Data protection is no longer just a technology issue—its political and commercial impact is far-reaching.
In 2018, we saw the Europe Union introduce sweeping data protection legislation under the General Data Protection Regulation (GDPR). And in the United States, leaders of tech giants testified before Congress regarding data privacy and protection. There’s a heightened awareness of and expectation for better information security and that’s a good thing.
But just as a new data protection baseline has been established, the complexity and frequency of cyber security threats is increasing. Threats that were novel a few years ago are now available as-a-service and with little technical expertise. 2018 saw an increase in hijacking IT resources for mining cryptocurrency, but ransomware, insider attacks and malware aren’t letting up. While these threats will continue, here are some key trends to keep a close eye on in the year ahead.
1. Operational technology and critical infrastructure security
Large industrial and critical infrastructure installations now depend on the Internet for remote management and monitoring. At the other end of the scale, cardiac pacemakers embedded in patients have required software updates to fix security vulnerabilities. This trend is set to continue, and we’ll see an increase in attacks and security flaws being identified in technology that aren’t traditional targets. Internet of Things devices will continue to be targeted given their low level of security, and we’re likely to see some more significant operational technology and critical infrastructure security incidents in the coming year.
2. The two faces of cloud security
As application delivery continues to migrate to a software-as-a-service delivery model, security around cloud-based applications will need improvement. Enterprises are getting better at securing these apps, but ease of access consistently introduces risks to organizations where the necessary level of security hardening hasn’t been applied. This is difficult to manage, however, as the use of some apps are undertaken as Shadow IT.
Enterprise applications should continue to integrate with centralized identity and access management tools such as Azure Active Directory, but applications that fall outside of enterprise IT responsibility will continue to experience incidents due to poor security consideration.
3. Commercial espionage and political warfare
Whilst most developed countries have laws against cyber-attacks, the Internet is a global network. More governments are recognizing attacks and cyber defense as key elements to their military capability. Commercial organizations need to be conscious their digital assets must be protected from competitors, especially those operating from countries with weak data protection and security laws. The future will see increases in commercial espionage and intelligence capturing in order to provide competitive advantage.
4. Boardroom concerns (again) for GDPR and the US
The GDPR became effective in May 2018 and carried with it an intense focus by boardrooms. Since then, there’s been great anticipation as to how the enforcement of the law will play out. Company boards are likely to redouble this focus once the first substantial fines are handed down by regulators following breaches. As talks of a US version of GDPR continue for another year, US-based companies will be watching for trends in enforcement overall effectiveness of the law to improve data protection.
5. Increased security integration
Securing an organization requires an undertaking of many different practices. With the rise of the perimeter-less corporate network (data and systems outside of the corporate network), it’s an even greater challenge to secure all enterprise assets. We’ll see a gradual improvement in integration and management tools, so that enterprises can manage their digital assets wherever they’re hosted; on-premise, in the cloud or even on personal devices.
It comes as no surprise that more security incidents will be reported in 2019 and beyond. This is due to mandatory reporting requirements in the EU and other jurisdictions, non-traditional systems being successfully targeted and sophisticated corporate and government-driven attacks becoming more common and widely reported. To stay secure, leaders will grow their IT investments, but may find themselves to be too far behind; the current security skills shortage will only intensify as demand outpaces the available talent pool. The security journey for organizations will become even more pervasive with expanding needs for skills and the cost for security compliance—this is one demand curve that will only continue to increase over time.