Just as WannaCry and NotPetya were the top IT security challenges of 2017, the discovery of the Meltdown and Spectre microprocessor vulnerabilities, and several similar vulnerabilities in the months that followed, were probably the single most challenging developments for enterprise IT security teams in 2018.
As enterprise teams raced to patch their systems, they faced incompatible patches that led to crashes, reduced performance and lock-ups. And months after the bugs were disclosed, security experts are still divided over their significance, with some saying they opened up a dangerous new avenue of attacks, while others believe Meltdown and Spectre are not nearly as threatening as other recent bugs.
Otherwise, IT security news was dominated by the growing number of potential cyber threats to the enterprise and the resultant challenges facing IT security teams. A common theme throughout was that any organisation that has any online presence should consider itself a potential target for cyber attack, regardless of its size and industry sector, underlining the importance of IT security for the vast majority of organisations and businesses.
The top challenges for IT security teams highlighted during 2018 include ransomware, illicit cryptocurrency mining, fileless malware, cross-operating system attacks, hardware vulnerabilities – including Spectre and Meltdown – and vulnerabilities in internet-connected devices making up the internet of things (IoT), as well as other emerging technologies enabling digital transformation such as machine learning and artificial intelligence (AI).
But a recurrent theme in 2018, as in previous years, was that many organisations are still failing to get the basics right when it comes to cyber security. This was shown to be true with report after report linking cyber breaches to basic security failings or oversights. Allied to this, industry experts throughout the year pointed to the fact that organisations are failing to learn the lessons from past attacks to identify weaknesses and improve cyber defences.
One of the key goals for IT security teams identified through the year is to have visibility of where data lives and moves, and who has access to it, as well as ensuring that their organisations are cyber resilient, in the sense that they are able to recover normal business operations after any information security incident.
Other industry reports underlined the importance of cyber resilience as well as adopting a more proactive approach to security, with a growing number of information security suppliers providing the opportunity for IT security teams to switch to an intelligence-led approach to capitalise on the insights gained from all the security-related systems deployed throughout the enterprise.
Artificial intelligence in the context of cyber security has received a lot of attention in the past year, and while there are clear cases where AI technologies can help organisations to improve their cyber security capabilities, security experts have consistently warned that AI is not the answer to all information security threats, with some urging businesses not to put too much faith in using AI, but to focus instead on educating users on cyber hygiene and managing risks.
While AI was among the most discussed technologies in relation to cyber security, the zero trust model was among the most discussed approaches to security as an alternative to the traditional approach to address many of the new and emerging challenges. Supporters of the zero trust approach claim it is finally gaining traction because of the development of enabling technologies and the business benefits that appeal to business leaders. However, experts say IT security teams should be wary of marketing hype and focus instead on security architecture best practices to realise the benefits of the zero trust model.
Once the microprocessor exploits dubbed Meltdown and Spectre were made public in January 2018, security experts warned that malicious actors would be quick to incorporate them into their cyber attack arsenals, and advised IT security teams there was no time for enterprises to delay taking action. However, when patches were made available, IT security teams faced several challenges, with some patches proving to be problematic, leading to crashes, reduced performance and lock-ups.
Months later, however, security experts are divided over the significance of Meltdown and Spectre, with some arguing that the flaws opened up a dangerous new avenue of attacks, while others say the flaws were over-hyped, noting that there is no evidence that the flaws have been exploited successfully in the wild.
In July, we reported that IT security professionals were more worried about data breaches and cyber attacks than they were in 2017, with most fearing that Meltdown-Spectre attacks were becoming the norm.
The top concerns among IT security professionals, a report revealed, were system compromises and ransomware, closely followed by distributed denial of service (DDoS) attacks, financial theft and attacks on intellectual property. The report underlined the importance of IT security teams getting to grips with all the potential threats against their organisations and taking steps to mitigate the impact on the business of the top threats.
The top cyber threats facing IT security teams, according to Europol, include ransomware, mobile malware, illicit cryptomining and exploitation of vulnerabilities in internet-connected devices (IoT).
IT security teams need to assess their vulnerability to these threats and take action to mitigate them. The number of internet-accessible industrial control systems is increasing every year, researchers warned, highlighting throughout the year the importance of IoT security in industrial environments.
In July, we reported that UK firms were too confident about cyber security, with three-quarters of UK companies saying their cyber protection was above average, and nearly half saying they were a “top performer”, despite the growth in data breaches. However, only 36% of organisations said they were carrying out regular cyber security risk assessments, and according to analytics firm FICO, data shows that most firms are not above average.
Corroborating this view, cyber security veteran Ed Tucker said most security teams were generally blissfully unaware or ignorant of the inefficiencies of their security controls. The reason so many organisations suffer breaches, said Tucker, is simply down to a failure in doing the very basics of security.
In addition to not getting the basics right, businesses are still not learning from past security incidents, according to world-renowned security blogger and trainer Troy Hunt, citing as an example the BrowseAloud compromise that hit thousands of government websites and organisations in the UK and around the world. Despite the fact this had a fairly significant impact, many organisations have not learned the lesson, and 97.5% of the world’s top one million websites have not applied the free and simple fix that is available.
Speaking to Computer Weekly in October, McAfee head of cyber investigations John Fokker said organisations should use every cyber attack as an opportunity to learn, identify weaknesses and improve security posture.
Although the financial sector is often held up as being the most progressive in terms of IT security, we reported that UK financial sector IT security teams are facing immense challenges that are undermining business opportunities and continuity in financial services. In fact, two-thirds of UK information security practitioners admitted to cyber security practices in their organisation that would “shock outsiders”, according to a survey, which indicated that IT security professionals in financial services firms are losing the battle to keep vital data safe against a rising tide of cyber threats, with 90% of respondents stating they have to make compromises which could leave other areas exposed.
A key challenge to IT security teams, and by implication their colleagues in other sectors, is that as industries continue to digitise, too great a focus is placed on protecting the more visible consumer services, such as customer websites, potentially leaving exploitable holes surrounding internal systems and data.
In December, we reported that the rush to embrace innovative technologies was creating new attack surfaces through cloud, internet-connected devices (internet of things), mobile, blockchain, machine learning and artificial intelligence.
A narrow gap between CEO, CIO and CISO roles means no single executive function is stepping up to take responsibility for cyber security, and this lack of cohesion at the top means organisations are struggling to secure their most important digital assets, we reported in November.
Earlier in the year, we reported on another study that found that there is a critical disconnect between the cyber security behaviour that top executives recommend and the way they behave themselves, while many firms do not know where their data lives and moves. Analysts said the findings indicated that the time has come for the enterprise to make itself resilient and for IT, security and business leaders to arm themselves with facts about how the emotional forces that drive employee work styles affect data security policy.
In the light of the convergence of threats and technologies and an increasingly complex regulatory environment, we reported in October that McAfee chief Chris Young believes there is a need to implement new cyber security protections. It is time for IT security teams to speed up their ability to implement new methods of protection, to unify threat defence and data protection in new ways, to reap the benefits of every connected sensor, and to eliminate the silos that inhibit their ability to manage and change security controls in response to a changing operating environment.
In line with McAfee’s advocacy of intelligence or insight-led security, 451 Research claimed that the cyber security market had reached an inflection point and organisations needed to shift their strategies to a new, proactive approach to security. Opting to “monitor and respond” at the expense of “prepare and protect” was a poor strategy from the standpoint of security performance and cost, the report said, especially where the cost of containment and response could far exceed the investment in resilience.
Cyber security risks are growing in complexity and volume, but in our feature on artificial intelligence techniques in cyber security, we explored how AI can help businesses track and fight cyber risks in real time. AI is emerging as one of the front-runner technologies in the battle against cyber attacks, enabling organisations to automate defences against common attacks and make sense of huge volumes of security intelligence data to identify the risks that need the attention of human analysts.
However, the feature warned that AI may pose some challenges of its own, and may even be used by attackers to augment and automate their capabilities too. While AI appears to be starting to become a prevalent force in the cyber security industry, experts warn that businesses need to be mindful that AI is still relatively nascent and that for the foreseeable future, AI is no silver bullet for cyber security. Businesses are advised to manage the risks of adopting new technologies and improve their cyber hygiene, rather than see artificial intelligence as a panacea for their security woes.
Traditional approaches to security are failing because enterprises continue to be breached despite spending billions of dollars a year on security technologies, and for this reason, the zero-trust model of security is finally gaining traction as security professionals tap into new tools and executive buy-in to support this approach in an effort to improve security posture and practices.
Advocates of this approach say there is growing evidence that organisations can no longer rely on endpoint security and firewalls, which is where zero-trust security comes into play because it assumes that untrusted actors exist both inside and outside the corporate network and every user access request has to be authorised.
But analysts warn that although the zero-trust security model is a business enabler, it is not an off-the-shelf product, but an approach to security that needs to be supported by a strategy and security architecture. According to KuppingerCole analyst Paul Simmonds, IT security teams should be wary of marketing hype and claims that security products are based on the zero-trust security model and should select products with care.