2017 is coming to an end. And the last year has seen some big vulnerability disclosures, global ransomware outbreaks, and of course, more data breaches and threats to people’s online privacy.
Taken together, these developments might leave people wondering what they have to worry about next. The good news is that a lot of what’s happened is business as usual for the cyber security industry.
So while we say good bye (and possibly good riddance) to 2017, it’s worth taking a few moments to think about what 2018 could bring.
Here’s a few thoughts from F-Secure’s experts on what cyber security developments we can expect next year.
“Amount of new ransomware will decrease, but there’ll be more targeted ransomware attacks against companies.”
2017 saw some interesting developments in ransomware. May’s WannaCry ransomware outbreak was the biggest in history, and were followed swiftly by other significant attacks.
According to F-Secure Labs Researcher Päivi Tynninen, we should see fewer new families and variants of ransomware. But she also expects companies to face more targeted ransomware attacks.
“We’ll still see cyber criminals developing new types of ransomware, but not as much as the past two years,” says Päivi. “The delivery mechanisms for attacking individuals aren’t really that effective at the moment. But ransomware’s business model is a proven money maker, so we’ll probably see cyber criminals focusing more on conducting targeted ransomware attacks against companies to get bigger paydays from fewer victims.”
“Biometrics as a form of identity authentication will become more mainstream.”
Apple rolled out their FaceID feature in the iPhoneX earlier this year. Based on the company’s success in marketing new technologies to consumers (the iPhone, the iPad, etc.), F-Secure Security Advisor Sean Sullivan thinks that more people and organizations will open themselves up to the idea of using biometrics to identify people.
“Biometrics have been available for a long time, but they haven’t really been marketed in a way that’s made them seem user friendly. But Apple’s quite successful at getting people to start using new technologies, and I suspect that’s what we’ll see here,” says Sean. “It’ll start with better Smart Lock features for Android (Smart Lock isn’t really designed for security at the moment), but that will spread to other applications and increased investment, which will then be more actively marketed by device manufacturers, service providers, etc.”
“The confusing, messy realities of the GDPR will hit home.”
The General Data Protection Regulation (GDPR) will come into effect in May 2018. And survey after survey shows that many companies aren’t really prepared for it. But F-Secure Privacy Officer Hannes Saarinen thinks the question of whether companies are ready for the so-called GDPR deadline oversimplifies what the GDPR is and that the real impact for companies will last much longer.
“May 2018 will see companies introduce their minimum viable product (MVP) version of GDPR compliance. This can be deducted from recurring ‘we’re not ready by May 2018!’ cries from businesses,” Hannes explains. “Every country needs a companion law that complements the integration of the GDPR into their national laws. And to date, Germany is the only country that’s done this.”
Basically, that means Germany is the only country ready to actually implement the GDPR, so companies based in other countries still have a lot of questions about how to prepare. And Hannes thinks that businesses simply have to get used to living with uncertainties while authorities iron out the practicalities of the regulation.
“Companies simply have to establish valid, good faith, practices to comply, and understand that some of those practices might need to change. Maybe that sounds scary, but it’ll be the only real option after May 2018,” says Hannes. “But on the positive side, the biggest causes of fines will remain consistent over time, so companies that improve how they secure data, avoid sending spam, and provide transparency and honesty with how they process people’s data will make things easy in the long term.”
“Ireland having a lot of US nationals provides a bonus item: how will that affect their use of enforcement powers under GDPR? And will the activities of Irish officials be enough for other data protection authorities? If not, then we’ll get to see the ‘one-stop-shop’ mechanism at work,” adds Hannes. “I think the Ireland case will partially move the discussion from compliance to how the whole project is actually supposed to work.”
“Early adopters will begin to regret purchasing smart devices.”
The Internet of Things is bringing internet-connected televisions, toasters, and other gadgets into people’s homes. And most of these “smart” devices aren’t particularly secure. In fact, Hypponen’ s law states that if it’s smart, it’s exploitable, making the spread of these gadgets bad news for security.
Sean Sullivan thinks that early adopters will start to realize that their smart devices aren’t so smart after all. But this won’t be driven by cyber attacks – it’ll be a lack of service from device vendors.
“Internet-enabled appliances need ongoing support to function properly, and that service aspect is a new feature for many devices. And I think these services will experience some growing pains in 2018 that’ll burden both manufacturers and consumers,” says Sean. “Vendors will want to phase out support for products that are just a couple of years old, which will result in early adopters of those products experiencing bugs and service outages. And vendors will likely respond to complaints by telling customers to upgrade or live with limited functionality, leaving early adopters feeling ripped off and let down by their smart devices and the companies that sell them.”
“Cyber centaurs – AI-empowered cyber security experts – will become state of the art in cyber security.”
Cyber security needs both people (cyber security experts) and machines (artificial intelligence) in order to keep up with today’s threats. And security providers are looking for ways to leverage the benefits of both in different ways.
A lot of AI efforts focus on increasing automation or improving traditional security methods (such as signature-based recognition of threats). But Matti Aksela, head of F-Secure’s Artificial Intelligence Center of Excellence, thinks that AI’s potential is much more transformative when combined with human expertise, and that we’ll see examples of this in 2018.
“The challenge of AI approaches is that it is often hard to truly understand the problems you need to solve without having a high level of domain knowledge. We can address that by working together with cyber security experts, but also by using AI to augment and empower experts that have collected years or decades of data through their experiences,” explains Matti. “This coming year will see more cyber security applications that embody human expertise augmented through AI – people I like to think of as cyber centaurs. And perhaps most significantly, cyber centaurs will be able to use AI to improve their own speed and performance and accomplish even more complex tasks faster, leading to the application of AI in areas that many used to dismiss as too complicated or too impractical.”