2017: A Banner Year in Cyber Security

JOE CISO on December 20, 2017

Cyber attacks jumped out of every corner to make front page news throughout 2017. Striking across geographies, industries, and just about every other category you can think of, attackers thrust “ransomware” and “data theft” into the vernacular and struck terror in the hearts of CISOs and Internet users everywhere. Moreover, we’ve witnessed record volumes of new malware samples detected each quarter, with McAfee reporting an all-time high of 57.6 million new samples in Q3 2017—that’s four new samples per second!

Predictions Come True

Last year, Forrester predicted that 2017 would see a cybersecurity crisis for the Trump Administration in its first 100 days, that healthcare breaches would become as large and as common as retail breaches, and that more than 500,000 IoT devices would fall victim to cyberattacks. All of those predictions came true over the course of the year. And how!

Some Noteworthy Exploits

We witnessed viral, state-sponsored ransomware, leaks of spy tools from the NSA, US Presidential campaign hacking, and lots more turmoil in the cyber world. Some of the major contributors to our tumultuous year were:

The Shadow Brokers released a cache of NSA tools including the Windows exploit, EternalBlue, subsequently used by hackers in high-profile ransomware attacks. WannaCry, the most famous of these, invaded companies and made it to the headlines all over the world. Proliferating across as many as a million targets, WannaCry was able to spread effectively thanks to EternalBlue, exploiting a Microsoft server bug for which Microsoft had already released a patch. Unfortunately, however, many institutions were lax in applying the patch and suffered the consequences. Most notably, the ransomware created chaos throughout the UK’s National Health Service.

No sooner had we got past the WannaCry fiasco than Petya (or NotPetya, among other names) made its debut. Leveraging the Shadow Brokers’ sinister work, the malware infected numerous networks in many countries, with victims including Merck (US), Maersk (Denmark) and Rosneft (Russia). Ukraine was hit particularly hard, suffering disruptions across public services from airports to the central bank.

Millions of our smart devices were also forced into the act. Publishing its Vault 7 data trove stolen from the CIA, Wikileaks exposed multiple iOS and Android vulnerabilities, Windows bugs and—perhaps most disturbing of all—the ability to turn some televisions into in-home listening devices!

Still other major stories covered vulnerabilities that left large volumes of personal information (PII) totally exposed to any would-be hacker, making it alarmingly straightforward for them to exfiltrate these sensitive data. Back in June, an UpGuard researcher discovered a publicly accessible database that contained personal information of every US voter for the last 10 years – some 198 million of them, in fact.

While we are on the subject of voter records, let’s shift our focus to France. Days prior to the recent élection présidentielle, hackers dumped a hoard of emails from the campaign of now-President Emmanuel Macron.

Getting Ready for GDPR

The European Union’s far-reaching General Data Protection Regulation is set to go into force in May 2018, only a half-year from now. GDPR intends to strengthen and unify data protection for all individuals within the European Union (EU) and also addresses the export of personal data outside the EU. It also lays out some pretty stringent requirements for notification in case of data breach along with substantial fines for non-compliance. Several key data security requirements for GDPR compliance are succinctly laid out in this blog and CISOs would do well to read it to make sure they are covered before May rolls around.

2017 saw many companies scrambling to improve their cyber standing before GDPR goes into effect. Among the many tasks undertaken were:

  • Information taxonomy (where is the data?)
  • Classification (what is PII?)
  • Encryption and Pseudonymization (who can read the data?)
  • Appointment of a Data Protection Officer (mandated by GDPR for large organizations)

Jobs, Jobs, Jobs

2017 yielded some good cyber news, too. For job seekers, that is.

“Thanks” to cybercrime, the number of unfilled cybersecurity jobs is growing at an unprecedented rate. According to some estimates, more than 1 million cyber-security jobs are waiting for people to fill them. As a result, the cybersecurity unemployment rate has dropped to zero percent—and will likely remain there for years to come.

In 2017, we saw some other interesting cybersecurity job trends:

  • Many CISOs who previously reported to CIOs are now on an equal footing and report directly to CEOs.
  • The idea of having CIOs report to CISOs began to be discussed seriously in 2017.
  • New job titles include a Chief Cybercrime Officer (CCO), who would be tasked with day-to-day responsibility for protecting computer systems from attack and would take the lead if a breach should occur.

Go Figure

In 2017, global spending on information security will likely reach $87 billion. That volume of spending should protect us, shouldn’t it?

Not exactly.

Cybersecurity Ventures predicts that cybercrime damages will cost the world $6 trillion by 2021, up from $3 trillion in 2015. While final statistics for 2017 are not yet in, early indications show that we achieved a significant increase this year—Kaspersky Lab estimates that the number of attacks has grown by 11.5%.

Ransomware especially has become a favorite of hackers, proving to be a highly profitable venture. As of now, the rate of ransomware attacks is a staggering 5,000 per day. Global ransomware damages will exceed $5 billion in 2017, up from $325 million in 2015—a “mere” 15X increase over the last two years. Far exceeding the cost of the actual ransom payment, downtime, lost productivity, loss of data and reputational harm are costing hacked organizations dearly.

How are they falling victim?

The threats are many and varied but most information security professionals can agree that any organization’s largest security vulnerability is probably its employees. As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals. With more than half of the world’s population now “online”, we humans are prime targets for phishing scams, social engineering and other cyber exploits.

No matter how many warnings we receive, we just keep clicking on those email and website links. According to Friedrich-Alexander University in Germany, 78% of people claim to be aware of the risks of unknown links in emails, yet click anyway. As a result, ransomware and other malware continue to circulate. It is therefore critical that organizations deploy advanced protection that stops malicious content from getting in, no matter what cleverly disguised links your users click on.

Summary

2017 was indeed a banner year for cyber security. It is changing our world right before our very eyes. 2018 will shape up to be even more astounding. But more on that next month…


Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software
