Each year brings new global cybersecurity risks, and 2019 will be no exception. Expect privacy regulations to start to bite worldwide and more exploits targeting public clouds, while the proliferation of IoT devices will create a bigger attack surface for many organizations. But it’s not all bad news: a bigger emphasis on cloud security, increased collaboration to share threat intelligence, and AI will help organizations fight back.
As the regulatory tide rises worldwide, privacy legislation starts to bite
When the EU’s General Data Protection Regulation went live in May 2018, many people expected the event to be quickly followed by headline news of big fines levied for non-compliance—particularly since the maximum penalty is an eye-popping 4 percent of global revenue. Yet the reality is that it takes time for any new legislation to be tested, says Greg Day, VP & CSO, EMEA at Palo Alto Networks. “I believe that in 2019 we will start to see more penalties applied—and headlines generated—which will finally get the attention of executives that haven’t previously taken the regulation seriously,” he says.
And GDPR is only one element in a rising worldwide tide of regulation. EU nations are also slowly implementing the first EU-wide cybersecurity legislation, the NIS Directive. In the U.S., Congress passed the CLOUD Act, giving U.S. law enforcement the right to access data stored by technology companies in other countries, and California passed sweeping online privacy regulation that will likely have a national impact when it goes into force in 2020.
Data protection is also gaining ground in the Asia-Pacific region. Australia and Singapore were among the first to implement data-protection laws, and others may follow in 2019 as they wake up to the urgency of national security and data protection for their citizens. “The reality is that legislation will have an increasing impact on cybersecurity,” Day says. “Your legal counsel should become a close ally, if they’re not already.”
Cloud security woes continue…
2018 saw a growing list of incidents that targeted organizations’ cloud presence, including cryptojacking exploits that hijacked cloud resources for cryptocurrency mining. In many cases, a simple lack of good security fundamentals made compromise possible—perhaps because security teams weren’t engaged early in cloud projects, says Day. “It would be easy to just say be engaged in all cloud projects—but new projects seem to appear like endless rabbits pulled out of a magician’s hat,” he says. Expect those attacks to continue in 2019. The first step for security teams is to gain visibility across public clouds and the ability to spot projects as soon as they start, so they can begin to manage the risks.
But board-level support and cloud security standards can help
However, several trends will help strengthen cloud security. One is that boards and senior executives are prioritizing enterprise-wide cloud initiatives to replace fragmented approaches driven by individual business units, says Matt Chiodi, CSO, Public Cloud at Palo Alto Networks. “Most businesses now realize the cloud allows them to innovate faster, and view it as a differentiator for the organization,” he says. “2019 will be the year that boards begin to require CIOs and CISOs to implement organization-wide cloud initiatives—and hold their feet to the fire to make sure this becomes a reality.”
Chiodi also predicts that public cloud security standards will go mainstream in 2019; notably, the Center for Internet Security benchmark now provides a standard way to configure and measure security across Amazon, Microsoft and Google clouds. “Organizations now have no excuse for failing to adopt a security standard across their public cloud presence,” Chiodi says. “Implementing these standards is not a panacea—but it has the ability to greatly reduce many of the common cloud security issues we saw in 2018.”
And security technology itself will move to the cloud
Security technology will increasingly move from organizations’ premises to the cloud—and not just because companies are moving their applications there. For many organizations, the cloud will be the only practical way to obtain the storage capacity and processing power needed to quickly analyze and respond to the vast and ever-growing torrent of security-related data. “Organizations will need the cloud to run the latest cybersecurity algorithms fast enough to prevent business impact,” Day says. “Cloud can give CISOs and their teams the speed and scale of data analytics to overtake adversaries.”
As the digital mesh of IoT devices grows, so do the risks. And the expansion of connected devices and associated risks will accelerate with the rollout of 5G cellular networks, set to begin in many countries in 2019.
Day points to the security implications of two IoT trends: more interconnection and more data collection. “We must expect adversaries to use IoT devices as hopping-off points to another resource—or even worse, a way to gather data for a bigger, targeted attack,” he says. “We all remember when Alexa mistakenly listened to a couple’s conversation—now think about cybercriminals using voice-activated devices to gather intel on executives, or to generate fraudulent revenue streams.”
In 2019, a key goal for our personal and business lives is to maintain clear insight and control over what is connected and where, and over how those devices share and exchange information, Day says. For organizations, a key concept for IoT cybersecurity is Zero Trust networking, which uses techniques such as micro-segmentation and granular access permissions to prevent cyber attacks from spreading laterally across networks.
Cybersecurity collaboration expands
On the plus side, though, public and private entities will increasingly share intelligence to ward off and mitigate cyber impacts. “Collaboration has the potential to drive a systemic improvement in the use of threat intelligence to prevent cyber attacks,” Day says. Several years ago, for example, a handful of security vendors including Palo Alto Networks formed the Cyber Threat Alliance to provide better outcomes for customers. That alliance now has almost 20 members and continues to grow, Day says.
The information-sharing trend is expanding, enabling a broader range of organizations to gain the benefits, Chiodi says. Examples include MS-ISAC, which includes U.S. states and hundreds of local governments, and other groups that provide multiple membership levels to allow participation by smaller firms as well as larger organizations.
AI battles begin
Global cybersecurity experts will harness machine learning to analyze data and quickly identify attacks, Chiodi says. That’s because as attacks grow more sophisticated and the number of events grows exponentially, humans simply won’t be able to keep up—to decipher the signal in the noise. To date, security has lagged behind other disciplines such as marketing in applying machine learning, he adds—but that’s about to change. “I predict that 2019 will be the year that machine learning algorithms for security move from farm team to the big league,” Chiodi says.
But in security’s endless cat-and-mouse game, expect adversaries to look for ways to trick security AI—and to leverage AI for their own purposes. Indeed, “cybersecurity is moving into a machine-vs.-machine fight—with humans on hand to help and apply judgment,” Day says.
A busy 2019 ahead
In addition to these broad trends, there are other rising threats. Ransomware attacks are increasingly focusing on a smaller number of high-value targets whose technology is vital to serve their customers, which means we’re likely to see more attacks that leave entire organizations unable to operate, notes Alex Hinchcliffe, an analyst at Palo Alto Networks’ Unit 42 threat intelligence team. Hinchcliffe also says that as technologies such as facial and fingerprint recognition finally start to supplant passwords, attackers will follow, aiming to find new ways to gain and take advantage of user credentials.
One thing is for sure: cybersecurity isn’t going to become any less important or less hectic over the next year—which means cybersecurity professionals can look forward to a very busy 2019.