Across the IT security landscape, the year of 2018 was never prosaic or boring. We saw breaches of such giants as British Airways, Macy’s and Facebook, data privacy scandals around Google and Facebook (again), and the GDPR shakeup, to name just a few.
Now it is time to look at what the next year may bring us. Together with Netwrix’s team of security analysts, we have worked out the IT security trends that will likely influence businesses in 2019. Make sure to get yourself covered!
1. Compliance rules will get broader and stricter.
We predict two major trends in the realm of compliance.
First, attention towards protecting personally identifiable information (PII) will continue to rise in 2019, so we will witness the growth of data security and privacy laws. Following the EU’s experience with GDPR, the U.S. states of New York, Colorado and California have already passed local data privacy laws that affect companies storing the personal data of the states’ residents. Just like GDPR, they require organizations to maintain PII security procedures, implement disposal policies and comply with accelerated breach notification requirements.
Within the next five years, we should expect adoption of a national data privacy standard in the U.S. It will echo the GDPR scenario, with scattered local laws being united into a EU-wide regulation. Therefore, companies must ensure that they will be ready to comply by adopting security best practices like ongoing IT risk assessment, regular auditing, and ensuring profound visibility into data repositories and user activity.
Second, with the upsurge in data breaches in 2018, we anticipate stricter enforcement of existing compliance standards. Most likely, the first in line will be data breach notification rules, due to the increased number of incidences in which companies hid breaches — for instance, it took Cathay Pacific seven months to notify authorities about the exposure of 9.4 million passenger records, and it took Google six months to disclose that data on 500,000 Google+ users was leaked.
Indeed, stricter enforcement has already begun. The Office of the Australian Information Commissioner introduced mandatory reporting on data breaches within 30 days. Also, the Gramm Leach Bliley Act (GLBA) is about to enact a requirement to notify consumers of a data breach within six months. We are convinced that more and more standards will tighten in 2019, and stricter breach notification rules are just the start.
2. Security will become more data-centric.
In a cloud and BYOD-enabled world, the concept of a network perimeter fades away. With a borderless environment and far larger amounts of information, IT pros need to turn from perimeter defense to data-centric security. Even if your company does not store super-secret Nutella recipes or national defense plans, it certainly stores personal data — on employees, customers or both — that needs protection due to tightened compliance regulations and increased attention from the public about the security of their PII.
To succeed in 2019, companies should focus on data protection. The biggest challenge is knowing what kind of data you store, where it is located, who has access to it and how it is handled. Thus, data-centric security will drive an increased need for data discovery solutions. Ongoing data discovery will be a must in 2019.
3. Cloud adoption will accelerate.
The popularity of cloud services and solutions will steadily rise. According to LogicMonitor’s study, 83% of enterprise workloads will be in the cloud by 2020. Certainly, the problem of securing data stored in the cloud will become more acute.
General security best practices will stay the same: Encrypt your data; grant access on a need-to-know basis; implement data recovery processes; be on the lookout for open or unprotected APIs; and streamline monitoring of your cloud infrastructure. To automate the execution of certain security operations and minimize human error risk, you will also have to consider AI and machine learning technologies (more on this in #4).
Cloud solutions will be especially popular in large enterprises, which often hire their own DevOps teams to develop in-house software to refine or automate certain processes. For the sake of price and simplicity, this custom software is developed primarily in the cloud. Organizations need to build security into these solutions during the development and testing stages, which means that DevOps must evolve into SecDevOps teams, ensuring that security is not an afterthought but a full-on part of the process.
4. AI and advanced analytics will be more sought-after.
The growing complexity of IT infrastructures, massive data growth, strict compliance regulations and the rising popularity of cloud technologies have been headaches for businesses for a long time. Given the severe shortage of InfoSec skills and employees, businesses will continue to look for ways to automate IT security processes, driving demand for solutions that incorporate advanced analytics, artificial intelligence (AI) and machine learning (ML) technologies.
We expect an increased demand for sophisticated solutions with AI elements, and vendors will respond by inventing more and more comprehensive ways to automate security processes to facilitate decision-making. Within the next few years, we should expect this functionality in all aspects of the security industry. Moreover, traditionally complex and expensive solutions will have to adapt to increasing market demand for more lightweight alternatives. We can expect solutions that are easier to deploy, cheaper and possibly less sophisticated — but still based on ML.
However, before getting sucked in by the buzz around AI, businesses must ensure to have essential security controls and processes in place, such as regular risk analysis, IT environment monitoring, configuration management and so on. Only once their security posture is mature enough should organizations adopt more complex technologies like machine learning or UEBA.
5. Blockchain will be used for IT security.
The potential for applying blockchain technologies for data security will be realized more and more. As a digital ledger of data transactions distributed among a network of computers without a central control hub, blockchain eliminates the problem of a single point of failure and makes it hard for malefactors to compromise large volumes of data. Plus, such solutions help verify data transactions and bring more transparency into a company’s operations.
There are already successful examples. The U.S. Food and Drug Administration (FDA) built a blockchain-based health data sharing platform that facilitates real-time exchange of patient data between the agency and partner hospitals. Meanwhile, Ernst & Young launched its fourth blockchain project. Together with Microsoft, they developed a blockchain solution designed to enable increased trust and transparency of the rights and royalties management process.
Blockchain-based data security would not be widely adopted in 2019, but market penetration will steadily rise. Our advice to data security leaders is to get familiar with the technology and consider adopting it in the future.
6. IoT devices will continue to be at risk.
Connected devices that are capable of data transmission have already become a part of our daily lives. Businesses and consumers use a variety of them: Alexa and other voice-activated home devices, smart locks, insulin pumps, pacemakers, smart air conditioning and so on.
IoT devices are currently too vulnerable to hacking. Vivid examples include St. Jude’s cardiac devices, which a hacker could access in order to deplete the battery or administer incorrect pacing and shocks, and a hijack of the digital systems of a Jeep with a Wired journalist riding it. Also, Ben-Gurion University researchers found that hackers can easily access baby monitors, home security cameras and other devices by cracking the default passwords common for many brands. One of the reasons is that IoT devices are still considered cool, so they attract startups and entrepreneurs who do not always consider security to be essential. Instead, their mantra is get a cool idea, define a minimum viable product (MVP) and ship ASAP. In too many cases, security is not part of that MVP, unfortunately.
We expect that in 2019, hackers will move from testing the waters to initiating new types of attacks aimed at IoT. To be secure, at a minimum, consumers should make sure to have a unique, strong password for each device and never rely on the default one. We also hope that manufacturers will pay more attention to properly securing their products rather than simply being the first to release them at an attractive price. Fortunately, California has already passed an IoT cybersecurity law and these technologies might be regulated by other states and countries before something really bad happens.
7. Personal data breaches will continue.
Hundreds of breaches happened in the last few years, but more importantly, the volume of personal information stolen is growing exponentially. The chances that this data will be used for extortion or other nefarious purposes are extremely high — and other malicious actors need only to claim that they have obtained personal data to blackmail people. The most recent example is an ongoing sextortion scam in which racketeers contact breached email addresses from publicly available lists and then blackmail them with false claims that they were caught viewing porn, even though their computers were not even hacked.
A similar scenario can be used to blackmail an organization’s employees, but instead of asking for money, the bad guys demand the company’s IP or other valuable data. This risk of blackmail victims turning into malicious insiders is another reason for businesses to keep a close eye on employee permissions and activity.
There are plenty of other ways that attackers can benefit from stolen personal data. For example, they can use it for targeted phishing attacks, for accessing corporate and banking systems under a victim’s name, and other types of identity theft.
Some people might say that we live in a creepy Black Mirror TV show era, when your own pacemaker can kill you or a blackmailed employee can trade your company’s IP for silence about their porn habit. But there is no point in panicking. Forewarned is forearmed: To stay safe in 2019, employ basic security controls, be understand and comply with any regulations you might be subject to, and ensure to have visibility into your entire IT infrastructure and data. For even more tips and tricks, be sure to check out the Netwrix blog. Here’s to a prosperous and secure 2019!