The 5 Biggest Cyber-Security Challenges in 2019

As we become more digitally connected, the more vulnerable we are becoming. Anything that is connected is a target. The number of breaches in 2018 reached staggering proportions. With a multitude of new attack vectors, 2019 promises to be worse. Here are 5 threats you need to know.

Cyber-criminals are increasingly using sophisticated tools – including Artificial Intelligence – to troll the web for information that corporations and employees are inadvertently posting on their social media sites. This information will likely become a new threat vector in the new year where this information is exploited in phishing and spear-phishing attacks.

Questions you should be asking are:

• What is our social media threat profile?
  
• Who is monitoring it?
  
• What tools are available for such monitoring?
  
• What are our social media use policies? How do we implement them?

As corporations continue to harden their own perimeters and attack surfaces, criminals are increasingly looking at the vulnerable supply chain where risks are not completely understood. Increasingly, the vendors in that supply chain will be regarded as part of the company’s own vulnerability and risk profile. Criminals will increasingly exploit the supply chain to gain access to critical information about corporations.

Questions you should be asking are:

• What sensitive information am I sharing with my vendors?
  
• How do I assess the risk of each vendor?
  
• What tools and services can I use to effectively control the threats posed by such a risk?

The proliferation of cheap and insecure devices that comprise the Internet of Things (IoT), coupled with the legacy systems that control our Infrastructure, are combining to create a perfect storm in the New Year. Ransomware is likely to be higher as criminals hold companies, cities and even countries hostage as they take over and compromise such systems. Attribution will be very difficult thus providing cover to criminals and nation states.

Questions you should be asking are:

• How are IoT and infrastructure devices impacting my risk?
  
• Who is managing and controlling those threats?
  
• What are the remediation protocols and policies that will help me control breaches?

As we understand the limitations of passwords and identity management moves increasingly to the cloud, mobile device authentication is likely to explode. At least initially, expect some of this transition to be exploited, particularly where insecure approaches are used. Facial recognition and biometrics are still undergoing rapid development and have not reached a true trusted-state.

Questions you should be asking are:

• How will I control access and authentication across a myriad of devices, almost all connected to the internet, and with a varying degree of trust?
  
• What kind of biometric and MFA (multi-factor-authentication) solutions are appropriate for my environment?
  
• What cloud-based solutions will I use to allow access to sensitive information?

The most common attacks in the past year were exploits of zero-day threats where unpatched new vulnerabilities were used to compromise critical assets. In the case of "Polymorphic Attacks", the code used for the exploit changes rapidly and automatically to prevent effective management and remediation. In 2019, expect this to continue at a high rate. The high demand for software, complicated by the time pressures to be agile, result in many more undiscovered vulnerabilities.

Questions you should be asking are:

• What will I do if zero-day vulnerabilities are discovered for a mission-critical system? Will I take it offline? Or allow it to function, knowing that it may be compromised?
  
• Which security vendors and products will I trust for effective triage in case of polymorphic attacks?
  
• What is the status of my systems for known vulnerabilities? Who manages this?
  
• Do you have cyber-insurance?
  

There is no 100 per cent protection against cyber-attacks. However, you can reduce risks tremendously by constantly informing about new threats and questioning your security strategy.