For once, one of the biggest cyber security stories of the year was entirely predictable.
Everyone knew that Europe’s General Data Protection Regulation (GDPR) would go into effect on May 25. And it did.
GDPR makes it clear that consumer data is always consumers’ data
Did all the preparations and emails and updates to terms and conditions pay off? That remains to be seen.
The first fines seem to be modest. But the establishment of this set of regulations casts a shadow on just about everything that comes with securing data.
This shadow comes not just from the potential consequences and costs for companies, but because it also places private information in a new context: the data that consumers share with businesses still belongs to the consumers.
“Some of these organizations and companies, they have been working in sort of a wild west era, and they have considered everything they find, every data they find to be their own and they have regarded it to be their right to use it as they see fit,” F-Secure’s Erik Andersen said on our Cyber Security Sauna podcast. “So they simply don’t get the point that it’s not their data.”
Protecting data isn’t just about securing your own devices and network. It’s about the trust consumers place in companies and the responsibilities companies have to consumers.
Of course, this has always been true. Now it’s essentially the law—at least in Europe.
With that in mind, let’s look at the biggest non-GDPR cyber security stories of 2018 that confirm just how much data matters.
Spectre/Meltdown ring in the New Year
January had barely begun when the Spectre and Meltdown vulnerabilities in chips manufactured by Intel, AMD, and ARM were first disclosed.
“In practical terms, the widespread use of the vulnerable chips means the issue affects nearly everyone,” F-Secure’s Adam Pilkey reported.
Almost a year later, attempts to mitigate these vulnerabilities are still “work-in-progress,” as fixes for the bugs have presented their own complications.
“Best advice for the security conscious, of course, is to keep patching,” TechRepublic’s James Sanders wrote.
No WannaCry or NotPetya sequels, as ransomware retreats
“You can’t just prepare for one kind of cyber attack” is a lesson our consultants always try to convey.
“If you take WannaCry and NotPetya, for example, no one was expecting those particular attacks,” Marko Buuri, Principal Risk Management Consultant at F-Secure, and Tuomo Makkonen, Principal Security Consultant, noted on the February 2018 episode of our Cyber Security Sauna podcast.
And few were expecting that ransomware, which dominated much of the 2017 cyber security news with two of the largest attacks in history, would recede in 2018, while still being a considerable threat, especially to businesses.
In May, our The Changing State of Ransomware report noted the “gold rush” around malware that holds files hostage to extort ransoms appeared to be over as other threats including cryptomining or cryptojacking were on the rise. By December, it was clear that the declining popularity of ransomware was one of the most notable infosec stories of the year.
The question to debate now is “What killed the gold rush?” so we can be ready if (and when) it begins again.
Breaches, breaches and more breaches
“Data is more valuable than ever, and trading it is so profitable that it makes companies take enormous risks when handling data of the users on their platforms,” F-Secure’s Laura Kankaala told Vice News.
The massive Marriott hack in late November was quickly followed by Quora announcing its own large-but-not-as-massive breach. Hacks that result in the compromise of data of millions of people are so common now that it’s difficult to keep track of them all – though regulators enforcing the GDPR likely are.
For instance, the largest breach in Facebook’s history was announced in October and it wasn’t even close to being the biggest Facebook news of the year. But that wasn’t great news for Facebook.
Facebook’s never-ending 2018
From the investigations in March revealing that Cambridge Analytica had used Facebook consumer data in violation of the site’s privacy policies to revelations in December that the site had not disclosed that it had offered partners including Amazon, Yahoo and Microsoft access to private consumer data including private messages, 2018 is certainly a year Mark Zuckerberg would like to forget.
Even reading a timeline of Facebook’s 2018 is exhausting.
You may be asking yourself if this data privacy story is truly a cyber security story. But as the GDPR reminds us, the protection of your data matters.
For many people, Facebook might as well be the internet. And the way they secure or don’t secure our private information has ramifications all over the digital world.
F-Secure expands and pwns some phones
At F-Secure, we obviously can’t think of cyber security without thinking of F-Secure.
This year we saw the biggest acquisition in our history with the purchase of MWR InfoSecurity, the world-class consultancy that produces the threat hunting platform Countercept and the phishing protection service Phisd.
The renowned MWR Labs consistently produces some of the best cyber security research in the world and again made international news this year during November’s Mobile Pwn2Own competition in Tokyo by identifying zero-day exploits in the Xiaomi Mi6 and Samsung Galaxy S9 smart phones.
We also participated in an international anti-fraud botnet takedown, launched F-Secure Rapid Detection & Response to back up companies fighting intruders, expanded our premium cyber security package TOTAL and tried to let everyone know that spam is back as the number one way to spread malware. Our hackers also discovered one flaw that could let anyone open hotel rooms around the world and another that allows for a new way to physically hack into PCs.
Oh, and we also celebrated our 30th anniversary. Not bad for 365 days.