2019 trends: Security limited to the perimeter offers minimal safety
Homeowners go to great lengths to protect their property from intruders: home alarms, lock boxes, the residential Rottweiler.
The "protect the perimeter" mindset doesn't differ much for businesses, but sometimes their best efforts fall short and consumers, the victims of security incidents, are rightfully upset.
Facebook, GDPR and Marriott contributed to the conversation around privacy last year. But for many companies, high-profile failures to maintain proper security has led to emboldened strategies. And as more companies declare data as a company's most valuable asset, increased security initiatives closely follow.
Here are what companies should keep a careful eye on this year in cybersecurity:
Cybercriminals are partnering up
Malicious actors are fairly bold, but their confidence knows no bounds. Companies can expect cybercriminals to openly discuss partnerships and collaborations on the dark web.
The underground network of bad actors is consolidating, which means "stronger malware as a service families," or criminal groups, will collaborate, according to McAfee.
The largest families attract the families of lesser capabilities, so the smaller ones will begin to die off. This is "more of a fundamental shift in the way things are evolving," said Raj Samani, chief scientist and McAfee fellow for the company's advanced threat research, in an interview with CIO Dive.
The larger families know this and advertise their abilities or services. They won't do everything needed to carry out an attack. Instead they'll offer components and find a partner to finish the attack. They collaborate openly on forums because cybercriminals think it's a "no-risk enterprise," said Samani.
"These partnerships are making it easier for people to get into crime, but compounded by the fact they don't think there's any risk to them," he said.
Transitioning to Zero Trust security
Zero Trust and blockchain were the top two researched security terms for 2018, according to IDG. CISOs are now saying "that's a viable strategy, my company's working on it," said Andy Smith, VP of product marketing at Centrify, in an interview with CIO Dive.
Zero Trust addresses lateral threat movement. Companies that operate using Zero Trust don't assume everything in their network can be trusted. It's outdated to protect assets solely from what's outside of the network.
"One of the challenges [Zero Trust] has is a full understanding," according to Smith, because Zero Trust begins with changing how a company thinks. Enforcing access control, securing accessibility based on users and improving authentication solutions all contribute to effective Zero Trust security.
Companies are living in a "breach culture," making the case for Zero Trust easier than ever, said Smith. It makes it easier for leadership to go to the board and justify further security investments.
Misinformation campaigns will spread like wildfires
Campaigns carried out by malicious actors make employees vulnerable, test IT teams resources and damage brands.
"Reputation is a valid asset," said Samani, and now companies have to consider the impacts of an engineered misinformation campaign. "We've already seen reputation being held hostage."
The rise of botnet accounts has successfully shaped narratives and influenced consumers. McAfee tracked a bot account with less than 300 followers that started a harassment campaign against an organization. Within a month, the account racked up another 1,500 followers.
Unlike malware or breaches, where there are "no quantifiable metrics to determine the cost" or how long it takes to feel the aftermath, the impact of misinformation campaigns can manifest immediately in customer boycotts.
Executives who have a social media presence have to be more aware of account safety. "It's kind of like the ultimate shadow IT story," said Samani.
Automate or bust
As automation begins to work itself into cybersecurity, companies become less burdened with cyberthreats. Intelligent systems will be able to more effectively adjust for attacks as they learn from user behavior.
But the "beauty of it" is that "we'll basically never know about it," said Brad Shewmake, director of corporate communications at Centrify, in an interview with CIO Dive. Cyberthreats "will be a nonevent."
More security vendors, in fields such as identity management or cloud security, are incorporating artificial intelligence and machine learning into their services.
Now companies have to scrutinize the vendor selection process. "Don't invest in a vendor that hasn't even gotten started [in automation] yet, because they're behind the eight ball," said Shewmake.
Look for threats in the supply chain
The supply chain exposes companies to their weakest link in cybersecurity. Malicious actors don't discriminate based on the size of a company and they know many companies don't spend enough time looking at third party security.
Companies should study and understand their third-party reliance and what normal patterns of communication or activity look like, according to Dave Burg, principal at EY, in an interview with CIO Dive.
Small- and medium-sized businesses are on the receiving end of most cyberattacks and they serve as a gateway to larger enterprises.
"It goes beyond a single company," said Ajay Banga, president and CEO of Mastercard, while speaking at a National Press Club event in Washington in December.
Attacks on SMBs compared to large enterprises are an "asymmetric threat," according to Banga. Data breaches often occur because security protocols were lacking somewhere in a company's "value chain" and the larger entity suffered the consequences.
Follow Samantha Ann Schwartz on Twitter