Equifax, WannaCry, Russian hacking: there were weeks when 2017 felt like a cybersecurity Twilight Zone.
A lot of people are justifiably nervous about what might be in store for us next year. The near-total meshing of commerce and the internet creates new opportunities for criminals all the time, and we’re seeing trends in cybercrime right now that could make 2018 a bumpy ride for the ill-prepared.
Are we headed for a cybersecurity storm in 2018, or are we just entering an adjustment phase as we get to grips with the realities of the online world and learn to be better prepared?
It’s hard to overstate the significance of the EU’s new GDPR regime, which applies from May 25, 2018.
Under the ‘General Data Protection Regulation’ - GDPR - any company established in the EU, or offering goods or services to people in the EU, will have to comply with a strict set of data-protection obligations, including security of processing and mandatory breach notification, or risk having heavy fines levied against it.
The new GDPR regime will mean that data breaches like Equifax attract penalties scaled to the seriousness of the incident, including the number of people affected, and the rules stipulate fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher. GDPR is expected to change the culture around cybersecurity radically. The intention of the system is to create greater transparency around data breaches and security management, but the transition will be anything but smooth.
Expert commentators are warning that the majority of CxOs will not be adequately prepared when the GDPR comes into effect, so the regime may end up being very costly for ill-prepared companies.
In a recent interview GDPR lawyer Sue Foster said:
“The definition of personal data under the GDPR is very, very broad. So, effectively, anything that I am saying that a device picks up is my personal data, as well as data about me. So, if you think about a device that knows my shopping habits that I can speak to and I can order things, everything that the device hears is effectively my personal data under the European rules. And Internet of Things vendors do seem to be lagging behind in Privacy by Design. I suspect we’re going to see investigations and fines in this area early on, when the GDPR starts being enforced in May, 2018. And now, we have fines for breaches that range from 2% to 4% of a group’s global turnover. It’s an area that is ripe for enforcement activity, and I think it may be a surprise to quite a few companies in this space.”
GDPR will probably be good news for the average internet user - at least in the longer term - because it creates a much stronger incentive for corporations to be careful with their customers’ data, but for business leaders it poses a serious challenge. Better security is the way forward, but for a lot of companies achieving GDPR compliance by May 25, 2018 will require an intense effort.
IoT Exploits are a Growing Problem
It’s becoming apparent that the explosive growth of home automation and IoT devices is turning into a bonanza for cybercriminals.
This CNBC video highlights some of the more troubling issues emerging around IoT:
‘Botnet kits’ that allow hackers to seize control of IoT devices are widely available on the dark web, and the alarming thing about IoT hacking is that a compromised device is not just a victim in itself but also an entry point to the Wi-Fi network it connects to. Once inside that network, criminals can introduce malware, worms and spyware that infect multiple devices without the user’s knowledge.
Andromeda (also known as Gamarue or Wauchos) is one of the most widely distributed botnet kits; it targets Windows PCs rather than IoT devices, but the business model is the same, and based on its download numbers it was estimated to be compromising more than a million machines every month. And here’s a cheery bit of news: nobody really knows yet what the criminals who control these botnets are planning to do with them.
IoT hacking is such a new phenomenon that it’s still barely understood by regulatory bodies and enforcement agencies. Putting a botnet together requires a significant investment of time and money, so whatever the cybercriminals are planning to do with them, they must be expecting it to be profitable. The obvious applications for IoT botnets are DDoS attacks and scam email spamming, and we are likely to see a sharp spike in both in 2018, driven by the firepower that IoT botnets give to hackers.
Email Scams Will Break Records
It’s not surprising that email fraud is a growth industry, but most people are unaware that over 90% of cyber-attacks are estimated to begin with a malicious email.
The Federal Bureau of Investigation (FBI) recently issued a report showing that the financial damage from email scams is growing steeply year on year. Reported losses from business email compromise scams totalled US$1.2 billion from October 2013 to August 2015, but it isn’t so much the total dollar amount as the rate of growth that’s alarming. Email-based fraud is expected to keep growing unabated next year and, extrapolating from FBI statistics for 2016, industry analysts project the global cost to exceed US$9 billion over the next 12 months.
The difficulty with email is its ubiquity. Despite the emergence of so many other communication channels on the internet, people still use email for all the key communication of daily business with banks, employees, utility providers, etc.
Email is relatively easy to abuse with a combination of forgery and social engineering: the display name and From address of a message can be set to anything the sender likes, and a convincing pretext does the rest. The trade in hacking software and compromised personal data on the dark web is driving a cybercrime boom in the underworld. Criminals can easily get the software and intel they need with a few clicks, and they know that if they send out enough spam there will always be a few people unwary enough to take the bait.
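The forgery described above is what sender-authentication checks exist to catch. The following is an added example, not MailGuard’s code or a product feature: it parses a raw message with Python’s standard library, reads the receiving server’s Authentication-Results header, and applies the DMARC idea of alignment (the domain in the visible From header must be the domain that actually passed SPF or DKIM), alongside two business-email-compromise tells, a trusted display name on an outside address and a Reply-To pointing elsewhere. The messages, the domains and the protected names are constructed for the example.

```python
"""Triage inbound mail for sender forgery (added example, not MailGuard's code)."""
import email
import re
from email.utils import parseaddr

# Hypothetical configuration: domains this organisation sends from, and the
# display names attackers like to impersonate.
OUR_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe", "finance team"}


def org_domain(domain):
    """Crude organisational domain: keep the last two labels.
    Fine for example.com / mail.example.com; a real implementation
    would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(header):
    """Return {method: (result, domain)} from an Authentication-Results header,
    e.g. 'mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=fail header.d=evil.example'."""
    found = {}
    if not header:
        return found
    for clause in header.split(";")[1:]:        # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause, re.I)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]*@)?([\w.-]+)",
                        clause, re.I)
        found[m.group(1).lower()] = (m.group(2).lower(), dom.group(1).lower() if dom else "")
    return found


def assess(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(addr.split("@")[-1]) if "@" in addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    # DMARC-style alignment: SPF or DKIM must pass for the From domain itself.
    aligned = any(res == "pass" and org_domain(dom) == from_dom
                  for res, dom in auth.values())
    if from_dom in OUR_DOMAINS and not aligned:
        findings.append(f"From claims {from_dom} but no aligned SPF/DKIM pass")

    # Display-name impersonation: a trusted name paired with an outside address.
    if display.strip().lower() in PROTECTED_NAMES and from_dom not in OUR_DOMAINS:
        findings.append(f"display name '{display}' used with external domain {from_dom}")

    # A Reply-To that diverts replies away from the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and "@" in reply and org_domain(reply.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To {reply} does not match From domain {from_dom}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Q4 numbers

Attached.
"""

SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: Urgent wire transfer

Please pay the attached invoice today.
"""

LOOKALIKE = """\
From: "Jane Doe" <jane.doe@example-payments.net>
Reply-To: accounts@mailbox.example
To: bob@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-payments.net; dkim=pass header.d=example-payments.net
Subject: Updated bank details

Our account details have changed, see below.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED), ("LOOKALIKE", LOOKALIKE)):
        print(name, assess(raw) or "clean")
```

Note that the lookalike message passes SPF and DKIM cleanly: authentication proves the attacker controls example-payments.net, not that the mail came from Jane. That is why the display-name and Reply-To checks sit beside the alignment check rather than replacing it.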
For a clearer picture of how devastating email fraud can be, read this sobering article by MailGuard CEO Craig McDonald: Business Owners Hunted.
There was a time not so long ago when cybersecurity was regarded as the domain of governments and big corporations, but we’re entering a new era. Every business is under threat, because we’re dealing with cybercrime that targets machines indirectly, through the inboxes of the people who use them.
More Devices = More Crime?
It’s not too hard to see the connection between the explosive growth in technology and cybercrime. Everyday life is increasingly dependent on tech - it’s in our phones, cars, thermostats, and televisions.
More digital devices means more opportunities for hacking. The way cybercriminals use botnets to power their email scam mailouts means there’s a direct connection between how far digital devices permeate our infrastructure and the level of cybercrime. Hackers infiltrate networks via poorly secured IoT devices, implant botnet malware and then covertly use these compromised machines to send out their phishing emails en masse.
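A device drafted into a spam botnet gives itself away on the network long before anyone reads the phishing it sends: a camera or thermostat has no business opening SMTP connections. The script below is an added example, not MailGuard’s code, that reads connection records (the flow lines are constructed here in the form timestamp, source, destination, destination port) and flags any internal host that talks to many distinct port-25 destinations inside a short window. The allow-listed relay address, the internal range, the window and the threshold are assumptions for the example.

```python
"""Flag LAN hosts that start behaving like spam relays (added example, not MailGuard's code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

MAIL_RELAYS = {"10.0.0.25"}                 # hypothetical: hosts allowed to send SMTP
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # hypothetical internal range
WINDOW = timedelta(minutes=5)
MAX_DESTS = 20                              # distinct SMTP destinations per window


def parse_flows(text):
    """Parse 'ISO-timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def suspected_relays(flows, window=WINDOW, max_dests=MAX_DESTS):
    """Return {src: peak distinct SMTP destinations seen in any window}
    for internal, non-relay sources whose peak exceeds max_dests."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport != 25 or src in MAIL_RELAYS:
            continue
        if ipaddress.ip_address(src) not in INTERNAL:
            continue
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        counts = Counter()          # distinct destinations currently in the window
        start = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window: drop events older than `window` before this one.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_dests:
            alerts[src] = peak
    return alerts


def _constructed_flows():
    """Build sample flow records; every address and timing here is made up."""
    base = datetime(2018, 1, 15, 9, 0, 0)
    lines = []
    # The real mail relay sends a lot of SMTP, but it is allow-listed.
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.25 203.0.113.{i + 1} 25")
    # A laptop: some web traffic plus three SMTP submissions to its provider.
    lines.append(f"{(base + timedelta(seconds=60)).isoformat()} 10.0.1.5 203.0.113.200 443")
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=70 + i)).isoformat()} 10.0.1.5 203.0.113.{50 + i} 25")
    # A host that mails 25 different destinations, but one per hour: below any window.
    for i in range(25):
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} 10.0.2.9 198.51.100.{100 + i} 25")
    # A compromised IP camera: 30 distinct mail servers inside ninety seconds.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=300 + 3 * i)).isoformat()} 10.0.3.7 198.51.100.{i + 1} 25")
    return "\n".join(lines)


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for src, peak in suspected_relays(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {peak} distinct SMTP destinations within {WINDOW}")
```

The sliding window is what separates a botnet mailout from ordinary use: the slow host that mails one destination an hour never trips the rule, while the camera’s burst does. Lowering the threshold would also catch the laptop, so the value has to be tuned against what legitimate endpoints on the network actually do; better still, block outbound port 25 from everything except the relay and alert on the attempts.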
2017 might prove to be the most cybercrime-intensive year to date, but with the GDPR coming in it might also be a turning point for positive cybersecurity action. There’s a lot of speculation that GDPR may be the catalyst for similar regulations being introduced in other countries. Australia’s Notifiable Data Breaches (NDB) scheme starts in February 2018, and the US Congress is moving closer to cybersecurity legislation.
Business leaders who optimise their cybersecurity preparedness now are going to be ahead of the curve as the world economy enters this new era. With exponential growth in cybercrime and an unprecedented level of security regulation, no organisation can afford to ignore this challenge.
We may be entering the cybercrime twilight zone, or we may be seeing the dawn of a more secure internet; either way, big changes are coming in 2018 and the pace is going to be brisk.