How Secure Can Your Company Be?

Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the various findings from the in-depth, 18-country survey discussed in this report is that organizations that are mostly or completely enabled to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) had a significantly smaller number of data breaches during the past year than their counterparts that are least prepared to satisfy the requirements of the GDPR.

One one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations experienced a breach. Clearly, GDPR is having a positive impact on data security.

Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.

This kind of result prompts a bigger question: just how secure can any organization be in the context of security? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a guaranteed advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization not experience even one data breach in the course of a year? Could it not experience even a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?

Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.

In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?

Cybersecurity Predictions for 2019

Around this time of year, it seems as though everyone publishes their predictions about what they think will happen during the next 12 months. Being one in that “everyone”, I decided to follow suit:

Boards of directors will be a focus for security education
Boards of directors’ knowledge about business issues is generally quite good, but knowledge about security issues is typically not their strong suit. As a result, CISOs, security managers and others charged with providing security for their organizations often feel overstressed and under supported. However, we believe that 2019 will be a turning point during which boards will get serious about security. This enlightenment will be driven by high profile data breaches (the Marriott data breach of 500 million records figuring prominently in this awakening) and will take the form of making more CISOs board members, discussing security issues at most or all board meetings, and accelerating funding for security in most organizations.

Ransomware will make a comeback, but with low ransom demands
The ransomware problem was terrible in 2016, got worse in 2017, softened a bit in 2018, but will make a comeback in 2019. However, we believe that the focus of ransomware authors in 2019 will be low level ransom demands, perhaps on the order of $20 to $40. The goal of cybercriminals will be to make ransom demands low enough to make paying the ransom an easy decision akin to an impulse buy at a supermarket check stand. Moreover, these ransom demands will come with full instructions about how to pay the ransom using Bitcoin or other cryptocurrencies.

Cryptocurrency mining will become a much more serious threat
Osterman Research believes that the price of Bitcoin will recover significantly from the significant drop it has experienced during 2018. This will motivate more external cybercriminals to infiltrate corporate systems for the purpose of installing cryptocurrency mining malware on various corporate servers, and it will motivate some insiders to do likewise.

Home routers will become a greater focus of corporate security managers
The large number of employees who work some or all of the time from home, coupled with the fact that 83 percent of routers in the US have unpatched vulnerabilities, leads us to believe that a rapidly growing threat focus will be employees working from home. The relatively low use of VPNs, which ranges from 18 percent to 30 percent worldwide, will contribute significantly to this threat and will motivate corporate security managers to address the security of their employees’ home-based security infrastructure in a much more serious way.

Malware will be used to damage the reputations of celebrities and high level government officials
A tool commonly used to tarnish the reputations of celebrities, nominees to high level government positions and others is to reveal information they have posted to social media in the past, sometimes many years past. Osterman Research believes that in a few cases during 2019, some will go one step further and use malware to install compromising content on the computers, social media accounts or cloud accounts of celebrities and others. For example, while malware has been used in the past to install child abuse images on the computers of victims, such as in a 2009 case involving an employee for the Commonwealth of Massachusetts, we believe this approach will be used to discredit a few high-profile individuals in 2019.

The market for security awareness training will grow significantly
Employees are the last line of defense in any security infrastructure. Because technology-based solutions cannot block 100 percent of malicious content 100 percent of the time, employees need to be trained to deal with the phishing, spearphishing and other threats that will inevitably reach them. While the market for security awareness training has been growing at a healthy pace over the past several years, the fairly recent spate of acquisitions in this space by mainstream security solution providers will accelerate the trend at an even faster pace.

The market for web isolation technology will explode
A significant share of malware and other threats enters the corporate network through web browsing, webmail access and the like. To combat this, organizations of all sizes will increase their use of web isolation technology to prevent this avenue of attack from being effective. While these technologies have been available for several years, we believe that 2019 will be the breakout year for them.