2017 has certainly been a busy year for cybersecurity professionals. We’ve witnessed sensitive data leaks from the National Security Agency, the Wannacry ransomware scheme and of course the massive Equifax breach.
But what is in store for us in the next year? The cybersecurity experts here at GlobalSign have looked into their proverbial crystal balls. Here are some of their predictions for 2018.
Nadim Farah, Manager Digital Signing Services
2018 Will Bring More Legal Challenges to Simple Electronic Signatures
December 2016 marked the first successful legal challenge to simple electronic documents standing and as the world is moving more towards standardized and publicly trusted digital signatures, I believe that we could very well see more legal challenges to the standing of simple electronic signatures in 2018.
This is due to the fact that major US application providers for document management and signing continue to invest in creating integrated ecosystems between trust providers, identity verification services and application providers, including Adobe's Cloud Signature Consortium and DocuSign's Trust Service Provider programs.
Furthermore, expect trust program updates from providers such as Microsoft and Mozilla root trust, in addition to the announced Adobe Approved Trust List (AATL) program requirement updates in July, to drive a higher level of compliance requirements for these programs in line with Electronic Identification, Authentication, and Trust Services (eIDAS) in the EU for ID verification.
Facial Recognition May Play a Role in Identity Verification
The recently unveiled iPhone X by Apple has facial recognition capabilities with secure local storage for the data and similar technology has been announced to be in the works by Facebook as well.
While those technologies don't yet have the recognition of accuracy and assurance to be reliable for identity verification used to issue certificates for publicly trusted digital signing, it is still a possibility to use them in authentication for simple electronic signature in the first phase in 2018. As the technology continues to develop, especially the type that Apple is using which is supported by various hardware sensors and cameras, it could be potentially recognized as an equivalent of face-to-face identity verification in the next two to four years.
Doug Beattie, Vice President Certificate Services
By the End of 2018, 85% of All Web Pages Will Be Protected by HTTPS
We’ve seen strong growth in the number of HTTPS page loads and secure sites this year, primarily driven by Google and Mozilla, who have been encouraging the use of HTTPS. Chrome has been marking sites that collect passwords or credit cards as insecure since Chrome 56 and Chrome 62 now marks all sites with input fields (that are served over HTTP) as insecure. It’s just a matter of time until all HTTP sites are marked as insecure.
Now that free or low cost Domain Validation (DV) SSL Certificates are available, there is minimal financial impact to website operators so both Google and Mozilla are encouraging them to secure via the changing browser behavior based on site content. With Google and Mozilla continuing to add more warnings to HTTP pages and the eventual treatment of them with a prominent red exclamation mark in a triangle, we expect to see adoption rates continue to increase significantly. By the end of 2018, I’m predicting 85% of all web traffic will be protected by HTTPS.
TLS 1.0 and Earlier Protocols Will (Finally) Be History
Security is only as good as the weakest link. With the wide adoption of HTTPS, it’s time to say goodbye to outdated protocols - SSLv3 and earlier and TLS 1.0. These protocols have severe vulnerabilities and should be disabled on all websites.
With TLS 1.2 widely available and 1.3 on the way, the older protocols will be phased out in 2018. Given this, I predict that the majority of the sites will be supporting TLS 1.2, and virtually no use of TLS 1.0 and older protocols, by the end of 2018.
Lila Kee, General Manager, Chief Product Officer and NAESB Board Member
There Won’t Be a Major Attack on the US Electric Grid in 2018
Despite the increase of cyber-intrusion into the energy sector like Dragonfly, I am taking a contrarian stance and predicting there won’t be a “water-shed – 9-11” attack on the US electric grid in 2018.
First, we have a very resilient grid due to both increased federal coordination around cybersecurity support to the energy sector, and ongoing progress around building security by design into the smart grid.
Second, I also believe we greatly benefit by an increasing adoption and reliance on microgrids. Microgrids add much more resiliency to the grid by offering a faster and cleaner method to tap into renewal sources while the larger grid is restored. Municipalities should follow some of the early adopter models seen in California to mitigate outage issues due to natural disaster or cyber-attacks.
In addition, the very fact that Dragonfly did not cause major disruption served as further evidence (to me, anyway) that we are doing something right. Because if we weren’t, the outcome of that attack would have been severe.
Lancen Lachance, Vice President IoT Business Unit
Expect More Botnet IoT Attacks
In 2018, we will continue to see exploits of IoT devices with usage aimed at botnet activity. The scope of unsecured devices is still large, which makes low hanging fruit for hackers.
More Legislation, But Not Much Guidance
Regulation and legislation evolves, but will still lack teeth. We will see additional legislation and regulation aimed at cybersecurity for the IoT proposed and passed across verticals. However, due to the lack of IoT experience in the justice system and experience enforcing, the regulation and guidance still won’t have enough basis to truly guide the market yet.
Attackers Will Continue to Target Holes in Security Basics
We will also see more examples of basic security being overlooked and exploited by attackers. Successful IoT attacks will not be advanced, but rather exploit basic lapses in security by design for IoT devices, like shared passwords or unencrypted communications.
Dawn Illing, EMEA Regional Product Manager
Businesses Will Start to Get More Serious About Cyber-Insurance; Premiums Will Inflate
Cyber-insurance, despite the attacks throughout 2017, will continue to grow at a fairly steady pace despite the awareness being a not ‘if’ but ‘when’ an attack will take place. The catastrophic attacks in 2017 established that cyber-risk is now a prominent threat. The success of an attack can cause major damage not only to a company’s bottom line but to business reputation and consumer trust. However, despite the market awareness being significantly magnified, uptake on insurance continues to be slow as companies are slow to mitigate risk and understand how the appropriate resilience can be built into the business.
Moving Insurance from ‘Risk Protection’ to ‘Prevention’
Due to growing awareness of cyber-attacks throughout 2017, businesses’ will start to see security as a key commercial risk rather than an ‘IT issue’ that effects all parts of their business. A holistic process will begin to be adopted from the boardroom down, to change cultures and take company-wide positive steps to protect digital systems.
The Rate of Security Breaches Will Continue to Increase, Having a Knock-On Effect on Insurance and Claims Complexity
The variety of attacks and technologies and processes deployed to prevent them will also be noticeable, adding more confusion to businesses and therefore advice or guidance becomes sought after. Previously, a degree of blame has always been in place for the end-user when a breach takes place; however, companies will begin to adopt policies that make it easier to report breaches within the company and the focus will be more one of ‘how to detect’ rather than ‘how to respond’. In turn, reinsurance (insurance for insurance companies) support will grow in response to better data and tools, supporting the overall growth of the market.
Cybersecurity and Insurance Sector Opportunity
As high profile attacks continue, insurance companies’ direct sales and brokers have a compelling opportunity to become businesses’ trusted advisers. Therefore, although cyber-insurance take up remains slow, cyber-insurance premiums, will be increasing (due to increase in claims), which could result in a ‘rush’ in the second half of 2018. This will mean that as businesses seek advice, brokers and direct sales persons need to become more knowledgeable in the field. Therefore, both insurers and in many instances, brokers will become critical influencers in future buying decisions.
Richard Hancock, Technical Data Protection Officer and Security Specialist
The Impact of General Data Protection Regulation (GDPR) in the EU
2017 has seen the biggest shift in focus within information security for more than a decade: data protection. The EU’s General Data Protection Regulation (GDPR) has more than ruffled a few feathers, not just within the industry but across the board. Whilst, to this day, I still have not seen widespread advertising of the law change to the general public, it is a hot topic within a wide array of business communities. With only seven months to go, that clock is ticking!
2018 will witness a sharp increase in companies rushing to get their affairs in order as the reality dawns on them that after May 25, they could very well be writing a seven or eight figure check to the regulatory body. The way our data is collected, stored, handled, manipulated and reported on is never going to look the same again. We have never had more power and control over our personal information as we do now.
Europe is somewhat setting a trend for global data privacy. Over the coming year, we’re likely to see more and more countries striving to equate local laws with those of the EU. I would hope that the privacy shield becomes stable and its longevity is assured by the US government administration. I foresee many more organizations adopting binding corporate rules to enable them to freely move data around within their own borders and I think that the process for such accreditation will be streamlines to make it much more accessible than today.
Looking Ahead to 2018
What are your thoughts on these predictions? Are they spot-on, or do you have a differing opinion? Is there a topic you have like to have seen addressed? We would love your feedback here in the comments section, or via Twitter.