David Ferbrache, Global Head of Cyber Futures, KPMG in the UK offers 10 cybersecurity predictions for the year ahead
Our world is changing, and with it, the cybersecurity challenges that we all face in securing that world. The coming of a new year is, of course, just another day in the calendar, but it's also a chance to take stock and wonder just what the next few years may bring.
So I thought I would offer 10 predictions for the future. So here goes.
1. The creativity of organized crime continues to challenge us
Extortion through ransomware makes money with losses increasing as criminals become more careful in selecting their targets, spend longer working out how to extort money most effectively and ratchet up their ransom demands into the hundreds of thousands or even millions of dollars. Companies increasingly look to the cyber insurance sector to cover those payments. Expect insurers nursing growing losses to become more selective in just what and who they're prepared to insure as cyber insurance comes of age. With regulatory penalties rising for cyber incidents, also expect criminals to be creative in encouraging clients into paying ransoms rather than risk public disclosure of sensitive data or security weaknesses. I suspect criminals will also have an eye to the potential for deep fakes, which makes it harder to distinguish truth from fiction and open up new avenues for reputational harm and blackmail.
2. The speed and scale of exploitation increases
While the old staples of CEO fraud and business email compromise are still with us, criminals have found new opportunities in poorly configured cloud services, web sites and content delivery networks. Quickly spotting those vulnerable systems using automated tooling has opened the door to attacks at speed and scale, leading to data breaches, installation of payment skimmers and system disruption. And of course, organized crime has an eye to the attack surfaces offered by 5G and interconnected internet of things devices. For their part, law enforcement and tech companies are getting much better at taking down and disrupting criminal infrastructure, with some big and high profile successes recently. Expect digital combat to continue, with more sophisticated analytics and rapid interventions to disrupt criminal infrastructure, as active defense becomes commonplace.
3. The global commons will vanish
The dream of a global commons in cyberspace is dying. Countries are increasingly regulating to create walled gardens and national fortresses to defend their corner of the internet. Some countries demand that personal data be processed in-country. Others seek to limit the use of overseas technologies, yet more erect increasingly sophisticated national firewalls to control and limit access by their citizens to the internet or protect their national networks against malicious activity, however defined. Businesses are being forced to adapt their global models to create in-country or in-region data centers or cloud instances. The extra-territorial ambition of many national legislative instruments on privacy, cybercrime and national security is creating a complex and conflicting network of obligations requiring firms to pay increasing attention to the origin and nature of the data they process and handle. Metadata matters more than ever.
4. The lawyers are moving in
Regulatory sanctions are increasing as many countries implement stricter privacy regimes and also impose greater penalties for service disruption and data breaches. There's an inevitability around the litigation, which follows as companies seek to challenge fines running into the hundreds of millions of dollars. Just what’s good practice, and what represents negligence on the part of a breached organization? A single line in the General Data Protection Regulation states that personal data shall be "processed in a manner that ensures appropriate security." Who's the arbiter of appropriate? Separately the class action suits continue post data security breaches in the US, often taking years to conclude, while other nations establish the norms around group litigation to protect consumer interests, including around the internet of things. Will courts accept expert testimony, or will we see recourse to standards as the only means of organizations providing comfort around their security controls, and will that really make us more secure?
5. The death of anonymity
Countries are demanding the policing of content on social media. But where do we draw the line between free speech and content which is harmful, libelous, subversive or immoral? Every nation will have its views. It'll look to social media giants to police their content in line with those ill-defined norms demanding takedown of content nationally and blocking of content from overseas. Content filtering is becoming a massive industry increasingly reliant on artificial intelligence systems to screen bulk data. The censor bots are arriving. Long-standing debates on end-end encryption will continue as nations demand access to digital platforms for national security and law enforcement reasons, and the tensions between individual rights and those of the state become starker. Fragmentation of the internet seems more and more likely. Amongst all of this, the ability to stay anonymous is disappearing as nations mandate stricter sign-up conditions and authentication mechanisms for access to internet resources.
So that covers the geopolitics and the changing nature of power in cyberspace. These predictions, of course, will have implications for all of us. But I remain an optimist, and I again look to the Internet as providing the heart of our modern world. The technology is neutral—what we do with it is our choice.
Hereafter, I want to focus down more on the changes KPMG member firms are seeing with how clients implement security. And what that means for cybersecurity as a profession and practice.
Let's start with one of the trends that I see in many of my financial sector clients, but increasingly in other sectors too.
6. The budgets are getting tighter
The renaming of information security to cybersecurity, for many, is seen as an afterthought in the process of transforming a business to exploit the opportunities of the digital world. Whether considered an overhead, a risk reduction exercise, or at best a necessary evil – the money is flowing into transformational projects as companies radically re-engineer their business models to seize the opportunities of the digital world. And that places pressure on business as usual activity as the drive for efficiencies grows. Many CISOs are now being asked to achieve cost reductions, particularly in the financial services sector. And many executives may assume that cybersecurity can be 'fixed' by a change program rather than being seen as an integral and ongoing part of running and transforming the business. So the pressure is on to reduce compliance costs, to automate security functions, and to move away from the 'buy it all' approach to purchasing security solutions. Rationalization is becoming the order of the day.
7. The mindset of security is changing for the better
Security is often still seen as an add-on with an additional cost – a suite of new additional software components, hardware boxes flashing away in data center racks, and separate teams of security professionals. This view of security is starting to change. More and more security functionality is being built into the core of operating systems, cloud platforms, and endpoint devices at the point of manufacture. This change is disrupting the security marketplace of vendors who provide those add-on endpoint and perimeter security solutions and operations capabilities, and we'll see consolidation in the market beginning. Also, embedding security into the agile development processes and tools used by developers has started. It's enabling a very different approach that uses standard security libraries, test processes, and tooling integrated into the continuous implementation/ delivery cycles used by developers. Allowing a continuous compliance approach to security that helps embed a secure by design mindset.
8. The ecosystem remains a challenge
The supplier and partner ecosystem, in which most companies operate, is becoming more complex, more integrated, and more interdependent. Software as a service has arrived, creating a web of interdependencies and shadow IT; web servers embed third-party analytics and services; open application programming interfaces allow external partners access into core systems and databases. The potential for a supplier or partner compromise to disrupt your business has grown, and the customers and regulators can be unforgiving when that leads to a breach of your customers' data or a failure of your critical business services. In my opinion, the tick box approach to embedding third-party assurance has become unworkable. It fails to capture the sophistication of modern business interactions while simultaneously being viewed as a costly overhead that limits flexibility and speed to market. Risk scoring services are immature, utility models for assuring suppliers remain nascent and often unsupported by key regulators, and controls on third parties remain inconsistent or ineffective. There's a need for a fundamental shift in the security model to one that takes account of the extended enterprise, which characterizes our businesses today. Will zero trust provide the answer? Will the cloud providers offer security in multi-tenanted environments that implements data-centric security? And will the cyber insurance industry find common cause with major companies in driving the right supply chain behaviors?
9. The consequences matter
While business rightly focuses on reducing the likelihood of a successful attack, regulators are shifting their attention to driving companies to think about what they can do to reduce the impact of an attack, if and when it happens. What are the critical business services that could impact the customer, the broader industry, or even the nation? What can companies do to reduce the harm if disruption of those services occurs? How can they get back to business quickly, offering alternative services, or helping the impacted customers manage without the service? A customer-centric approach agnostic to the cause of the incident, be it cyber-attack, technology resilience issues, or a physical event. Suddenly security finds itself working with strange bedfellows such as business continuity, disaster recovery, and fraud control. At the worst, this will create another compliance overhead, but done well; it'll encourage a focus on critical services and the customer. The UK's financial sector operational resilience regulations will be finalized in late 2020, keenly watched by other financial regulators around the world.
10. And governments remain worried about the unthinkable
Concern over the security issues associated with critical national infrastructure hasn't diminished, and investments are beginning to be made in utility sectors to raise standards, segregate vulnerable systems, and improve monitoring and response actions. Regulatory pressures are increasing as governments move from establishing regulatory frameworks to testing and challenging industry security. In politically sensitive regions of the world, attacks on infrastructure systems are increasing in frequency as part of broader political and military action, and nations continue to build out cyber forces and cyber commands as part of their military-industrial complex. There are perhaps some signs of hope that international norms may begin to coalesce, building on the recent Paris call for Trust and Security in Cyberspace with a consensus emerging around avoidance of the most aggressive behaviors in our interconnected world.
And one last thing. A few years ago, when I made my predictions, I called for the death of the password – I was premature, and it remains alive and well – and as vulnerable as ever. Let me do it again and predict that the time has come for new approaches to authentication, which don't rely on a single guessable and replayable password. Whether that be enabling multi-factor authentication on those internet-facing cloud services, the rise of biometrics, or the embedding of more sophisticated behavioral biometrics and analysis – it's time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.