The digital revolution is pushing innovation forward, causing the digital threat landscape to expand exponentially. However, there is one critical factor that is all too frequently overlooked – security. It is essential to be on top of the most significant trends in cybersecurity and have an effective cybersecurity plan in place. As the scale and quality of cyberattacks evolve, businesses and governments must know how to protect themselves. In this article, Phoenix Chen, marketing manager of TÜV Rheinland, examines eight cybersecurity trends for 2018 that companies should be aware of.
1. The increased price of regulation
A rising tide of cybersecurity regulation and recommendations adds complication. These new requirements are often inconsistent from country to country, among the agencies of the same government and from industry to industry. The European Union’s (EU’s) General Data Protection Regulation (GDPR) goes into effect on 25th May 2018. Its aim is to protect the data of EU citizens and it introduces hefty penalties for those that fail to comply.
The GDPR has spurred a global trend as European regulators have started mandating greater accountability when it comes to protecting data. The United States (US), Argentina, Brazil, Switzerland, India and China are revising their existing regulations and are focusing on informed user consent and data breach notifications. Yet this has also led to regulatory fragmentation driven by territorial requirements for data protection and cross-border data flows. For global organisations, this will make international operations increasingly costly and complex.
2. The convergence of safety, cybersecurity and data privacy
The impact of data breaches now extends far beyond simple data monetisation to ‘kinetic’ threats to health and safety, as devices and systems are directly connected to open networks. The state of Internet of things (IOT) security is poor and, with homes expected to have more than 500 connected devices working by the year 2022, major risks to safety, cybersecurity, and data privacy are anticipated.
Many IOT devices are fundamentally insecure, leaving product manufacturers and customers exposed to cyberattacks. Manufacturers are under increased pressure to out-innovate the competition while protecting their margins. This entails producing devices that are functional, connected and secure, while limiting power consumption in order to extend battery life. To save time and money, software developers use open-source code libraries. However, these third-party libraries can also be a source of critical vulnerabilities. A good example is the ‘Devil’s Ivy’ vulnerability, recently found in the gSOAP toolkit used by manufacturers to connect their devices to the Internet. It is estimated that over one million devices are potentially vulnerable to this exploit.
3. Operational technology as a frontline for cyberattacks
As utility companies seek greater operational efficiency and effectiveness, they are introducing internet connections to their existing operational technology network. Moving process equipment online can unwittingly expose component vulnerabilities to cyberattacks. The spectre of a worst-case scenario, where attackers trigger a breakdown in systems that underpin society, was highlighted this year at the World Economic Forum.
The industrial Internet is impacting global industry and infrastructure. For the past 15 years, the Internet has been transforming business-to-consumer relationships by democratising information-based industries such as media, retail and financial services, and is set to disrupt physical industries in manufacturing, energy, transportation and agriculture. This trend will bring unprecedented opportunities along with new risks.
For decades, measurement data has been used by industrial sectors to not only improve productivity and competitiveness but to save energy as well. At its most basic, current data is compared with historical data to determine how processes should be run, and analytics provide recommendations, enhancements and warnings to support decision making. The next big step is to move measurement data into the cloud. This way, information from around the globe can be appropriately utilised.
4. The shift in focus to threat detection and response
In the aftermath of recent cyberattacks on high-profile organisations, attention is shifting from setting up defences to shortening the time it takes to detect and respond to an attack. Today, on average, organisations take over 191 days to detect a data breach, and the longer the lag time the more damage is done. Organisations are plagued by costly dwell times due to incumbent technologies, the ineffective use of threat intelligence, an inability to monitor IOT devices and having employees with insufficient expertise on cybersecurity.
5. Increasing the use of artificial intelligence (AI)
Traditional methods of detecting malware and cybersecurity threats are failing, as cyber criminals are constantly coming up with new ways to bypass firewalls and threaten an organisation’s security. AI is poised to change this. Attacks and responses will be faster, more precise and more disruptive. Threats will be dealt with in hours, not days or weeks.
6. Certifications are becoming necessary
There is a growing concern surrounding trust in cybersecurity, as evidenced by existing and emerging standards. For chief information security officers and product manufacturers alike, certifications validate someone’s knowledge and experience. Today, however, product security assurance certification schemes tend to focus on critical infrastructure and government sectors only. Organisations need to demonstrate their commitment to cybersecurity both in the public and private sectors.
7. Passwords are being replaced
The password-only approach to security authentication is on the verge of a revolution. To protect data inputted into an application, selecting an obscure and complex password, and changing it often, is good practice but quite rare. In addition, since stolen, hacked and traded passwords have never before been so openly available, biometric authentication has the potential to ameliorate many of these security concerns.
8. Industries under siege
The value of information on the dark web depends on the demand for it, the available supply, its completeness and whether it can be reused. As a result, healthcare and financial personal information are highly sought after. Medical records can fetch 1–1,000 United States dollars (USD), depending on how complete they are, while credit cards can fetch only USD 5–30, if bundled with the information necessary to do immediate damage.
A disruption to critical services through attacks on the energy sector has been a key problem in 2018, as evidenced by the recent news of Russia’s cyberattacks targeting the US power grid. Particularly at risk are companies engaged in alternative energy development, coal mining, nuclear energy development, natural gas distribution, oil and gas exploration and production, oil and gas field equipment manufacturing, and oil and gas petroleum refining. They are important targets given their importance to national and economic security, and it is no wonder that concerns over potential cyberattacks have become increasingly acute this past year.
“Public awareness has to be raised to increasing cybersecurity risks impacting business and safety,” said Frank Luzsicza, executive vice president of ICT & Business Solutions at TÜV Rheinland. “We should focus on where we see the most significant threats and opportunities emerging. We should also highlight the implications of our increasingly connected world, how global regulation is responding, the need to inject trust into cybersecurity, ways to protect ourselves from ‘intelligent’ cyberattacks and what we should do to close the skills gap in an environment starved for cybersecurity talent yet overwhelmed by volumes of data.”
TÜV Rheinland is a global leader in independent inspection services, founded over 140 years ago. The group employs 19,300 people in 69 countries worldwide. Our independent experts stand for quality and safety for people, technology and the environment in nearly all aspects of life. TÜV Rheinland inspects technical equipment, products and services, and oversees projects and processes for companies.