Now that the first half of the year is over, our KPMG Cyber team takes stock of current changes and looks at what the next few months and years may bring – with five changes, ranging from those shaping the (geo)political, social and economic environments in which organizations operate to how companies are implementing security, and what that means for cyber security as a profession and practice.
“Extortion through ransomware makes money, with losses increasing as criminals become more careful in selecting their targets, spend longer working out how to extort money most effectively, and ratchet up their ransom demands into the hundreds of thousands or even millions of dollars. Companies increasingly look to the cyber insurance sector to cover those payments. Expect insurers nursing growing losses to become more selective in just what and who they are prepared to insure as cyber insurance comes of age. With regulatory penalties rising for cyber incidents, also expect criminals to be creative in encouraging clients to pay ransoms rather than risk public disclosure of sensitive data or security weaknesses. Criminals may also have an eye to the potential of deep fakes, which make it harder to distinguish truth from fiction and open up new avenues for reputational harm and blackmail.”
“While the old staples of CEO fraud and compromised business emails are still with us, criminals have found new opportunities in poorly configured cloud services, websites and content delivery networks. Quickly spotting those vulnerable systems using automated tooling has opened the door to attacks at speed and scale, leading to data breaches, installation of payment skimmers and system disruption. Organized crime also has an eye to the attack surfaces offered by 5G and interconnected internet of things devices. For their part, law enforcement and tech companies are getting much better at taking down and disrupting criminal infrastructure, with some recent big and high-profile successes. We can expect digital combat to continue, with more sophisticated analytics and rapid interventions to disrupt criminal infrastructure, as active defense becomes commonplace.”
“The dream of a global commons in cyberspace is dying. Countries are increasingly regulating to create walled gardens and national fortresses to defend their corner of the internet. Some countries demand that personal data be processed in-country. Others seek to limit the use of overseas technologies, and yet more are building increasingly sophisticated national firewalls to control and limit their citizens’ access to the internet or protect their national networks against malicious activity, as they define it. Businesses are being forced to adapt their global models to create in-country or in-region data centers or cloud instances. The extra-territorial ambition of many national legislative instruments on privacy, cybercrime, and national security is creating a complex and conflicting network of obligations, requiring firms to pay increasing attention to the origin and nature of the data they process and handle. Metadata matters now more than ever.”
“Regulatory sanctions are increasing as many countries implement stricter privacy regimes and also impose greater penalties for service disruption and data breaches. There’s an inevitability around the litigation that follows, as companies seek to challenge fines running into the hundreds of millions of dollars – but what’s good practice, and what represents negligence on the part of a breached organization? A single line in the General Data Protection Regulation states that personal data shall be “processed in a manner that ensures appropriate security.” Who’s the arbiter of appropriate? Separately, the class action suits continue after data security breaches in the US, often taking years to conclude, while other nations establish the norms around group litigation to protect consumer interests, including around the internet of things. Will courts accept expert testimony, or will we see recourse to standards as the only means of organizations providing comfort around their security controls, and will that really make us more secure?”
“Countries are demanding the policing of content on social media – but where do we draw the line between free speech and content which is harmful, libelous, subversive or immoral? Every nation will have its views. It will look to social media giants to police their content in line with those ill-defined norms, demanding takedown of content nationally and blocking of content from overseas. Content filtering is becoming a massive industry, increasingly reliant on artificial intelligence systems to screen bulk data. The censor bots are arriving. Long-standing debates on end-to-end encryption will continue as nations demand access to digital platforms for national security and law enforcement reasons, while the tensions between individual rights and those of the state become starker. Fragmentation of the internet seems more and more likely. Amongst all of this, the ability to stay anonymous is disappearing as nations mandate stricter sign-up conditions and authentication mechanisms for access to internet resources.”