Ensuring data privacy became the main challenge for many organizations in 2018. While Europe was desperately getting ready for GDPR compliance, the rest of the world was deeply affected by data privacy scandals around Google and Facebook. In the foreseeable future protection of data privacy and security will become a key target for the majority of organizations. Seven IT security trends will likely influence businesses in 2019.
#1. Stricter compliance rules.
There are two major trends in the realm of compliance.
First, attention towards protecting personally identifiable information (PII) will lead to creation of new data security and privacy laws. Within the next five years, we should expect adoption of a national data privacy standard in the U.S., which would echo the GDPR. Organizations can get ready in advance by adopting security best practices like ongoing IT risk assessment, regular auditing, and ensuring profound visibility into data repositories and user activity.
Second, we anticipate stricter enforcement of existing compliance standards. Most likely, the first in line will be data breach notification rules, due to the increased number of incidences in which companies hid breaches — for instance, it took Cathay Pacific seven months to notify authorities about the exposure of 9.4 million passenger records, and it took Google six months to disclose that data on 500,000 Google+ users was leaked. The Office of the Australian Information Commissioner has already introduced mandatory reporting on data breaches within 30 days. Also, the Gramm Leach Bliley Act (GLBA) is about to enact a requirement to notify consumers of a data breach within six months. We are convinced that more and more standards will tighten in 2019, and stricter breach notification rules are just the start.
#2. Focus on data security.
The concept of a network perimeter has faded away, but the mindset of perimeter defense still dominates over data-centric approach. Even if an organization does not store national defense plans, it certainly stores personal data — on employees, customers or both — that needs protection due to tightened compliance regulations and increased attention from the public about the security of their PII.
To succeed in 2019, organizations should understand what kind of data they store, where it is located, who has access to it and how it is handled. Thus, data-centric security will drive an increased need for data discovery solutions. Ongoing data discovery will be a must in 2019 and beyond.
#3. Faster cloud adoption.
According to LogicMonitor’s study, 83% of enterprise workloads will be in the cloud by 2020. Certainly, the problem of data security in the cloud will become more acute.
General security best practices will stay the same: Encrypt your data; grant access on a need-to-know basis; implement data recovery processes; be on the lookout for open or unprotected APIs; and streamline monitoring of your cloud infrastructure. To automate the execution of certain security operations and minimize human error risk, you will also have to consider AI and machine learning technologies (more on this in #4).
Large enterprises will focus on developing in-house software to refine or automate business processes, primarily in the cloud. To ensure that security is not an afterthought but a full-on part of business enterprises would expand recruitment of their own SecDevOps teams to build security into custom solutions during the development and testing stages.
#4. AI and advanced analytics complement security solutions.
Due to the severe shortage of InfoSec skills and employees, organizations will continue looking for ways to automate IT security processes. Therefore, we expect an increased demand for solutions that incorporate advanced analytics, artificial intelligence (AI) and machine learning (ML) technologies. Vendors will provide more and more comprehensive ways to automate security processes so within the next few years we should expect AI, analytics and ML to become an integral part of the security industry. Moreover, traditionally complex and expensive solutions will have to adapt to increasing market demand for more lightweight alternatives. We can expect solutions that are easier to deploy, cheaper and possibly less sophisticated — but still based on ML.
Before getting into AI, organizations are advised to ensure they have essential security controls and processes in place, such as regular risk analysis, IT environment monitoring, configuration management and so on. Only once their security posture is mature enough should organizations adopt more complex technologies like machine learning or UEBA.
#5. Blockchain is used for IT security.
The potential for applying blockchain technologies for data security will be realized more and more. Blockchain eliminates the problem of a single point of failure and makes it hard for malefactors to compromise large volumes of data. Plus, such solutions help verify data transactions and bring more transparency into a company’s operations. Successful examples include the U.S. Food and Drug Administration (FDA) that built a blockchain-based health data sharing platform to facilitate real-time exchange of patient data between the agency and partner hospitals.
Blockchain-based data security would not be widely adopted in 2019, but market penetration will steadily rise. Our advice to data security leaders is to get familiar with the technology and consider adopting it in the future.
#6. Raising cyber threat for IoT devices.
IoT devices will continue to be a target for hacking. One of the reasons is that IoT market is on the rise so startups and entrepreneurs often sacrifice security for time to market. Vivid examples include St. Jude’s cardiac devices, which a hacker could access in order to deplete the battery or administer incorrect pacing and shocks, and a hijack of the digital systems of a Jeep with a Wired journalist riding it. Also, Ben-Gurion University researchers found that hackers can easily access baby monitors, home security cameras and other devices by cracking the default passwords common for many brands.
We expect that in 2019, hackers will try new types of attacks aimed at IoT. To be secure, consumers should at least make sure to have a unique, strong password for each device. To encourage manufacturers adopt security by design approach government imposes new compliance requirements, e.g. California has already passed an IoT cybersecurity law, so similar regulations are likely to appear in other states and countries.
#7. Personal data is at risk.
The volume of personal information stolen is growing exponentially. Hackers are still experimenting with the ways to leverage it, like targeted phishing attacks or identity theft, sometimes it results in blackmailing people. The most recent example is an ongoing sextortion scam in which racketeers contact breached email addresses from publicly available lists and then blackmail them with false claims that they were caught viewing porn, even though their computers were not even hacked. A similar scenario can be used to blackmail an organization’s employees, but instead of asking for money, adversaries demand corporate data. This risk of blackmail victims turning into malicious insiders is another reason for businesses to keep a close eye on employee permissions and activity.
To stay safe in 2019, organizations are encouraged to employ basic security controls, understand and comply with any regulations they are subject to, and ensure to have visibility into the entire IT infrastructure and data.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.