Business need to cope with an ever-growing volume of data, and the looming 2020 rollout of 5G, as well as cybersecurity issues – each of which is a key economic driver. Trend Micro have analysed many of the issues in a new report headed “Mapping the Future: Dealing with Pervasive and Persistent Threats.”
To understand more about the implications of these trends upon businesses, Digital Journal spoke with Greg Young, VP for Cybersecurity at Trend Micro.
Digital Journal: Which business technologies that kicked off in 2018 are set to grow in 2019?
Greg Young: The big trends in security for 2019 that started last year are all around – Machine Learning (ML) but especially in Artificial Intelligence (AI) technology. ML & AI became more prevalent in cybersecurity defenses and made some attacks more difficult for criminals, such as ransomware or emails with malicious attachments.
Trend Micro predicts that attacks will continue to grow in 2019 with attackers however opting for tried and true methods. This includes leveraging stolen credentials, known vulnerabilities, and phishing.
Currently there is little motivation for attackers to find significantly new business models because the old ways still work and continue to be lucrative. For the bad guys, why invest in new tech when the old stuff can be applied to new targets.
DJ: Will we see the same number of cyber threats?
Young: The number of attacks via cyber will rise in 2019, with BEC (business email compromise) at the forefront. BEC is the “big phish” when an attacker uses targeted efforts of social engineering to go after business execs, often tricking staff into a wire transfer or gaining credentials to do other attacks.
In a recent Trend Micro year-end review report on BEC in 2018, BEC losses were recorded to be upwards of $12 billion. There is no slowing down for BEC attacks in 2019; we can realistically expect to exceed $15 billion in collective global losses. The payouts for BEC are so significant compared to Ransonware that we expect this to be the most significant area of attack growth.
Other phishing attacks will also be on the rise as well for both consumers and employees. All types, including emails, phone and texts and hybrid attacks involving multiple methods.
DJ: Which technologies in particular can address cybersecurity risks?
Young: New AI/ML technology has incredible power in cybersecurity solutions and has made many attacks more difficult for criminals, such as ransomware or emails with malicious attachments. For example, using writing style analysis via ML/AI a lot of BEC can be easily spotted. But beware of ‘AI-washing’ and make sure that what you think is an advanced AI security solution is not just some basic analytics with an AI label applied. I encourage tech and security leaders to educate themselves on the features of ML and the predictive elements of AI to better understand what solution could be best.
DJ: Does the rise in home working present a specific cyber risk?
Young: Yes, remote working has risks but not from surprising vectors. Home networks in work-from-home scenarios will open enterprises to BYOD-like security risks: they often aren’t as well locked down as the ones in the corporate office. Enterprise IT will observe more and more attacks where the entry points are employees’ internet-connected home devices. This is the unexpected but inevitable intersection of two trends: the rise of remote-working arrangements and the increasing adoption of smart devices in the home. The Internet of Things you have at home are an additional vector.
Home networks typically have printers and access storage devices that employees find convenient for work as well as for home use, resulting in a mixed-use (i.e., personal and business) scenario. Unfortunately, in terms of security, this means that every unsecured device on an employee’s home network will be a potential entry point for attackers into the enterprise network, including poorly locked down cloud storage.
DJ: What can be done to minimize this risk?
Young: Overall, the two activities with the greatest impact are patching and backing up. Keeping patches up to date is similar to but more complex than what we’ve seen when we get update requests on our laptops and phones. More specifically to home workers, enterprises need to equip and secure them as if they were part of the business, not some outlier or exception cases. And that extends to the helpdesk, to acknowledge the realities of homeworkers trying to connect and be secure. Don’t leave teleworkers stranded otherwise they’ll still find ways to get their work done, just not securely: “The VPN isn’t working for my Mac, I’ll guess I’ll just use my Dropbox”. Better security monitoring on devices for remote users helps.
DJ: Will email be subject to new security risks?
Young: Trend Micro’s 2019 Security Predictions Report heavily focuses on the continued increase in phishing attacks. Email and text phishing attacks are both prevalent for consumers and employees. All types of phishing emails are on the rise – whether they include a malicious link or attachment, or BEC attacks that are just text.
DJ: What other concerns are there for enterprises?
Young: The year of 2019 will introduce more unknowns in the cyber threat landscape, reinforcing the need for a multilayered approach to cybersecurity. New and existing attack surfaces must be secured across the enterprise network to ensure the best protection.
Additionally, Trend Micro predicts that we will see more major data breach cases that will be a direct result of misconfigurations during migration to the cloud. During that “lift and shift”, of transitioning on-premise or private cloud data to a cloud service provider can open up the enterprise to security risks unless the enterprise has a good handle on what exactly is happening to its data. Access policies must therefore be well understood, well implemented, and well maintained throughout the bucket’s use. There’s a lot of configuration options that aren’t part of an on-premise environ.
In a follow-up interview, Greg Young tells Digital Journal about data privacy issues facing businesses. See: “Q&A: Businesses need to prepare for data privacy challenges.”
