It’s hard to believe but 2018 has flown by. The year has been marked by breaches at the world’s largest and most powerful social media outlets. The mother of them all, Facebook, had a fairly awful year and it is directly due to major security issues.
In late September, the company announced that a widespread security flaw affected as many as 50 million users. This only added insult to injury after the truly stunning revelation back in March that political consulting firm Cambridge Analytica harvested the sensitive data of as many as 87 million Facebook users without their permission. This sent Facebook’s stock price tumbling and CEO Mark Zuckerberg himself lost nearly $11 billion. He also had to testify in front of a week-long congressional panel in April. (Is Zuck ready for 2019, or what???) And, now it seems the company is mulling the purchase of a major cybersecurity firm to avoid any future breaches.
Then there’s the Google+ network, which just this month announced that private information for as many as half a million users was exposed. The breach was the final death knell for the social network.
Of course, security breaches were not restricted to social media magnates in 2018. Retailers and restaurants took quite a hit as well, including Macy’s, Best Buy, Panera Bread and Whole Foods. Then of course there was a plethora of medical-related data breaches and those that targeted the government.
Hopefully 2019 won’t be quite as punishing – especially if companies take more precautions when it comes to security. The security experts here at GlobalSign have once again taken a peek into their proverbial crystal balls. Here are some of our predictions for 2019.
Lila Kee, General Manager and Chief Product Officer
Adoption of digital signatures will soar
Adoption of Trusted Digital Signatures will soar as the eIDAS regulatory framework emerges as the gold standard for electronic signatures and digital identities. Organizations and governments will rapidly digitize workflows and give solid legal foundations around digital signatures, and thereby eliminate paper processes.
Lancen LaChance, Vice President of Product Management, IoT Solutions
The need for identity in Bitcoin will grow; PKI will become the de facto IoT standard
The need for identity in Bitcoin grows as it regains cryptocurrency dominance and its layer two solution, the Lightning Network, will gain early adoption from mainstream payment providers. Meanwhile, PKI will become the de facto standard for IoT authentication and identity, as early IoT projects gain traction and adoption, especially in industrial, energy, medical, and telecommunications use cases.
Blockchain is here to stay and it is way more than just cryptocurrencies. Like new technologies, it’s a matter of finding ways to use it and making it compatible for commercialization by the masses. Companies will invest in R&D next year to find ways to utilize this technology for other purposes like smart contracts and authentication.
Arvid Vermote, Chief Information Security Officer
The world will follow the EU’s footsteps to combat online fraud
Led by the EU, countries around the world will increasingly adopt legislation requiring high level assurance signatures on digital contracts and transactions in order to fight online fraud and criminality by ensuring identity and integrity.
The need for identity within blockchain will become more pertinent and various stakeholders will offer proposals for how to solve the identity need, within which PKI technology will be used to resolve the issue by linking identities to blockchain addresses.
Furthermore, more organizations will move towards a co-sourced Security Operations Center (SOC) model, where an external expert party performs advanced analysis of events combined with internal event handlers that do the actual triaging and handling of events.
As more and more IoT devices and technologies reach the consumer and corporate market, breaches will increasingly be caused by vulnerabilities within these devices. The required focus and difficulties with securing IoT devices or networks will become more apparent.
John Murray, Vice President of Sales – West
Email will continue to be an easy target for phishers
Emails leveraging services you use and trust every day can be easily created to fool the enterprise user. In 2019, next generation, socially engineered and targeted phishing emails appearing to come from within the “trusted enterprise” will continue to scale, resulting in escalating business productivity and financial losses.
Nisarg Desai, Director of Product Management, IoT Solutions
IaaS providers will drive security best practices
Infrastructure-as-a-service providers (IaaS) such as Google, Microsoft (Azure) and Amazon Cloud will drive security best practices for the IoT in 2019. There was a lack of standards and regulation this year, and this will remain so next year.
These IaaS providers will do this in much the same way Google has driven best practices around TLS. Ultimately, these security practices will become the de facto rules. This shouldn’t be a surprise to anyone given the advancements being made in their IoT device management platforms and capabilities. This is a win for overall cybersecurity, since all of these companies are very security conscious.
Richard Hancock, GMO Group Manager for Data Protection and Privacy – West
The impact of GDPR beyond 2018
2018 was the year that we’ve all been waiting for. For six years, the data protection world eagerly anticipated the next generation of regulations that took existing data protection laws to a whole new level. Marketers weren’t so eager. Since GDPR took effect on May 25th, we’ve seen some interesting things happen, the most notable of which were ICANN’s burying of its head in the sand and a German court giving us some guidance and precedent on data minimization (if you don’t need it, don’t collect it). So, in 2019, we will undoubtedly see a sharp rise in the number of organizations truly coming to grips with GDPR.
Even now in October 2018, research suggests that considerably less than 50% of the commercial world is fully compliant. The Information Commissioner’s Office (ICO) were talking about streamlining the Binding Corporate Rules (BCR) application and accreditation process and I would hope to see this realised next year. I’ve spoken with many companies who are grappling for a legal basis to process their data on a global scale, but standard contractual clauses and BCRs are just too cumbersome for them, so a little help from the supervisory body would be welcomed by Data Protection Officers (DPOs) and Chief Legal Officers (CLOs).
Upcoming changes to the Privacy and Electronic Communication Regulations (PECR) to more closely align with the GDPR will see a fascinating strategy unfold amongst marketers, and the political climate changes coming at the end of Q1 will have a gargantuan impact on the way data is processed.
Where 2019 will also be noteworthy will be the precedent-setting case law. Currently, all eyes are on the likes of Google and Facebook, but the following 12 months will, I would hope, bring some clarity to areas of current ambiguity. One hopes that by the end of the year, most of the interpretation and conjecture that I’m currently witnessing when talking to data privacy leaders will have begun to diminish and make way for clear and concise action plans. In 2019, there is no data that should be in clear text. Encryption technology is readily available to protect your databases, your files and your e-mails. Used in conjunction with key management solutions and IAM, this provides a very effective defence and demonstrates verified access to your sensitive data estate.
Another big area of change that 2019 will witness is that of the contractual relationships between relying parties. Articles 28 and 30 of the regulation parallel liability for data loss between both the controller and the processor. I am already seeing contract terms much more carefully crafted, incorporating these additional duties, obligations and responsibilities around information security and data governance.
Jose Sue Smith, Senior Sales Engineer
Going paperless will speed up the adoption of digital signatures
Going paperless will be a must to facilitate digitalization. As a result, this will speed up the adoption of Trusted Digital Signatures in 2019 with the appropriate standards that grant trust to them. It does come with a cost, so the industry will work towards finding ways to maintain the levels of security and reduce the resources needed in processes and hardware, so cloud solutions will continue to prosper.
Dawn Illing, EMEA, Regional Product Manager
Rise in ‘novice’ mobile banking users will be a new prime target for criminals - although the attacks will be on the infrastructure, not necessarily the customer
Speed and competition mean a radical change in banking models. In 2018, digital banking dominated as Open Banking unfolded and traditional banking models faded away. Phones also increasingly became wallets. In 2019, cyber-attacks will be on the increase - a rise in ‘novice’ mobile banking users will be a new prime target for criminals - although the attacks will be on the infrastructure, not necessarily the customer.
Connectivity is now compulsory, which in turn means that industries in 2019 will be quick to recognize and adapt to providing a secure method for verifying digital identities. We also need to remember that in a highly competitive market, if a service fails, the repercussions in reputational damage are immense.
In 2017-2018, eIDAS (electronic Identification, Authentication and trust Services) was not a widely recognized term in the financial sector; however, from 2019 onwards it will be, as financial institutions comply to meet required legal obligations and to ensure they know with certainty who their customers are. This also includes the insurance sector, as regulations on cross-border services and payments in other EU States begin to take effect in the coming year and, therefore, customer due diligence becomes paramount.
Consequently, in 2019, security spending will increase by around 10% as a result of GDPR privacy concerns as well as requirements around application security and identity access management.
Whether you agree or disagree with our predictions, we’d love your feedback either here on the blog, or on Twitter. In the meantime, here’s to hoping that painful lessons learned in 2018 will result in stronger security practices next year, and consequently, fewer breaches and attacks worldwide.