By Denson Todd, Director of Cyber Risk Services, SSIC
2018 is a new era of security. Or is it? At the beginning of 2017, there was a sense that recent data breaches had finally launched cybersecurity into a boardroom conversation, giving the CISO a long overdue seat at the table. However, a brief search on 2018 predictions doesn’t reveal a new era of security. Instead, I found a list of status quo predictions that mirror previous years, including the continued rise of ransomware, expansion of Bitcoin, influence of state-sponsored attacks, etc.
Nothing new or surprising jumped out at me. If you took these predictions to your board, would the members care or understand? Instead, I propose a different approach – a risk-oriented view of 2018 that you can use to spur conversation with your leadership.
When it comes to cyber risk, here’s what I expect to see in 2018:
- Businesses within the manufacturing, healthcare, and utilities industries are most at risk for cyber attacks.
- That doesn’t mean other industries are “safe.” Businesses within finance and insurance and public administration still rank high on the risk index and can expect a steady pace of targeted industry attacks in the new year.
- Cyber espionage will increase across all industries.
- Crimeware will start to increase in the following industries: healthcare and social assistance, manufacturing, and public administration.
- Enterprise data breaches will not produce long-term financial impacts.
- Small businesses, on the other hand, will be significantly impacted by short-term reputational damage.
- Small businesses will increasingly seek cyber insurance to transfer cyber risk.
Now let’s drill down into each of the predictions above.
Looking at risk across industries
Despite industries like financial services and retail hogging the media spotlight, there are some underdog industries that actually appear to be carrying the majority of the (risk) weight.
In 2018, manufacturing, healthcare, and utilities will continue to rank among the top five industries at most risk for cyber attacks. Additionally, financial services, healthcare, and public administration can expect more cyber attacks in 2018.
Analyzing the attacks
When it comes to attack patterns, based on yearly averages, denial-of-service and web application attacks are at the top of the threat list with insider and privileged misuse and miscellaneous error following close in their wake. This also aligns with the industry findings above as healthcare, public administration, and finance industries are the ones most at risk from these specific types of attacks.
2017 data seems to indicate that web application attacks and denial of service across industries have steadily declined through the year. While cyber espionage is a hot topic in the news, it doesn’t rank among the top threat attack patterns for 2017. That being said, it does carry the most significant negative change from the beginning to the end of the year.
In 2018, expect to see an increase in cyber espionage across all industries. Additionally, I expect crimeware to increase in the following industries: healthcare, manufacturing, and public administration.
Who do breaches hurt the most?
I recently wrote a two-part blog series on data breaches and reputation damage and found that for enterprises, reputational damage from a data breach is actually insignificant when you look at the business over the next two to five years. While an enterprise may experience an extreme dip in value immediately following the public disclosure of a data breach, most large businesses manage to absorb the initial impact and potential change in consumer behavior until the market moves on and refocuses on the next “outrage du jour.” Enterprise data breaches in 2018 will not produce long-term financial impacts past one year from breach disclosure.
On the other hand, small businesses cannot absorb breach costs and will be significantly impacted by short-term reputational damage. As such, 2018 will see an increase in small businesses purchasing cyber-insurance policies to cover initial breach costs and/or service interruption, as well as sustain business in the short term post breach.
Pulling it all together
While 2018 may not be a new era of security, businesses seem to be realizing that not everything can be or should be remediated and are therefore looking for ways to transfer or offset their risk. Data breaches and interruption are particularly damaging to small businesses, which are now looking to adopt cyber-insurance policies to transfer risk.
For those who are curious, research related to industry and attack-pattern trends came from aggregating 2017 public research and intelligence feeds into the SSIC X-Analytics threat database. This database updates threat frequencies monthly based on incident counts reported in both public and proprietary research. Industry intelligence is updated across 21 industries and 110 attack scenarios using the VERIS incident recording methodology. All trends and predictions are based on the analysis of the SSIC monthly threat updates in 2017 with projected trend forecasts into 2018. For research related to reputational damage and data breach costs, please review my previous blog series on data breaches and reputation damage.