Aon presents the "Cybersecurity Predictions Report 2018": 8 new features

Highlighting the top global trends that will most affect companies' business during this year.

According to the 2018 edition of the Cybersecurity Predictions Report produced by Aon's Cyber Solutions specialists, the growing threat of cyber attacks on every aspect of the business, and its growth in terms of recurrence and scope, will force companies to implement new measures to address cyber risk "holistically", fully integrating them into risk management policies.

The Cybersecurity Predictions Report 2018 indicates what the significant changes will be, deriving precisely from the increase in the size and impact of cyber attacks, associated with the greater responsibility that companies are called to assume in the cyber security field.

Main highlights of the “Cybersecurity Predictions Report 2018”:

  • Companies will take out 'stand-alone' insurance policies, as Boards of Directors and executives become more aware of their responsibilities in the cyber field as well.

As board members and executives experience first-hand the impact of cyber attacks, including for example reduced profits, business disruption, and lawsuits against directors and managers, companies will increasingly resort to tailor-made insurance policies against cyber risk, rather than relying on silent components of other policies. Furthermore, the adoption of cyber policies will extend well beyond the sectors in which they were traditionally made – such as retail, financial and healthcare – and will involve other sectors vulnerable to business disruption caused by cyber-related problems, such as manufacturing, transportation, utilities and oil.

  • Chief Risk Officers to take central role in managing cyber risk, which will increasingly be treated as a business risk as the real and digital worlds converge.

As advanced cyber attacks generate real-world consequences, with an increasing impact on business operations, senior executives will be more aware of the relevance of cyber risk. In 2018, CROs are expected to become involved in managing cyber issues, working closely with Chief Information Security Officers (CISOs), to help organizations understand the impact of cyber risk on business.

  • The attention of the Authorities is widening to increasingly complex dynamics, generating requests for harmonization. The European Union asks international companies to report any violations of the General Data Protection Regulation (GDPR); in the US, big data aggregators will be audited.

In 2018, the Authorities at international, national and local level will apply the existing regulations on cyber security more strictly and will increase the pressure on companies to enforce the rules, also introducing new ones. In the future, European authorities are expected to hold major US and global companies to account for violations of the GDPR. Across the Atlantic, 'big data' companies (whether they collect or sell it) will be subject to scrutiny on how they collect, use and protect data. Under the weight of growing regulatory pressures, industry organizations will ask authorities to harmonize various cyber security regulations.

  • Hackers are ready to attack businesses active in the Internet of Things (IoT), especially small and medium-sized enterprises that provide services to global companies.

In 2018, global businesses will face increased complexity in their use of the Internet of Things, relating to third-party risk management. The Report predicts that large enterprises will be hit and challenged by attacks directed against their small suppliers or contractors, which will target the IoT to penetrate their networks. This will be a wake-up call: on the one hand it will lead corporates to review their approach to third-party risk management and, on the other, it will push small and medium-sized enterprises to implement better security measures so as not to lose business.

  • The continued cracking of passwords and the bypassing of biometric recognition systems will increase the importance of multifactor authentication systems.

Beyond passwords, companies are introducing new methods of authentication – from facial recognition to fingerprints. However, these technologies are still vulnerable and, for this reason, the Aon Report predicts that a new wave of companies will adopt multifactor authentication to counter the assault on passwords and attacks against biometric systems. People will then have to provide multiple pieces of information to the authentication device. An increasing use of behavioral biometrics is therefore expected.

  • Hackers will target transactions that use loyalty points as currency, thus stimulating the widespread use of 'bug bounty' programs, i.e. reward programs promoted by companies dedicated to anyone who tracks down and reports system or device vulnerabilities.

Companies outside the technology, government, automotive and financial services sectors will also introduce 'bug bounty' platforms into their security systems. As criminals target transactions using loyalty points as currency, businesses whose loyalty programs offer rewards – such as airlines, retailers and hotel chains – will contribute to the new wave of 'bug bounty' program adoptions. As new companies adopt these programs, the support of external experts will be sought, to avoid the emergence of new risks due to improper configuration of the programs.

  • Ransomware attacks will become more targeted; cryptocurrencies will contribute to the expansion of ransomware.

In 2018, ransomware attackers will change their tactics. The Report indicates that hackers, using various forms of “benign” malware – such as software designed to launch DDoS (Distributed Denial of Service) attacks (attacks on company servers that make an organization's services, data or resources unavailable for a certain period of time) or to spread advertising on thousands of systems – will cause massive waves of ransomware attacks. While "carpet" attacks meant to hit as many systems as possible will continue, the Report also estimates an increase in attacks targeted at specific companies and aimed at demanding ransom payments proportional to the value of the encrypted assets. Cryptocurrencies will continue to support the development of ransomware, despite an increased ability of law enforcement agencies to track attacks, for example through bitcoin wallets.

  • 'Insider risk' threatens companies, which underestimate their vulnerability, while major attacks go completely undetected.

Companies did not invest enough in proactive strategies to mitigate internal risks in 2017 and this phenomenon will repeat itself in 2018. According to the Aon Report, the lack of training in the field of security and technical controls, combined with new working trends (smart working, external consultants, freelancers), will mean that the real extent of attacks and cyber problems caused by workers will not be in the public domain. Many companies will continue to respond reactively to incidents 'behind closed doors' and remain unaware of the true cost and impact of 'insider risk' on their organization.

Jason J. Hogg, CEO of Aon Cyber Solutions, said: “In 2017, cyber-attackers created significant damage using different levers, from phishing that influenced electoral campaigns, to 'ransomware cryptoworms' that infiltrated systems on a global scale. In 2018 companies will be increasingly exposed to cyber risk, given the increased use of technologies and the growing value of intangible assets. It will therefore be necessary to adopt an integrated approach to cyber security, both within the corporate culture and risk management policies, which makes it possible to assess and mitigate risk in all company functions”.

Enrico Vanin, CEO of Aon SpA and Aon Hewitt Risk&Consulting, commented: “In Italy, most companies are aware of the impact of cyber attacks on business, but there are still few virtuous ones that have already adopted adequate strategies for risk assessment and transfer to the insurance market. The GDPR, which will enter into force in May, with its implications on data protection responsibility, will be the tool that to a certain extent will require companies to assess their vulnerability and to define the adoption of a shared cyber risk policy management. On the other hand, the insurance market is called upon to respond to new needs by developing new products and solutions”.