Vulnerabilities, Security Control, Cybersecurity, Security Awareness
Security Trends and Takeaways for the Second Half of 2019
So much has happened in terms of information security and breaches in 2018 that it can be a little overwhelming. Now that we’ve had time to reflect on 2018, we can summarize important lessons and takeaways as we head into the second half of 2019.
Without further ado, here are the security trends to watch — along with takeaways on how to deal with them — for the second half of this year.
1. Trend: Security Apathy. As you probably have noticed, Facebook is in the news almost on a weekly basis. Its security issues have individuals, companies and even the federal government concerned. However, people seem to be so overwhelmed by the constant stream of security issues, personal-rights debates and data breaches that the general population is becoming numb to the news. This makes it a challenge, when we talk to employees about protecting both company and personal data, to make sure the message relates to them and is meaningful.
Takeaway: Make employees understand what’s at stake in terms of risk to the company. One of the biggest issues is that most workers do not fully comprehend the dangers of having their email accounts compromised or losing personal data. This is why a company-wide security awareness program has to be in place. It helps employees learn about new threats and how they can better protect their data.
2. Trend: Europe’s Data Laws. GDPR passed last year because the government felt companies weren’t being proactive enough. Ideally, an industry should be setting these standards and following them, but if the captains of industry in the United States, such as Facebook, do not step up to the plate in the next couple of years and start adopting basic security frameworks and standards, the government is eventually going to step in and will likely do a less efficient job.
Takeaway: As a company, it’s in your best interest to be proactive about protecting your customers and meeting compliance requirements. Even when laws such as GDPR are enforced, you’ll be ahead of the game in protecting your customer base and your business.
3. Trend: Pervasive Vulnerability. The Spectre and Meltdown flaws were eye-opening for the industry. They exploited critical vulnerabilities in modern processors to allow programs to read data from other programs, which is normally not allowed. A malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Now that the IoT is everywhere and our devices, speakers and TVs are “smart,” the stakes get even higher as these and more items become vulnerable. We don’t have a decent way for consumers to know whether the manufacturer of these products meets any kind of security standard.
Takeaway: Some form of label or notification on the product, stating that it meets a basic security standard and that it can actually be patched or updated if a flaw is found, would be extremely valuable for consumer products. While an industry standard may be years in the making, consider how best to communicate with your customers and have a crisis plan in place.
4. Trend: Network Neutrality. In 2018, we lost a lot of privacy with the network neutrality decisions by the US government. Now we have ISPs who are able to sell data about their customers. We’re used to Microsoft and Facebook being able to sell our data, but those are platforms we voluntarily sign up for. Now any company we use to access the internet can sell information about us and our traffic to advertisers. A company can be affected by this as well: a company is a customer of an ISP, and the traffic patterns that company generates on the internet can technically be sold to a marketer working for that company’s competition. It probably would not be in an ISP’s best interest to do so, but nonetheless, it is still legal.
Takeaway: Most organizations need a trusted adviser who can help them weigh the potential pros and cons. In many organizations, internal politics can get in the way of a more neutral viewpoint based on security experience and statistics. Partner with someone and schedule time on a regular basis to have that person evaluate the risks and ask questions when it comes to these issues.
Feeling overwhelmed? We can help!