 5% of global turnover, whichever is greater.
There is ongoing debate around the right approach to breach notification, especially having watched the aftermath of the 2013 Target breach play out across the media. As many as 110 million customers were believed to have been affected. Target later reported a 46% drop in quarterly profits, with costs directly related to the breach reported to be over $252m, and the breach also led to the resignations of both the chief executive and the chief information officer.
Expect to see more behaviour-based authentication
As the dangers of password recycling take up more headline inches following large-scale cyberattacks, hardware manufacturers are looking at biometric options including sensors built into touchpads, measurement of typing speed through keystroke dynamics, pressure and other behavioural detection systems. Software vendors including BioCatch and BehavioSec already offer fraud protection based on factors including geolocation, networks used, device usage patterns, hand-eye coordination, physiological factors including muscle usage, arm size, press size and more.
In the UK, the Nationwide Building Society, HSBC and other leading financial institutions have already undertaken extensive testing this year in trying to strike the right balance between ease of use and appropriate security for user authentication on a mobile device. Their testing involved reading accelerometer sensors to determine how a user typically handles their mobile device, how quickly and hard a keyboard is pressed and the way that a user moves between screens to build a cognitive fingerprint.
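As an added illustration of the keystroke-dynamics idea described above (not code from this post or from any vendor it names), the following builds a typing profile from a few enrolment samples of a passphrase and scores a new sample against it; the timing values, the `make_sample` helper and the acceptance threshold are all constructed assumptions.

```python
"""Keystroke-dynamics scoring: build a typing profile from enrolment samples and
score a new sample against it. Added illustration, not code from the post or the
vendors it names; all timing values are constructed."""
from statistics import mean, pstdev

def features(events):
    """events: list of (key, down_ms, up_ms) for one typing of the passphrase.
    Returns dwell times (hold per key) then flight times (release-to-next-press gaps)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enrol(samples):
    """Per-feature mean and standard deviation over the enrolment samples."""
    cols = list(zip(*(features(s) for s in samples)))
    return [(mean(c), max(pstdev(c), 1.0)) for c in cols]  # floor std, avoid divide-by-zero

def score(profile, sample):
    """Scaled Manhattan distance: mean of |x - mu| / sigma over all features. Lower = closer."""
    vec = features(sample)
    return sum(abs(x - m) / s for x, (m, s) in zip(vec, profile)) / len(vec)

def verify(profile, sample, threshold=2.0):
    """Accept when the typing rhythm lies within `threshold` scaled deviations (assumed cut-off)."""
    return score(profile, sample) < threshold

def make_sample(dwells, flights, keys="pass"):
    """Build an event list from per-key dwell and between-key flight times (constructed data)."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

# Constructed enrolment data: a user who holds keys ~95-105 ms and pauses ~125-155 ms.
ENROL = [
    make_sample([95, 100, 105, 98], [130, 140, 150]),
    make_sample([92, 104, 100, 101], [125, 145, 155]),
    make_sample([98, 97, 108, 95], [135, 138, 148]),
    make_sample([94, 102, 103, 99], [128, 142, 152]),
]
PROFILE = enrol(ENROL)
GENUINE = make_sample([96, 99, 104, 100], [132, 141, 149])
IMPOSTOR = make_sample([60, 65, 58, 62], [300, 280, 320])  # quicker holds, longer pauses

if __name__ == "__main__":
    for name, s in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={score(PROFILE, s):.2f} accept={verify(PROFILE, s)}")
```

A real deployment would combine this rhythm score with the other signals the post lists (device handling, geolocation, navigation patterns) and tune the threshold against measured false-accept and false-reject rates.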
Look out for more innovative access management and identity verification solutions in 2017, and wider adoption from consumer manufacturers.