NCC Group launches predictions for 2019

NCC Group has revealed its predictions for 2019 after asking its experts for their opinions on next year’s key cyber security trends.

Following a year in which data breaches and security threats continued to plague organisations worldwide, the global cyber security and risk mitigation expert has predicted increased scrutiny over third-parties and supply chains, financial ruin as a result of regulatory fines, publicly visible hacks of IoT devices and increasingly prominent state-sponsored attacks in 2019.

The full list of NCC Group’s predictions for 2019 is as follows:

1. Vendors and third-parties prove their worth

In 2017, we predicted that the NotPetya ransomware attack would convince organisations to conduct more in-depth due diligence before allowing external persons to routinely access their networks in 2018. As the number of data breaches continues to rise in 2019, third-parties will be under even more scrutiny as potential weak links in an organisation’s cyber security chain.

In the wake of this year’s Cambridge Analytica scandal, major tech organisations have already begun granularly reviewing their third-party data sharing policies. In 2019, we expect businesses of all sizes worldwide to seek more assurances and risk assessments from their partners and suppliers, driven by continued reports of hackers infiltrating companies through their supply chains.

As the threat of GDPR fines raises the stakes of a breach, some organisations will even try to shift the blame and responsibility for post-breach remediation to a third-party. Security vendors will be an easy target, making it crucial that they can clearly evidence the real-world efficacy of their solutions and products.

2. Post-breach fallout causes financial peril

After months of build-up, GDPR was finally implemented in May this year.

With the regulation now firmly in place and enforced, the financial consequences of a data breach will no doubt be more ruinous for businesses than ever before. For example, estimates suggest that some of the first businesses to suffer a major breach under GDPR could be fined millions next year.

But 2019 will prove that the cost of a breach goes beyond regulatory fines. Reputational damage, claims for compensation and a subsequent loss of earnings represent just a few of the additional negative consequences of a breach and, when combined with a crippling fine under GDPR, its plausible that at least one organisation will be bankrupted as a result of post-breach fallout.

With this in mind, all eyes will be on breaches occurring in early 2019 as case studies for the ‘true cost’ of GDPR. Next year, compromised businesses may have to contend with fines, pay-outs to customers who suffered as a result of stolen personal or financial details, and even lawsuits.

3. State-sponsored attacks have public impact

Cyber crime entered the global political arena with a bang this year, as Britain and the US accused the GRU, Russia’s military intelligence agency, of multiple cyber attacks carried out between 2015 and 2017. In September 2018, the US responded by announcing that it had granted its Defence Department greater authority to penetrate foreign networks to deter hacks on US systems.

As state-sponsored attacks become increasingly prominent in 2019, it’s likely that other countries will announce offensive cyber capabilities. We predict that governments worldwide will announce a spate of task forces, initiatives and increased defence funding in the cyber security sector – especially those that do not currently enable their military and intelligence services to hack other nations.

As global powers test their offensive cyber capabilities against each other, both localised and critical national infrastructures will be targeted. At least one attack will have a clear, publicly visible impact and may even result in the first loss of life directly attributable to a cyber attack.

4. Smart cities’ attack surfaces grow

The nationwide rollout of 5G in the UK will bring an unprecedented level of high-speed connectivity to urban environments in 2019, paving the way for the growth of smart cities in Europe and further afield.

But security flaws in the technology underpinning their design will be revealed, exposing smart cities as potential hotbeds for hacking activity.

Self-driving cars, cameras, laser sensors and other connected elements will all become targets for cyber attacks, giving malicious actors almost unlimited potential to compromise personal data and even cause physical accidents.

5. Malware attacks hit mobile and IoT harder

Cyber criminals have shifted their focus from servers and desktops. Mobile and Internet of Things (IoT) devices have become key targets and, due to their increasing divergence, ownership and use by today's consumers, this trend will only continue apace.

As far back as 2017, we warned that security within the IoT was below par and, left unchecked, attackers will take advantage of existing and new vulnerabilities to infect devices with malware in 2019.

We could see an increase in hacking existing app developers for malicious intent, rather than creating rogue app stores containing infected apps. This could enable criminals to push their malware through legitimate-looking app updates, potentially infecting hundreds of thousands of mobile and IoT devices in one action.

To secure the future of both industries, mobile and IoT manufacturers must increasingly work closely with the security industry to secure product development life cycles in 2019, before hackers seize control.

6. Hackers get in the driving seat of connected vehicles

With over half of new vehicles expected to be connected by 2020, 2019 will be a crucial year for automotive cyber security. The modern car has 100 million lines of code, offering a huge attack surface. Minor misconfigurations in an IoT vehicle's onboard software, underlying systems or products can all leave it vulnerable to a malicious attack.

But next year, vulnerabilities in the supply chain will be exploited, leading to the first publicly visible successful hack of a connected vehicle. If a telematics service provider or similar is compromised, we could witness the first infotainment-based ransomware attack, preventing a vehicle from starting or claiming that its safety-critical functionality has been disabled and demanding money to fix the problem.

Worse, the interconnectivity of the automotive sector means that hackers will only need to exploit one supplier to potentially reach entire fleets of vehicles. Research will show that vehicle to vehicle communication technologies could facilitate the propagation of malware between vehicles, exacerbating the problem even further.

7. IoT security legislation tightens in the public interest

The security of IoT devices will be more closely regulated than ever before in 2019.

This year, several IoT technology firms began committing to the Secure by Design code of practice, developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) to tackle security vulnerabilities in connected devices.

But as more and more people bring connected devices into their homes and workplaces, a major hack will become public knowledge, leading consumers and businesses alike to call for watertight IoT security to be written into legislation.

Savvy IoT device manufacturers will turn this to their advantage by increasingly seeking third-party validation of the security of their products, and highlighting this in their marketing.