2017 was another banner year for data breaches, with the Identity Theft Resource Center reporting a total of 1,222 breaches as of December 6th and over 172,432,587 records exposed. With another month to go, the totals have already surpassed 2016’s all-time record high of 1,093, which was a 40% increase over 2015’s 780 reported breaches.
2017 Key Cybersecurity Findings
As the year closes, it is important to look back on the cybersecurity landscape of 2017 so that we can be better prepared for what 2018 will hold. Stealthbits Technology’s 2017 Cybersecurity Recap and 2018 Predictions report leveraged industry data to compile key findings and use them as a baseline for 2018 predictions in cybersecurity – considering factors such as the biggest data breaches of the 21st century, the cost and likelihood of a data breach as well as breach settlements, ransomware attacks, and the leading security threats by country. The report reveals some interesting findings, proving that cybersecurity will have a challenging road ahead in the fight against fraud.
- Data breach settlements in 2017 totaled nearly $170 million, with malware, insider threats, hacktivists, and cybercriminals as the main causes of data breaches.
- Cyberattacks in 2017 occurred at double the rate they did in 2016. According to Hackmageddon.com, there were 774 cyberattacks from January through October of 2017, affecting the personal and user information of literally billions of internet users worldwide.
- Cyberattacks are considered a major threat in other countries, with the Pew Research Center report citing cyberattacks as a top concern of 41,953 respondents in 38 countries including Japan, the U.S., Germany and the UK, where many high-profile attacks have occurred.
- The chances of being struck by lightning are 1 in 960,000. According to the Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview, the odds of experiencing a data breach are as high as 1 in 4.
- Ponemon Institute’s Overview also reports that the average total cost of a data breach is $3.62 million in 2017, a decrease of 10% over 2016. Additionally, the global average cost per record for this year’s report is $141, which represents a decrease of 11.4% over last year.
- Despite the reduction in the cost of a data breach in 2017, the average size of a data breach increased by 1.8% from 2016, to 24,089 records.
- In the 2018 Global State of Information Security Survey (GSISS), conducted by PricewaterhouseCoopers (PwC), of the 9,500 executives in 122 countries surveyed, 44% said they do not have an overall information security strategy, 48% do not have an employee security awareness training program, and 54% do not have an incident response plan in place.
- Ransomware attacks have grown by 2,502% this year, with ransomware sales on the dark web increasing from $400,000 in 2016 to a staggering $6.25 million in 2017.
A Summary of 2018 Predictions
Cybersecurity will certainly continue to be tested. Stealthbits Technology’s report predicts that in 2018, while organizations will continue to invest in network, endpoint, and application security, they will also continue to fail to protect what cybercriminals are seeking to obtain – sensitive data and credentials.
Within security organizations, data security teams will need to continue to focus on people, process, and technology. They will need to identify the holes in their organizations, from both a personnel standpoint and a process standpoint, then implement the proper technologies to help with some of those gaps. Ultimately, automation through technology will be key to closing the gaps in people and process.
Security Experts Weigh in on 2018 Cybersecurity Predictions
A recent Forbes article highlighted a variety of cybersecurity predictions for 2018, with insights provided by 60 security technology outlets, experts and organizations. Below is a brief summary of the top cybersecurity concerns for 2018.
Attacks on the US government and critical infrastructure
With attacks on power grids and manufacturing plants already reported in Europe in the last two years, experts fear that 2018 will likely be the first year in which a significant attack on U.S. critical infrastructure occurs. Additionally, tension between the U.S. and other countries could escalate into cyberattacks.
In October, the FBI and DHS warned of advanced persistent threat activity targeting energy, nuclear, water, aviation, construction, and critical manufacturing sectors. Critical infrastructure companies are behind in preparing their operational facilities to confront cyberattacks – making them an easy target for politically-motivated attackers – Adi Dar, CEO, Cyberbit
Consumer privacy and the GDPR
Established by the European Commission, the General Data Protection Regulation (GDPR) is a set of rules governing the privacy and security of personal data in Europe, but the regulation applies to every country in the world. Companies are expected to be in compliance by May 2018, and those that are not could face fines of up to 4% of their global annual revenue. How companies prepare and how the regulation is enforced will be a top security concern for company boards in 2018.
Regulations for data privacy and security are a giant step in the right direction at a time when businesses are increasingly becoming data-driven in order to gain competitive advantage, while the rate and sophistication of security threats continue to rise. Security experts expect to see the new regulations enforced, with clear consequences for organizations that do not implement a minimum standard of prevention.
Data privacy and data security have long been considered two separate missions with two separate objectives, but all that stands to change in 2018. With serious global regulations kicking into effect, and with the regulatory responses to data breaches increasing, organizations will build new data management frameworks centered on controlling data – controlling who sees what data, in what state, and for what purpose. 2018 will prove that cybersecurity without privacy is a thing of the past – Andrew Burt, Chief Privacy Officer and Legal Engineer, Immuta
The Internet of Things (IoT)
The IoT includes the growing list of connected devices like smart thermostats, smart light bulbs and voice-activated assistants. Such electronics often come with security vulnerabilities that leave networks open to exploitation by hackers.
Once an IoT device gets synced with a laptop, smartphone or tablet, all of the data on those machines can be compromised. Unfortunately, many of the IoT devices being manufactured today rely on cheap electronics that are incapable of supporting the security protocols that have become standard in other mobile devices. Even if a product is designed to meet the latest security standards, most IoT devices aren’t set up to receive automatic updates, so they remain vulnerable to new types of malware.
Most security breaches are financially motivated, but hackers could use IoT devices with cameras or GPS systems to stalk or spy on users. Cyber terrorism also poses a threat to all humanity since successful attacks on power grids could have deadly consequences if hospitals, subways and other public services get disrupted.
2018 will be a challenging year for the Industrial IoT (IIoT) industry. Hackers know that these companies are now online and more connected than ever, which increases vulnerability. Security is crucial, because a hack could spell life-or-death for consumers. For example, if a car manufacturer’s assembly line was hacked, it could cause vehicle malfunctions, endangering passengers and causing reputational and liability problems for the company. For these reasons, we will start seeing more cyber-security companies targeting this market with solutions. To effectively manage the expected influx in cyber events, IIoT organizations will need to increase spending on cybersecurity initiatives – Shachar Daniel, CEO, Safe-T
It seems as though organizations and cyber criminals are racing each other to use AI to their advantage.
Expect to see more criminals using AI, with ransomware and bank theft attacks using technologies to automate fraud – breaching companies and stealing data. At the same time, large enterprises will use AI to protect against new sophisticated threats, enabling them to increase detection rates and decrease false alarms.
The same technologies that improve corporate defenses will also likely be used to attack them. An AI with all the right information about a target could ultimately trick them into clicking anything or sending out any data desired. Advances in AI and machine learning are a double-edged sword, improving product experience but also useful for hackers and cybercriminals – Gene Stevens, Co-Founder and CTO, ProtectWise
The current talent gap in cybersecurity skillsets is truly massive, and in 2018 it will only widen. In 2017, the U.S. had approximately 350,000 cybersecurity openings, up 74% from 2015’s 209,000 openings. At this rate, the U.S. is on pace to hit a half-million or more unfilled cybersecurity positions by 2021. What is worse is that cybercrime is expected to cost the world $6 trillion by 2021, potentially making the lack of qualified cybersecurity employees the greatest cyber risk of all.
Organizations will begin to look at nontraditional roles, experience and education, based on the right attitude and aptitude, to fill these much-needed cybersecurity positions. Other companies will look to create their own cyber talent through increased internal training.
In 2018, more companies will adopt security-first thinking. To adopt such a culture at your organization, get your people thinking about security with regular awareness campaigns, simulated security attacks with phishing and other attack vectors, and improved record keeping policies to manage and encrypt key organizational data — Erik Brown, CTO, GigaTrust.
As 2017 winds down and we look to the new cybersecurity advancements and challenges we will face in 2018, Bluefin is committed to providing organizations with industry-leading secure payment technology that devalues and protects customer payment data. Learn more about Bluefin’s PCI-validated Point-to-Point Encryption (P2PE) and have a safe and secure 2018.