One of my clients recently asked me what organizations should expect for information security and privacy in 2019. My short answer: More! He appreciated my in-depth discussion with him so much that I decided to share a few of my high-level points from that conversation. Here is what to expect in five key areas in 2019, and beyond.
1. More ransomware
Why? More businesses, organizations and people are paying the ransoms. Cybercrooks will use what makes money, so they will use more ransomware. Even when organizations say they have up-to-date backups, business leaders have gone ahead and paid ransoms because they said it would be quicker to do so than to restore their data and applications from their own backups. If this is true, then they clearly have insufficient backup and disaster recovery procedures.
Two actions (of many necessary) to help prevent ransomware losses:
- Encrypt all your data. Ransomware crooks are increasingly taking copies of data before they use their own encryption to take your data hostage. Turn the tables on the crooks: strongly encrypt your data so if they succeed in stealing it, they will be unable to use and sell your organization’s data to their crook colleagues.
- Implement an effective backup and recovery program. Here are just a few of the necessary actions:
  - Make frequent backups.
  - Create a procedure to quickly restore data and systems.
  - Establish a disaster recovery team to follow the procedure.
  - Test the procedure with the team to ensure it works, and to determine how long data recovery will take.
  - Modify the procedure as necessary to improve on the results, including recovery times.
2. More attacks on the USA critical infrastructure
Why? More of the energy, water, healthcare, transportation, communications, and all other systems that comprise the USA critical infrastructure are demonstrably, incredibly vulnerable. This is not unique to the USA; most (if not all) other countries also have significant vulnerabilities within their critical infrastructure which attract nation-state hackers, and others who simply want to cause disruption or steal valuable intellectual property and other data. A weakness within one sector presents a threat to all others connected in any way to it. Many weak points exist throughout the entire homeland critical infrastructure that could be exploited to cause mass disruption, as well as actual physical harm. Large amounts of personal data are also stored and transmitted within the critical infrastructure, and massive privacy breaches have already occurred through a wide variety of incidents.
Two actions (of many necessary) to help improve critical infrastructure security:
- Require all entities involved to establish strong cybersecurity programs. Each organization that is part of the critical infrastructure should establish a risk-based information security program to reduce the likelihood of privacy breaches and of threats successfully exploiting vulnerabilities. All such entities should be encouraged (if not required) to use standards and resources available from government and/or legitimate and vetted standards agencies, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the CISA National Cybersecurity and Communications Integration Center (NCCIC).
- Require all entities involved to establish strong privacy programs. Each organization that is part of the critical infrastructure should establish a risk-based privacy protection program to mitigate the likelihood of privacy breaches, for not only taxpayers, consumers and patients, but also for all those who work within the organizations. They should be encouraged (if not required) to use privacy standards and resources available from government and/or legitimate and vetted standards agencies, such as the OECD Privacy Guidelines, EU GDPR Principles, and the NIST Privacy Framework that is currently being established.