Cybersecurity in 2018: What will the new year bring?

3 Jan 2018

New year, new cybersecurity rules. Image: Olga Gorevan

2017 saw election interference speculation, a slew of data breaches and major ransomware attacks. What should we be keeping an eye out for as the new year begins?

Cybersecurity has never occupied the public consciousness quite the way it did in 2017. From the Equifax breach to the devastation caused by the WannaCry ransomware attack, barely a month went by that didn’t involve a faux pas of some kind.

As technology shifts and evolves, new challenges will be presented in the world of cybersecurity, so Siliconrepublic.com spoke to some experts about what to expect over the next 12 months.

IoT security will continue to be an issue

According to Ian Kilpatrick, executive vice-president of cybersecurity for Nuvias Group, IoT acceleration in 2018 will bring convenience and benefits, but also its fair share of problems. “Manufacturers are not yet routinely building security into IoT devices,” he said, adding that 2018 will see further problems thanks to unsecured IoT devices.

“IoT is a major threat and possibly the biggest threat to businesses in the coming years.

“Unfortunately, it is not easy – and, in some cases, impossible – to bolt on security as an afterthought with IoT, and many organisations will find it challenging to deal with the consequences of such breaches,” Kilpatrick said.

For many businesses, IoT will become the ultimate Trojan horse threat.

David Harley, senior research fellow at ESET, explained that the number of networked devices, from fridges to toys, could create more opportunities for bad actors, widening the attack surface.

Calling the potential phenomenon the “Ransomware of Things”, Harley said that while there is plenty of hacker interest in monetising unsecured IoT devices, attack methods could be utilised if traditional ransomware methods become less effective over time.

Harley added: “We shouldn’t underestimate the digital underworld’s tenacity and ability to come up with surprising twists.”

Critical infrastructure attacks will continue into 2018

In January of 2017, ESET researchers discovered a new piece of malware capable of controlling electricity substation switches and circuit breakers directly – in some cases “literally turning them off and on again” – which they dubbed ‘Industroyer’.

An attack like this could cripple transportation, turn out the lights on a massive scale or halt critical manufacturing. In terms of data centres, it could cause massive outages and create unforeseen costs.

ESET’s Stephen Cobb said: “The ability to carry out cyberattacks on the power grid will tend to increase through 2018 unless blocked by pre-emptive measures like system upgrades, early detection of network probing, and drastic improvement in phishing detection and avoidance.”

As well as staff training in phishing avoidance, Cobb also recommended that firms be aware of the increased risk of supply chain attacks.

Security literacy will increase across organisations

Randy Battat, CEO of US encryption software firm PreVeil, told Siliconrepublic.com that cybersecurity is finally becoming a priority outside of the IT department. “At first, cybersecurity was the domain of IT. Then, it migrated to the board of directors, where it became part of the fiduciary duty to protect the company.

“In 2018, everyday business users will become fed up with all the attacks and will demand that their companies do a better job of protecting their data.”

Battat added that system admins would also be outed as a central point of attack. “The dirty little secret in IT is that every system has administrators, and these admins have very broad privileges to access data.

“Compromising an admin is a great way to compromise an entire organisation’s data, and this vulnerability has been exploited in some of the biggest breaches to date.”

Mitigating this risk will require some structural reorganisation and cooperation by entire teams.

Those four little letters

With the General Data Protection Regulation (GDPR) just a few months away, citizens will gladly harness the new power they will have over their own data.

While non-compliance will result in major fines, the application of these fines on firms and organisations from outside the EU is not clear yet. Many are predicting that the EU will make an example of an extraterritorial company soon after 25 May in order to dissuade companies from taking a laissez-faire approach to compliance.

Expect to see the beginning of a cultural shift in terms of how people view the value of their data.

Cybersecurity and global politics

Electronic communication has caused a seismic shift in the political landscape, with cyber-espionage taking up inches of media space throughout 2017 and 2016.

Electronic ballot procedures were shown to have been faulty, and national cybersecurity is becoming a much higher priority in an increasingly fraught global landscape.

The death of the password?

New technologies such as blockchain, biometrics and encryption tools look set to turn the tide against traditional passwords towards shared authentication and responsibility for information security in organisations.

The days of easily guessed seven-digit passwords and sharing information on a Post-it in the office could be coming to a close.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com