Let’s face it: 2017 was a terrible year for cyber security with more phishing scams, ransomware, state-sponsored attacks, and new attack vectors. Will 2018 be better?
By Michael Nadeau Senior Editor, CSO
Given what’s happened in 2017 — the Equifax breach, state-sponsored attacks, Russian manipulation of social media, Wannacry, and more phishing scams than we can count — you might not be looking forward to 2018. Breaches will be bigger, hackers will be smarter, and security teams and budgets won’t seem to keep pace.
There is reason to be optimistic, though. Yes, some things will get worse before they get better, but we expect real progress in a few areas. Here’s what we think will happen next year.
1. Many, if not most, U.S. companies will not meet GDPR compliance by deadline
Surveys show that U.S. companies subject to the European Union’s (EU) General Data Protection Regulation (GDPR) are far behind where they need to be to make the May 25 compliance deadline. For some, it might not matter.
Regulators will not audit for GDPR compliance, so companies are vulnerable to fines only if there is a breach or EU citizens file complaints. Even if a company experiences a breach or complaint, regulators will likely treat it leniently if the company can document good-faith efforts to comply.
rganizations that don’t take GDPR seriously and experience an event that triggers an investigation by regulators are at real risk of a heavy fine. That leads us to our next prediction.
2. GDPR regulators will quickly make an example of an organization
There are two schools of thought about whom regulators will target first. Some say they will set a precedent first with an EU company because they are perceived to be less likely to fight a fine. Others believe that regulators will not only go after a U.S. company early, but they have specific companies in mind.
It’s not hard to guess which companies they might be. Google, Apple, Amazon, and Facebook have all had contentious relationships with the European Commission on privacy and antitrust issues. If any of these four show signs of non-compliance with GDPR, EU regulators might well seize the opportunity to make a statement.
Other companies are not likely to be early targets unless an especially egregious event occurs that could have been prevented or minimized had GDPR rules been followed. The safe plan is to make your best effort to be in compliance by May 25.
3. The decline of password-only authentication will accelerate
The Equifax and Anthem breaches were wake-up calls for many consumers, who are now asking questions about the safety of their online accounts. Most still have no idea about password alternatives or enhancements
like multi-factor authentication (MFA) or risk-based authentication, but they are more aware that passwords alone no longer are enough. In fact, research done by Bitdefender shows that U.S. citizens are more concerned about stolen identities (79 percent) than email hacking (70 percent) or home break-ins (63 percent).
This is important, because companies often cite a lack of demand for stronger authentication as a reason for not offering it. They are reluctant to do so, in part, because they don’t want more complicated authentication degrading the user experience.
That worry will be eased by risk-based authentication tools that are becoming widely available. These tools work in the background to assess behavior and other data to determine the likelihood that the person attempting access is actually authorized. Coupled with MFA, risk-based authentication puts up a strong barrier to unauthorized access.
Risk-based authentication is often bundled with identity and access management (IAM) tools. According to Stratistics MRC, the IAM market is projected to grow at a compound annual growth rate of 14.8 percent in 2018, which is another indicator that password-only authentication is headed to extinction.
Liability concerns over compromised credentials are also driving companies to stronger authentication. In its Data Breach Industry Forecast, Experian points out that, after a major data breach at one company, credential reuse affects other companies. They are forced to notify users when hackers use their stolen credentials to fraudulently access services.
Experian calls this an aftershock breach, and the report urges organizations to deploy secondary authentication methods. “Given the continued success of aftershock breaches involving username and passwords, we predict that attackers are going to take the same approach with other types of attacks involving even more personal information, such as social security numbers or medical information,” the report stated.