Breach Outlook for 2019: Winter is Coming

When the conversation gets around to the topic of cyber security, the narrative increasingly resembles the script of Groundhog Day, a movie where the main character remains stuck in the present.

Last year marked a continuation in the number attacks aimed at stealing information – whether for financial gain or on behalf of state actors. And there’s little indication that trend of accelerated threat activity will pause or reverse in 2019.

"If we have not hit the maximum pain point already, I'm not sure what it is going to take for us as a culture to say, enough is enough, and demand security and safety over convenience," said Eva Velasquez, president and CEO of the Identity Theft Resource Center.

One problem is that the tally of breaches tends to be subjective. Take a widely-reported cyber breach, such as the attack against the Office of Personnel Management in June 2015, which exposed sensitive background checks into federal employees and contractors. Those incidents get lumped in with massive, but limited, exposures of information. But to be clear, a record from one breach is not generally equal in value to a record from another breach.

Still, the number of records exposed in 2018 almost certainly surpassed that registered in 2017, even when you remove the outliers. For example, a breach that impacted 3 billion Yahoo accounts comprised the lion's share of compromised records chronicled in 2017. The actual breach occurred in 2013.

So with the number of records exposed each year on the increase, there’s more pressure from both customers and regulators for organizations to find better ways to limit the risk of data loss. The task has taken on added urgency because companies now collect an ever-widening amount – and variety - of information.

In the not-too-distant past, breaches used to be limited to names, e-mail addresses, passwords and credit-card accounts. But increasingly, medical records, DNA information, biometrics and demographic profiles are also at risk. Attackers who find ways to access that kind of valuable personal information are then able to compromise a person’s identity and inflict major damage.  Although prices vary, this sort of information also offers a bigger potential payday on the black market than, say, stolen credit card numbers, which might go for a few quarters or dollars. Over the last 7 years, the number of annual health data breaches increased 70%, according to the Journal of the American Medical Association , with 75% of the breached, lost, or stolen records – 132 million – being breached by a “hacking or IT incident.

None of this exactly qualifies as a surprise. In a new survey conducted by the Conference Board, US CEOs listed cyber security as their top external concern for 2019. Yet, security measures are not keeping up.

Time to Plan is Now

Part of the problem is that users still want to make access to their accounts as easy as possible, according to Valesquez.

"When it's not difficult for us to access our accounts, it's not difficult for the thieves either," she said. "We need to demand (providers) jump through more hoops, but most people don't want that—it is an extremely difficult culture shift."

The Identity Theft Resource Center believes that 2019 represents a crucial year for breaches and identity theft. More consumers are wary of the dangers posed by their information being too accessible. That’s going to lead to more demands that organizations be clearer about how they use information as well as be more forthcoming about the kind of data put at risk when a breach occurs.

At the same time, regulations such as the European Union's General Data Protection Regulations (GDPR), which requires more strict handling and protection of data, could convince those companies holding customer data to take more care with the information. Also, Canada has already enforced GDPR-like legislation, and Brazil recently passed new privacy legislation similar to GDPR, due to enter into force in 2020.

In the US, California recently passed a sweeping data digital privacy law regulating the data-collection practices of technology companies. The legislation, which goes into effect in January 2020, is also viewed as a potential harbinger for other states weighing how best to protect their residents’ data.

But as Giampiero Nanni, Symantec’s government affairs head for its EMEA region noted, GDPR is based on outcomes. It doesn’t instruct companies on how to achieve cyber security.

That puts the onus on enterprises to pull together the integuments of a detailed plan in advance of any attacks so that the breach notification process won’t be dependent on improvisation. That way, all of the affected stakeholders will know how to respond based on the nature of the intrusion.

“A situation that will by definition cause distress, if not panic, in the organization, does not need additional aggravation due to lack of direction and planning,” according to Nanni.

It’s a timely warning. Symantec CTO Hugh Thompson and Steve Trilling, the company's general manager of security analytics and research, recently teamed up to offer their take on the threat landscape in 2019. Among their conclusions:

• Attackers are gearing up to exploit Artificial Intelligence-based systems and use AI to aid their assaults.
• Growing 5G deployment and adoption will begin this year in earnest; while that's expected to be a boon to consumers who benefit from faster connectivity, it's also expected expand the attack surface area.
• The continuing proliferation of poorly-secured devices belonging to the Internet of Things may invite even more powerful botnet-powered attacks than in years past.
• Attackers don't need to get particularly fancy either. They can simply try to exploit home-based Wi-Fi routers and other poorly secured consumer IoT devices in new ways to steal the data passing through them. These data-in-transit compromises are also likely to hit enterprises as they provide unique visibility into a victim’s operations and infrastructure.

 Jon Snow of Game of Thrones fame has to worry about winter’s imminent arrival. It may not be as grim an outlook for the rest of us. But make no mistakes: More breaches are in store - so start preparing now.