by Rob Pooley

Solutions Director


Saepio’s InfoSec Summary of 2019 and Expectations for 2020

It has been a strong year for Saepio, with new recruits, a new office, a new website (www.saepio.co.uk), updated branding and four industry awards, most notably being crowned IT’s ‘Rising Star’ in November. We look forward to the next decade, establishing ourselves as a go-to trusted UK firm for InfoSec services and solutions. Your feedback on our annual summary and future expectations is welcome!

2019

Best Reports:

Top Stat:

Over 10 billion personal data records were leaked. The year started strongly, with 4.1 billion records exposed in the first six months (a 54% increase in reported breaches vs 2018), but the incidents kept coming and the 10 billion mark was passed by the end of September. With more than 1.25 records compromised per human on the planet this year, who knows where the count will be by this time next year? https://thedefenceworks.com/blog/2019-data-breaches-10-billion-records-leaked-so-far-this-year/

 

InfoSec Funny:

This CISO vs Pentester clip raised a smile, but as there are so many, we suggest following ‘The Cyber Security Hub’ on LinkedIn for daily comical clips and images injected into an otherwise informative feed of useful knowledge.

 

Most Interesting Incident:

The Capital One hack in July was interesting for a number of reasons:

 

Highest Profile Fine:

In July, the ICO announced its intention to issue the largest fine of its kind to date: a £183m penalty for British Airways following their 2018 hack. Attackers redirected traffic from the BA app and website to a fraudulent site, and the personal data and payment card details of up to 500k customers were compromised. Whether BA will actually pay the full £183m is a debate in itself!

 

Favourite Technology Control:

It’s not feasible to ‘prevent’ every security incident. In 2019 we’ve seen a general trend of organisations maturing their ‘detect’ and ‘respond’ capabilities. As organisations establish solid foundational security controls in line with Cyber Essentials Plus, there has been a growing desire for further actionable intelligence to improve the speed of incident detection and response. SIEM comes to mind, but these tools regularly cause alert fatigue for security teams that are already spinning a lot of plates. Rapid7 IDR is our favourite technology of 2019. It understands normal user behaviour and marries it up against known attacker behaviour to produce high-fidelity incident alerts. With centralised logging as a by-product and automated incident response capabilities, in our opinion it’s a key tool to have in your locker.
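To show what "marrying user behaviour against attacker behaviour" means in practice, here is an added illustration (written for this summary, not Rapid7's code or logic) that runs three detections over a handful of constructed authentication events. Two naive SIEM-style rules fire on their own signal: a login from a host the user has never used, and a burst of failed logins followed by a success. Each catches the attacker but also catches a colleague with a new laptop and a colleague who mistyped their password. The correlated rule only alerts when both signals land on the same login. The log format, usernames, hostnames, the baseline cutoff date and the threshold of five failures in five minutes are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "timestamp user host result".
# Baseline period: before 2019-11-06. Detection period: from 2019-11-06 onwards.
SAMPLE_LOG = """\
2019-11-04T08:55:02 alice WS-ALICE success
2019-11-05T08:58:40 alice WS-ALICE success
2019-11-04T09:10:00 bob WS-BOB success
2019-11-05T09:05:30 bob WS-BOB success
2019-11-04T08:45:00 carol WS-CAROL success
2019-11-05T08:50:00 carol WS-CAROL success
2019-11-07T09:02:00 bob LAPTOP-BOB-NEW success
2019-11-07T09:10:00 carol WS-CAROL failure
2019-11-07T09:10:05 carol WS-CAROL failure
2019-11-07T09:10:10 carol WS-CAROL failure
2019-11-07T09:10:15 carol WS-CAROL failure
2019-11-07T09:10:20 carol WS-CAROL failure
2019-11-07T09:10:30 carol WS-CAROL success
2019-11-07T03:14:09 alice FIN-SRV01 failure
2019-11-07T03:14:12 alice FIN-SRV01 failure
2019-11-07T03:14:15 alice FIN-SRV01 failure
2019-11-07T03:14:20 alice FIN-SRV01 failure
2019-11-07T03:14:25 alice FIN-SRV01 failure
2019-11-07T03:14:30 alice FIN-SRV01 success
"""

BASELINE_CUTOFF = datetime(2019, 11, 6)   # assumed split between learning and detection


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user set of hosts seen in successful logins before the cutoff ('normal' behaviour)."""
    baseline = {}
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline.setdefault(e["user"], set()).add(e["host"])
    return baseline


def new_host_logins(events, baseline, cutoff):
    """Naive rule 1: successful login from a host the user has never used before."""
    return [e for e in events
            if e["ts"] >= cutoff and e["result"] == "success"
            and e["host"] not in baseline.get(e["user"], set())]


def failure_bursts(events, cutoff, threshold=5, window=timedelta(minutes=5)):
    """Naive rule 2 (attacker behaviour): success preceded by >= threshold failures
    for the same user inside the window (password guessing that eventually works)."""
    hits = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        recent_failures = sum(
            1 for f in events
            if f["user"] == e["user"] and f["result"] == "failure"
            and e["ts"] - window <= f["ts"] < e["ts"])
        if recent_failures >= threshold:
            hits.append(e)
    return hits


def correlated_alerts(events, baseline, cutoff, threshold=5, window=timedelta(minutes=5)):
    """High-fidelity rule: alert only where the anomalous user behaviour (new host)
    coincides with the attacker behaviour (failure burst) on the same login."""
    burst_keys = {(e["ts"], e["user"], e["host"])
                  for e in failure_bursts(events, cutoff, threshold, window)}
    return [e for e in new_host_logins(events, baseline, cutoff)
            if (e["ts"], e["user"], e["host"]) in burst_keys]


def run_detection(log_text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    """Run all three rules and return (user, host) pairs each one would alert on."""
    events = parse_log(log_text)
    baseline = build_baseline(events, cutoff)
    as_pairs = lambda evs: [(e["user"], e["host"]) for e in evs]
    return {
        "new_host_alerts": as_pairs(new_host_logins(events, baseline, cutoff)),
        "failure_burst_alerts": as_pairs(failure_bursts(events, cutoff)),
        "correlated_alerts": as_pairs(correlated_alerts(events, baseline, cutoff)),
    }


if __name__ == "__main__":
    for rule, alerts in run_detection().items():
        print(f"{rule}: {alerts}")
```

On the sample data the two naive rules raise two alerts each (bob's new laptop and carol's mistyped password are the noise), while the correlated rule raises one: alice's account guessed onto FIN-SRV01 at 3am. Real products weight many more signals (time of day, asset criticality, geolocation, privilege use), but the principle of requiring an anomaly and an attacker technique to agree is what keeps the alert queue short.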

 

2020

The Big Bucks is in BEC:

Business Email Compromise will become increasingly targeted and attackers will adopt the use of image, voice and video Deepfake technology – Jonathan Miles, Head of Strategic Intelligence and Security Research at Mimecast provides a great explanation here: https://www.intelligentciso.com/2019/11/07/mimecast-expert-on-why-deepfakes-are-revolutionising-the-world-of-phishing/

 

Data Privacy and Compliance Complexity

The California Consumer Privacy Act comes into force in 2020 and we expect there to be many similar regulations introduced.  Having a comprehensive data risk management strategy will only become more important to competently navigate the compliance / alignment requirements.

 

Human Error = More Breaches

It’s not just click-happy employees who need educating; it’s about building a ‘Secure by Design’ culture. We expect considerably more than 10 billion records to be leaked in 2020, many of them from a boom in web applications brought to market quickly on tight budgets. It only takes small code or configuration errors to culminate in significant vulnerabilities and sizeable breaches. Be wary of the risks that third-party suppliers and in-house developers can bring.

 

Standard Adoption

We expect the NCSC to standardise the CE+ certification process in 2020, but where appropriate we will encourage organisations to mature beyond the basics and adopt a more comprehensive information security management system such as ISO 27001. We expect the number of certified firms to rise as the need and desire to proactively demonstrate security best practice increases.

 

What Skills Shortage?

Cyber security is considered a compelling career path among many demographics. With secondary education establishments having offered a plethora of InfoSec courses over the last three years, we expect a strong pool of emerging talent across the UK to reduce the ‘skills shortage’ the industry so often references.

 

“Help I’ve been Hacked!”

It’s not just companies that lose out significantly to cybercrime. Individual lives are regularly turned upside down by cyber incidents. Rising awareness and use of facilities like The Cyber Helpline will guide individuals through the response process and help them mitigate future incidents.

 

As always, the Saepio team are on hand to discuss all things information security related.