One of my clients recently asked me what organizations should expect for information security and privacy in 2019. My short answer: More! He appreciated my in-depth discussion with him so much, I decided to share a few of my high-level points from that conversation. Here is what to expect in five key areas in 2019, and beyond.
1. More ransomware
Why? More businesses, organizations and people are paying the ransoms. Cybercrooks will use what makes money, so they will use more ransomware. Even when organizations say they have up-to-date backups, business leaders have gone ahead and paid ransoms because they said it would be quicker to do so than to restore their data and applications from their own backups. If this is true, then they clearly have insufficient backup and disaster recovery procedures.
Two actions (of many necessary) to help prevent ransomware losses:
Encrypt all your data. Ransomware crooks are increasingly taking copies of data before they use their own encryption to take your data hostage. Turn the tables on the crooks: strongly encrypt your data so if they succeed in stealing it, they will be unable to use and sell your organization’s data to their crook colleagues.
Implement an effective backup and recovery program. Here are just a few of the necessary actions:
Make frequent backups.
Create a procedure to quickly restore data and systems.
Establish a disaster recovery team to follow the procedure.
Test the procedure with the team to ensure it works, and to determine how long data recovery will take.
Modify the procedure as necessary to improve on the results, including recovery times.
2. More attacks on the USA critical infrastructure
Why? More of the energy, water, healthcare, transportation, communications, and all other systems that comprise the USA critical infrastructure are demonstrably, incredibly vulnerable. This is not unique to the USA; most (if not all) other countries also have significant vulnerabilities within their critical infrastructure, which attract nation-state hackers and others who simply want to cause disruption or steal valuable intellectual property and other data. A weakness within one sector presents a threat to all others connected in any way to it. Many weak points exist throughout the entire homeland critical infrastructure that could be exploited to cause mass disruption, as well as actual physical harm. Large amounts of personal data are also stored and transmitted within the critical infrastructure, and massive privacy breaches have already occurred through a wide variety of incidents.
Two actions (of many necessary) to help improve critical infrastructure security:
Require all entities involved to establish strong privacy programs. Each organization that is part of the critical infrastructure should establish a risk-based privacy protection program to mitigate the likelihood of privacy breaches, for not only taxpayers, consumers and patients, but also for all those who work within the organizations. They should be encouraged (if not required) to use privacy standards and resources available from government and/or legitimate and vetted standards agencies, such as the OECD Privacy Guidelines, EU GDPR Principles, and the NIST Privacy Framework that is currently being established.
3. More nation-state hacking
Why? More disruption of society and more benefits to the nations doing the hacking. Nation-state hacking: 1) removes the trust of citizens; 2) provides intellectual property and sensitive information to governments that want to use such data and ideas to create their own competing products and services, and to know what innovations are coming next; 3) disrupts financial institutions, giving the hacking nations more of an economic competitive edge; and 4) is used to find blackmail targets, for both political and economic gain to the hacking nations.
Nation-state hacking now targets not just government entities and agents, and business suppliers and vendors. Every person who goes online, has a smart device, and has personal data in any type of compromised database is a potential target. Those who lack, or have insufficient, security controls and awareness, and those with sloppy or no security protections, will become hacking targets. Former NSA hackers say Russia, China, Iran and North Korea are the primary nation-state hackers. But we all know the USA, and many other nations, are also very active.
Two actions (of many necessary) to protect against nation-state hacking:
Implement long-standing security practices. Here are just a few:
Keep all systems and applications updated with the latest patches.
Encrypt personal and sensitive data in storage and in transit.
Ensure contracted third parties have strong data and systems security practices.
Raise awareness. Here are just a few ways:
Provide information security and privacy training regularly, using up-to-date training content.
Send frequent security and privacy reminders, including how to spot phishing and other social engineering tactics, how to securely use Wi-Fi, computing security practices while away from the office, while traveling and at home, the need to use up-to-date anti-malware tools, and secure disposal of hard copy and digital storage media.
4. More surveillance
Why? More types of entities have more reasons and ways to surveil than ever before.
In the name of national security, government surveillance has increased significantly, not only for physical locations in public, but also while online and on the phone.
Social media sites are also increasingly tracking more online activities, increasingly far beyond the social media sites themselves, because personal data is valuable, and makes the social media entities much, much richer.
Smart devices are also collecting the sounds, and often sights, of the vicinities they are within, and those in the vicinities usually do not even realize that their data (what they say, what they do, etc.) is being collected and shared with an unlimited number of others.
Two actions (of many necessary) to control the impact of surveillance:
Take precautions. Never forget that there are increasingly more audio and video surveillance devices installed in surreptitious ways in public, in stores and restaurants, in government properties, in public and private transit, and in people’s homes. Keep this in mind before you choose to say or do something that could come back to haunt you. Facetious and satirical actions and statements, taken out of context, have resulted in lost friendships, lost jobs, added surveillance, and even physical harms.
Check social media settings often and set auto updates. Set security and privacy settings on all social media and apps you use. When social media sites and apps are updated, the settings are often changed as a result, so be sure to regularly check the settings to ensure they are still providing the levels of security and privacy protections that you want.
5. More hacking through IoT devices
Why? More IoT devices are being manufactured and used every day, and they are overwhelmingly unsecured. Very few IoT devices are “smart” when it comes to having security controls built in. Numerous research reports show that most don’t have data security controls, and the rest don’t have enough. It is rare to find a device that doesn’t fail at protecting privacy. These all create substantially more pathways for hacking on an ongoing basis.
In the U.S. there are currently no IoT security laws in effect, and only one law that specifically governs IoT security: California TITLE 1.81.26. Security of Connected Devices, which goes into effect on January 1, 2020. I’m not aware of any specific IoT laws in other countries. There are generally no legal requirements established to ensure that IoT device vendors and creators engineer secure architectures for the growing numbers of IoT devices being placed into people’s homes and other personal spaces. I see Facebook’s Portal and I just shake my head … what a fun way to let the spies see all your in-home activities, possessions, etc. by using Shodan, and similar IoT discovery tools, to find all those unsecured IoT devices.
Two actions (of many necessary) to help prevent IoT privacy and security breaches:
Check device settings often and set auto updates. Ensure security and privacy controls are still appropriately set on all the IoT devices and associated apps you use. It is common for system and application updates to change such settings, so don’t assume that the settings you established when you first started using a device or app are still the same. Compared to most folks, I don’t use that many devices (fewer than 10), and very few apps (fewer than 15). I set a quarterly reminder to check my security and privacy settings on them.
Have you considered these topics in your 2019 planning? Let us know! We welcome your constructive comments below.
Yes, I realize that each of these topics has much more involved than what I covered here. Of course, much, much more needs to be considered beyond the points made. But the purpose of this post is not to provide a class discussion, but to get readers thinking critically and seriously about these topics.
I’m planning more episodes of my Data Security & Privacy with the Privacy Professor podcast covering these topics throughout this year. Here are a few of my episodes to date that covered one or more of these five topics:
I look forward to covering the wide range of privacy issues that must be addressed by every business, and every individual, in the coming months within this blog feature! If you have a topic to suggest, just let me know. I always appreciate knowing the topics that are at top of mind for our readers.