Ransomware, New Privacy Laws Are Top Security Concerns for 2019

In 2019, enterprise security will be all about the data: where it is, who has access to it and who is protecting it.

For Steve Durbin, the managing director of the non-profit Information Security Forum (ISF) that focuses on data and how best to protect it, 2019 will mark a return to a more traditional approach to InfoSec, with less emphasis on the cyber attack of the day.

"For me, 2019 is all about information security really coming back on trend," Durbin told Security Now in an interview before the organization released its list of the top security trends for 2019. "We have talked a lot about cyber, but for me [2019] is more about traditional information security. It's about data and how that data can be shared, potentially compromised, and I think that is the overarch. It's all about digital data and the implications of that."

In fact, ISF's top security concerns for 2019 -- increasingly sophisticated ransomware attacks, concerns about new privacy laws, the trouble with an increasingly connected world, and rethinking the global supply chain -- all have these concerns about company data at their heart.

(Source: iStock)\r\n\r\n

As Durbin explained:

"It's going right back to the data, to the information, and so it's about confidentiality, integrity, and availability -- the traditional InfoSec elements. Of course, you have people talking about technology and that's off to one side, but for me it's the CIA in InfoSec that we are talking about and how it relates to that specific data, whether it's around assets or personal information or whatever that might be. So, it's that zeroing in on those traditional security arguments. I think in the past, we got excited about cyber and what you could do with all that stuff and for me 2019 is about people saying, "Let's draw that back a bit and talk more about how we protect data assets.""

That notion of protecting data is at the heart of why ransomware remains a major concern. Although somewhat eclipsed in 2018 by the rise of cryptomining and cryptojacking attacks, ransomware remains the overarching concern of enterprises, whether it's large firms or smaller businesses. (See WannaCry Continues Rampage 18 Months After First Outbreak.)

One major concern is the increasingly sophisticated nature of ransomware, where the person or persons behind the attack are willing to spend more time mapping a corporate network and disabling the back-up systems, or encrypting the back-up files, in order to increase the pressure on the company to pay the ransom.

It's an issue Sophos Labs touched on in a recent report that focuses on ransomware campaigns such as SamSam. (See Sophos: 'Living off the Land' Is the Law of the Land.)

Additionally, cybercriminals are bundling different attacks together as ransomware spreads, as well as sharing information and best practices. This gives rise to the issue of ransomware-as-a-service. (See Kraken Cryptor Update Points to Rise of Ransomware-as-a-Service.)

"We're seeing two different trends with cybergangs. One, they are becoming much more collaborative … so they will share information about what works and what doesn't work, and they are becoming much more patient," Durbin said. "So, we know that you can live on a corporate network for months without being detected and that's allowing them to see how the systems work and where the back-ups are and that's a real danger for all organizations."

The flipside of cybercrime is, of course, the law, and increasingly governments are creating new rules and regulations designed to address concerns about data breaches and other types of attacks.

These regulations, best exemplified by the European Union's General Data Protection Regulation (GDPR), are increasing, with countries such as China, Russia and Vietnam all updating or putting new laws on the books. (See GDPR Presents New Challenges in Backup & Disaster Recovery Management .)

In the US, California is setting new standards for data privacy and protection, although a federal law does not seem like a possibility yet. (See California Looks to Pass Rudimentary IoT Security Legislation.)

For Durbin, 2019 will be the first big test of GDPR and some of these other laws and frameworks. He noted that the data breach at British Airways is of particular interest to him. (See British Airways Already Facing Lawsuits Following Data Breach.)

"You're not going to see the big numbers just yet. I think everyone is waiting around in anticipation of the 4% coming out," said Durbin, referring to the maximum fine under GDPR. "The British Airways breach is the one everyone is looking at. Some of the cleanup around that has been done exceptionally well and the ICO [Information Commissioner's Office] will take that into account, but they will want to drill into what went wrong."

In addition to ransomware and privacy laws, Durbin and ISF identified two other areas of concern:

IoT
The Internet of Things remains a concern for security pros, especially as the office and home spaces are increasingly mixed, with employees taking corporate data home, which leaves it exposed to an array of connected devices, such as smartphones, smart TVs and other gadgets. By increasing the attack service, more data remains at risk. Supply chain
By 2019, enterprises will give up trying to improve the security of their supply chain. Instead of focusing on the companies within the supply chain, businesses will put more emphasis on protecting individual components and intellectual property instead of the supply chain companies themselves. This again focuses efforts on corporate data and information and away from trying to ensure the security of a third-party supplier. Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.