What will the biggest cybersecurity risk be in 2019? We asked a panel of cybersecurity experts how defenders can best prepare for the coming year.
19 Cybersecurity Pros Reveal the Biggest Cybersecurity Risks for 2019
The cybersecurity risk landscape is constantly evolving, and regulations like GDPR are making it even more crucial for organizations to protect their customers' and users' privacy. By failing to implement adequate security protections, companies risk not only the loss of sensitive data, but damage to their reputations as well as regulatory penalties and fines. From ransomware attacks to insider threats, businesses face threats from every conceivable angle, making comprehensive, fool-proof cybersecurity protection an increasingly difficult feat.
As we look to the start of a new year, it's a great time to examine the cybersecurity risk landscape to prepare your defense for the coming year. To find out what threats are looming largest on the horizon, we reached out to a panel of cybersecurity experts and infosec pros and asked them to answer this question:
"What will the biggest cybersecurity risk be in 2019?"
Meet Our Panel of Cybersecurity Experts and InfoSec Pros:
Read on to find out what cybersecurity risks you should be prepared to face in 2019.
Stephen Pao is a consultant and board advisor to early stage companies.
"The biggest security risk will be..."
A more dangerous variant of an old one, which is AI-powered social engineering. At a small scale, social engineering was always possible without technology. However, we are at unprecedented risk of fraud with bad actors now armed with the ability to now mine — and act on — sophisticated machine learning and artificial intelligence using the vast amounts of both voluntarily submitted data through social media and leaked data through hacks. AI chatbots are being deployed aimed to steal from you, the companies you work for, and the governments where you live.
Jody Paterson is a trusted advisor and security thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a KPMG veteran, and CEO of ERP Maestro – provider of simple, complete, and accurate cybersecurity controls for access risks.
"The biggest cybersecurity risk in 2019 will be internal threats..."
These are threats that come from within the organization and reports that internal threats represent 60% of cybersecurity attacks. Moreover, internal security risks, while not as publicized, are even more damaging for an organization's viability than external risks. Internal threats can go undetected for years as it's difficult to distinguish who should have privileged access and employees could easily cover up their actions. The potential consequences from an insider attack are vast, including a loss of sensitive data and financial assets, not to mention the damage to a company's reputation and the cost to remediate the breach.
Keri Lindenmuth is the marketing manager at KDG. For over 17 years, KDG has been helping businesses improve their processes, their customer experience, and their growth.
"In 2019, the biggest cybersecurity risk will continue to be a business's employees themselves..."
Over 90% of data breaches and cyber attacks aren't caused by hackers an ocean away, but by an employee who accidentally opened a spam email or sent their password over unencrypted email or submitted data to an unencrypted website. Businesses must invest more time and money into training employees on the data dangers they all face. Only when employees are educated can they take steps to avoid little mistakes that turn into big cyber issues.
Cody Cornell is the CEO of Swimlane. Swimlane specializes in security orchestration, automation and response (SOAR), a platform that empowers organizations to manage, respond to and neutralize cyber threats with the adaptability, efficiency and speed necessary to combat today’s rapidly evolving cyber threats.
"Right now, organizations are rapidly adopting some of..."
The newest infrastructure advancements, such as serverless computing, containerization and data streams to deploy new services and capabilities to their customers. While this can be great from a rapid development and capabilities perspective, security and threat detection on these platforms is not as well established and understood. Because of that, organizations can be left with some significant security blind spots.
It’s likely that most teams deploying these new technologies are not as up to speed on how to harden those environments, how to monitor them or how to respond if something bad does happen. Potentially, the teams deploying these capabilities may not even be collaborating with their security teams in the deployment of new infrastructure since they are DevOps driven. The blind spots that come with the lack of security maturity in these areas have the potential to lead to major security risks in 2019.
Sean McGrath is a cybersecurity expert at BestVPN.com.
"To call out a single cybersecurity risk and claim it is ‘the one to watch’ is a false dichotomy..."
The threats remain largely the same, year in, year out. Ransomware, phishing attacks and malware… the usual stuff.
What is changing, and will become only more apparent in 2019, is the size of the attack surface and the velocity of the attacks themselves. The Internet of Things felt like a neat buzzword a few years ago, but literally every facet of our lives is now online. From the cars we drive and the planes we fly to the critical infrastructure we rely on for our energy, water and safety – everything has an IP address. If it’s online, it is susceptible to attack and the larger the attack surface, the greater the real-world consequences will be when things do go wrong.
While this might sound like a problem for governments and businesses to focus on, the reality is that any major threat to critical infrastructure will be powered by the devices in our homes.
Hackers are exploiting the woefully inadequate security on smart home devices to build powerful botnets, capable of delivering devastating DDoS attacks. Again, this is something we’re only likely to see more of. As use of the Internet continues to balloon at an exponential rate, we will see both the number of attacks and the fallout caused by them grow in severity.
A New York native, Victor graduated Western New England College with a focus in computer information systems and business administration. As the CEO at Proven Data, Victor utilizes his 15 years of industry experience and expertise.
"The biggest cybersecurity risk in 2019 will be at the intersection of social engineering and AI..."
Traditionally, social engineering focuses on the less-technical approach to data breaches by preying on the weaker human element in business organizations (phishing and business email compromise). With the introduction of more AI based attacks that target vulnerable areas in data systems, this could become the new standard for advanced hackers. If AI and social engineering continue a unifying strategy, even the most modern and hardened digital security defenses will have a difficult time preventing these attacks.
Our team just recently attended the Infosecurity 2018 North America conference at the Javits Center in New York City where there was buzz around AI and social engineering. Software companies are attempting to resolve this issue by developing software that can detect and deter such behavior on computer systems. However, if used in combination with social engineering, hackers can find the exposed security gaps and execute attacks. Because social engineering creates a deceitful advantage for hackers, and AI focuses on the technical weakness of a business, used in conjunction these forces will result in disastrous breaches for businesses around the world.
Idan Udi Edry
Idan Udi Edry is the CEO of Trustifi, a software-as-a-service company offering a patented postmarked email system that encrypts and tracks emails.
"When consumers think of cybersecurity..."
They often think of their credit card information on apps and websites, but what often doesn't come to mind is email security. This past year there have been multitudes of data compromises all due to the theft of consumers PII, otherwise known as your online identity. In 2019 this will continue to be one of the biggest risks for businesses and consumers.
Outside of social media, email security is one of the top ways we communicate online. A consumers' email address is their online ID. Think of the information people send over via email: address, bank information, health information and documents, legal information, etc. Tracking and postmarking electronic communication is a great way to secure your emails to make sure they are going where they should-and to whom they should.
At the very least, make sure you're sending a secure email by encrypting your attachments. Consider the types of attachments commonly sent over email: legal records, driver's licenses, W4 forms, real estate records, corporate financial records, credit card information, addresses, health records, social security numbers, etc. These sensitive pieces of data and information are exactly what hackers target.
Austin Norby is a Computer Scientist at Blue Star Software.
"The biggest cybersecurity risk in 2019 will be..."
Regarding embedded devices, namely the smart devices and gadgets that are growing into mainstream popularity. Most of these devices run a Linux kernel and have a few user applications installed to facilitate our use with them and their ability to connect back to the company's infrastructure. These devices are definitely not secure and many instances of default or even hard-coded passwords have been found in other embedded devices over the years. Lastly, collecting and processing consumer data has greatly risen in practicality over the past few years as a result of a hyper-connected internet and increased use of Artificial Intelligence (AI) and Machine Learning (ML) algorithms for businesses. The increase in smart devices' popularity combined with the stagnation of security practices for smart devices and companies' desire to capture user details will definitely lead to embedded (smart) devices being the highest cybersecurity risk for 2019.
Shane MacDougall is the Senior Security Engineer at Mosaic451. Mosaic451 is a managed cyber security service provider (MSSP) and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.
"The biggest cybersecurity risk for 2019 will be social engineering..."
As we continue to build defense in depth and deploy security appliances utilizing AI and other emerging technologies, attackers will continue to pivot to the perennial weak spot: the users. Recently I hosted the Social Engineering Capture The Flag competition at Hackfest in Quebec, and similar to last year, the results were sobering. Every single targeted company had employees that gave detailed information over the phone on their OS and service pack level, and 88 percent gave detailed information on the browser they were using. Three quarters went to a URL that they were given over the phone. The information that the companies bled was disheartening but not shocking. Until we train employees to trust their instincts and tell them it's okay to say no to a customer, things won't change. In the current environment where companies ask their customers to leave a positive review online, employees increasingly feel less empowered to terminate a call they feel is suspicious. Your friendly neighborhood hacker is happy to exploit this weakness.
Brandon is founder of Tiger Mobiles and has a keen interest in cyber security, specifically around mobile devices and smartphones. He frequently writes about mobile phone scams and how users can protect their devices.
"The most significant cybersecurity risk or threat I foresee in 2019 is..."
Cryptocurrency hijacking and crypto jacking.
This risk takes three primary forms:
Unwanted crypto mining or crypto jacking
Crypto jacking is the process by which users’ computers (or the websites they visit) are used to mine cryptocurrencies using a hidden code, for the benefit of other parties. For the uninitiated, mining is the process by which new digital currency is created. Mining uses a computer’s processing power to solve increasingly tricky cryptographic puzzles. The more puzzles a miner can solve, the higher the rewards. So tapping into other peoples computing power makes perfect sense to those looking to exploit the system.
With cryptocurrency all over the mainstream media, many people have found themselves investing in the crypto market. As a result, you are more likely to be targeted by cyber attackers if you're known to hold cryptocurrency. A smart way of doing this is via SIM hijacking or a port-out scam.
Crypto-ransomware is a malicious malware type program that encrypts files stored on a computer or mobile device to extort money. The program 'scrambles' files, so that they're unreadable to the user. To restore it for normal use, a decryption key is needed to unencrypt the file.
With all those three threats on the rise, it's essential organizations have a ransomware recovery plan in place, but first and foremost they need the right tools to detect and contain attacks before they happen.
Dr. Zahid Anwar
Zahid Anwar is a cybersecurity expert and faculty member at Fontbonne University. His research interests include cyber threat intelligence and the security of the Internet of Things. He specializes in data-driven as well as formal analytics of cybersecurity data has a number of scholarly articles and publications to his name in this field.
"The biggest cyber-security threat in 2019 will be..."
Data breaches, particularly to financial services. Phishing attacks—a type of social engineering that exploits the human nature of trust and has no reliable defense thus far—will be the primary mechanism employed. We will see these get extremely targeted both at the organizational and at the individual level. Moreover, we will see phishing attacks being used in conjunction with sophisticated malware such as ransomware and bots especially ones that target personal devices.
Cindy Murphy is the President of Gillware Digital Forensics, a data recovery company and digital forensics lab.
"We negotiate several ransomware and cyberattacks weekly as a digital forensics and incident response firm..."
Businesses are forced to make exceedingly difficult decisions. On one hand, it feels wrong to negotiate with the cybercriminals and give them what they want. On the other hand, the looming financial hit and business interruption is typically far more detrimental than the payoff amount. If business owners don’t engage with the ransomers, they face the prospect that they, and their employees, may lose their livelihood. I see ransomware as a continuing cyber threat in 2019 and beyond. It’s up to business owners to implement the best security practices and ensure that their employees are properly trained to identify and avoid potential threats.
Ian McClarty holds an MBA from Thunderbird School of Global Management. He has over 20 years of executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Solutions.
"This threat has been increasing in popularity over the last few years, and in 2019, it will continue to grow in size and scope..."
As a form of extortion, ransomware takes over a computer or a network of computers and leaves its users locked out unless they (usually) pay large sums of money to regain functionality. The payments requested typically involve the use of cryptocurrency. It is important to note, that due to the way cryptocurrency works by implementing anonymity, that it makes it virtually untraceable.
Ransomware is also reasonably easy to use which is another benefit and reason why cybercriminals are using it more often.
These are the two primary reasons why ransomware will become the biggest threat to companies in 2019.
Adam Stern, founder and CEO of Infinitely Virtual, is an entrepreneur who saw the value of cloud computing a decade ago. Stern’s company helps businesses move from obsolete hardware investments to an IaaS cloud platform, providing them the flexibility and scalability to transition select data operations from in-house to the cloud. Stern is a member of the Forbes Technology Council.
"For small and midsize businesses, the major, looming cybersecurity risk in 2019 is their intrinsic vulnerability..."
For SMBs, external threats may be less pernicious than the simple fact that significant risks may continue to elude their awareness or ability to respond. Consider one recent development:
In May, the FBI issued an advisory recommending that users reboot their routers to thwart a Russia-linked malware infection responsible for compromising half a million devices. Cisco's Talos threat intelligence team revealed the existence of the sophisticated malware – known as VPNFilter – that infected some 500,000 devices across at least 54 countries, affecting products made by Linksys, MikroTik, NETGEAR, TP-Link and QNAP.
On June 6, Talos updated its findings to show that VPNFilter has more capabilities than initially reported and has compromised more routers in small businesses and home offices. Among the additional home network vendors targeted: ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. According to Talos, the malware can intercept network traffic and inject malicious code into it without the user's knowledge.
VPNFilter is capable of collecting information, blocking network traffic or disabling the infected device completely and rendering it unusable. The latter destructive capability can be triggered on individual infected machines or en masse to cut off internet access for hundreds of thousands of victims. VPNFilter, which effectively turns the firewall against the user, is a silent killer. It was repurposed expressly to attack these devices. Both of these ought to be wakeup calls to small business owners. Without the early warning systems to monitor and log traffic, the days of having a server and feeling secure may be over in 2019.
For SMBs, the perils of shortchanging security are clear. As in the case of VPNFilter, the firewall is supposed to be hardened against these kinds of threats, but how do you protect the network when your shield is vulnerable? Vigilance must be heeded. Given that hacks can be toxic, doing anything less is capitulation.
Nir Gaist is an expert on cyberattacks and information security. He is founder and chief technology officer of cybersecurity company Nyotron. He was 17 years old when he began to develop Nyotron’s PARANOID, a OS-Centric Positive Security solution for strengthening endpoint protection.
"The rise of adversarial artificial intelligence (AI)..."
AI and Machine Learning (ML) have been the “silver bullets” of the security industry for the past few years. Malicious actors are taking note. For instance, just like security vendors can train their ML models on malware samples to detect them, malware writers can “train” or tune their malware to avoid detection using the same exact algorithms. Attackers can also poison the data that ML models use in training. Because algorithms need massive amounts of data to work, it can be difficult to weed out efforts to poison your learning set with false information. This type of AI weaponization was demonstrated by IBM scientists in a proof-of-concept of a highly targeted and evasive attack tool powered by AI earlier this year. We believe a significant attack or strain of malware will leverage AI in 2019.
Avani Desai is the President of Schellman & Company, Inc., a global independent security and privacy compliance assessor.
"I believe the biggest risk will be the lack of talent that..."
Understands, and is educated on, technology. We are currently in an environment that most business groups, such as HR, Compliance, Legal, need to also be technologists or at least understand technology and how to mitigate risk. If we do not have the talent force to safeguard our data in technology such as IoT, blockchain, artificial intelligence, machine learning, and other emerging technologies, we are going to see a risk of breaches and loss of data. Technology is outpacing current regulations and compliance frameworks, so we need to make sure developers and manufactures that the onus on themselves for the good of the consumer.
Allan N. Buxton is the Lead Forensic Examiner of Secure Forensics. Allan is a key component to what makes Secure Forensics an industry leader in the computer forensic and cyber security sector. Over his 17+ years of experience, Allan has logged nearly 600 hours of training in computer and mobile forensic software and techniques. He started working in the Ohio Attorney General’s office in 2002, and has had 16 years of courtroom testimony experience since then.
"The biggest cybersecurity risk in 2019 will remain the same risk as years prior..."
Users and their passwords. Although weak passwords benefit no one, enforced complexity and rotation rules drive a hatred of the password that still compels users to cheerfully hand them over to an outsider for a Snickers (note the different dates in the articles to see just how far back the trend goes). The reuse of passwords across multiple services and sites still plagues both users and providers, as do predictable and easily obtainable answers to password reset and security questions. Alternatives exist, but their limited adoption has slowed any progress to replacing the password and its accoutrements. Devices like Yubico's YubiKey product line or Google's Titan Security Key are tailor made to replace or secure the password (with local 2FA) in both corporate and private roles but remain a niche product at best. Even strong password generators and password managers have a disappointingly low adoption rate. Despite 2 billion Android devices active throughout the world, the three most popular password managers have a mobile user base of 15 million at best. Unless the cybersecurity industry drives some compelling initiatives that actually spark awareness amongst their users, user authentication will remain the most glaring hole in tech for the foreseeable future.
Sean Si is the CEO and Founder of SEO Hacker, Qeryz, Sigil, and Workplays. Sean is a start-up, data analysis and urgency junkie who spends his time inspiring young entrepreneurs through talks and seminars.
"Since 2018 has seen a rise in..."
The cryptocurrency trend, cryptocurrency hijacking, or more commonly known as cryptojacking, has been a major concern for cryptocurrency enthusiasts. Cryptojacking is the process wherein people infect a victim’s computer with a virus that utilizes the victim’s hardware – like processors – to be used for cryptocurrency mining. This enables the attacker to gain financial benefit passively while drastically slowing down your computer’s performance.
Additionally, just this 2018, there has been a drastic rise in crimes related to cryptocurrency since cryptojacking can produce much more money than other cybersecurity attacks such as ransomware. 2019 will not be different, and the cases of cryptojacking can even increase since more and more people are upgrading their PCs for different reasons – gaming, streaming, etc.
Laura Lee leads multi-disciplined teams in the development of new capabilities for cybersecurity training and assessment. She shares her cyber expertise with our artificial intelligence advisors in order to build in-game avatars that help instruct players.
"Supply chain cyber risk will be one of the biggest issues in 2019 and..."
Will require a coordinated effort to address. Risks from third party service providers with physical or virtual access to information systems, poor information security practices, compromised software or hardware components, are only a few of the vulnerabilities that stem from this issue. Since breaches tend to be less about technology and more about human error, IT security systems won’t secure critical information unless employees throughout the supply chain use secure cyber practices.
Compass image via the Marco Verch's Flickr photostream, Creative Commons 2.0