Fresh from the KPMG Newsroom, Gordon Archibald, partner, security services, tells risk managers his top seven predictions for cybersecurity risks in Australia in 2018.
In 2017, one in two businesses was threatened by a ransomware attack, one of the fastest growing types of cyber-crime. Attacks are getting larger, more sophisticated and more expensive.
Major global brands such as Uber, Equifax and Yahoo have seen millions of user accounts compromised: 3 billion in the case of Yahoo. Cyber-crime is expected to cost more than $6 trillion globally by 2021, up from $3 trillion in 2015.
Clearly, the business world has no choice but to sit up and take notice. But what kind of action will this translate into and how will Australia be affected? Here are seven predictions for cybersecurity in Australia in 2018.
Cyber in the boardroom
Cybersecurity is going to be top of mind for boards. With digital transformation part of everyone’s strategy, cybersecurity has to be treated as a business risk – which means defining a company’s appetite for cyber risk. Some advanced organisations are already treating it as a risk and governance matter, defining key metrics for measuring and reporting deviations from their cyber risk appetite.
This means that cybersecurity is moving up the value tree in business. It’s no longer going to be seen just as a matter for the IT department. The CISO (chief information security officer) will now report directly to the CRO, CFO or CEO, not the CIO, becoming a bridge between business owners and cybersecurity.
Privacy, privacy, privacy
Australian companies need to be privacy resilient: prepared and ready to respond. The reputational impact will be significant and the cost to business could be large. A major Australian company will be hit. Being the target of an attack is not a crime, but how you respond could be.
Data is the new currency, and with mandatory breach disclosure coming into force there will be greater focus on third parties.
Take for example the Red Cross Australia data breach, which saw a technology partner leak 1.3 million records. Third parties will have to provide “ongoing assurance” of their controls, not just sign up to SLAs. Contractual requirements will tighten and the penalties for breaches will be significant. And it’s not confined to home jurisdictions: organisations operating internationally need to understand how EU and US privacy laws affect them.
Cyber warfare threat
In the US, cyber warfare is viewed as a bigger threat than terrorism. In Australia, the government and Defence have also made this a top priority, announcing the launch of a cyber warfare unit.
With the IoT and the spreading interconnection of devices, critical infrastructure is becoming increasingly vulnerable. It’s likely we will see some kind of major attack in Australia in 2018.
To counter the threat, the government is working on new legislation, the Critical Infrastructure Bill, to manage national security risks. This will provide a regulatory framework that requires critical infrastructure (CI) operators to build cyber resilience and to report compliance and incidents.
AI, machine learning, D&A (data and analytics) and continuous controls-based monitoring are transforming functions and roles. Many activities and functions will be replaced by machines. This will bring reduced costs, increased visibility, assurance and trust, and ultimately an improved security posture. More cybersecurity products will become available to mid-market enterprises that can’t afford a dedicated CISO and security operations.
However, the rise of new technologies will also create opportunities for smart cybercriminals to find better ways to attack. For example, social data will be harvested and analysed on a massive scale and used for automated, highly targeted and sophisticated phishing attacks.
Explosion of the IoT
The Internet of Things will see an explosion of benefits but also of incidents in 2018. We’ve already seen how hacked CCTV cameras were able to take down Netflix in the Dyn attack. A 2014 study by HP found that 70 percent of IoT devices contained serious vulnerabilities. Continually identifying and patching vulnerabilities in billions of devices will be an immense task. Gartner predicts IoT will represent 20 percent of the market by 2020.
As IoT continues to advance, security will be top of mind. Assurance and controls will increasingly be necessary to protect critical infrastructure. Many organisations will struggle to identify just how many connected devices they have.
Security expectations shift to third parties
Security will no longer be just about your own organisation but also about your suppliers’ security. With the heavier penalties being introduced in new data legislation, ensuring third-party security will be critical. Organisations will move from an audited to an assured approach. In 2018, real-time, risk-based reporting will rise and transition from good practice to a requirement.
The government will also start to engage private enterprise, and ease of engagement will drive more collaboration from private enterprise to support government demands.
The year of Identity
Ultimately, 2018 will see an increased focus on cyber resilience with a shift back to prevention and response as well as detection. User-based behaviour analytics will be key. With the explosion of IoT and an increasingly connected world, there will be a shift towards securing data, no matter where it resides. Data is the new currency. People expect security of their data and legislation will encode this expectation into a legal right.
2018 will be a year of significant growth for professional services centred on strategy, architecture and implementation of identity services across these three key areas:
1. The rise of Online Self 2.0. Customers’ expectations around ease of use, choice and privacy will start gaining momentum this year. Every service industry will start adopting some form of customer identity strategy that offers a true digital experience.
2. The Mandatory Data Breach Notification laws will have a significant impact on how organisations collect, store and manage online/digital identities. In light of the significant risks related to a breach, organisations will start reconsidering what they collect, the supporting processes around customer information and how this information is protected within the organisation.
3. Internal productivity programs based on Microsoft Office 365 will drive employee identity capabilities that provide better digital experiences for internal staff whilst at the same time improving security, privacy and identity governance.
If 2018 sounds terrifying in terms of cybersecurity, that’s because we will face greater threats than ever before. We also have better tools to deal with some of those threats, but there will be gaps.
Businesses and consumers are in an arms race with cybercriminals and hostile states. Every organisation needs to plan in terms of “when”, not “if”, they face a cyber-attack.