TSC looks back at information security in 2019

An infosec review of 2019.

Lauren Groom looks back over the infosec year and the five key lessons we learned going in to 2020

Throughout 2019 we saw high profile information security incidents and events, from accidental data breaches to ransomware. The threat to Internet of Things (IoT) devices has continued to increase, and phishing scams have become even more sophisticated.

So as 2019 is behind us we take stock of the threat landscape and prepare to build a safer world in 2020.

Ransomware

After the crippling NotPetya and WannaCry attacks in 2017, ransomware attacks seemed to wane in popularity. But ransomware regained momentum in 2019, with attacks wreaking havoc among hospitals, educational institutions and corporations.

In the US, ransomware was used in more than 70 attacks on entire towns and cities, but a bigger cause for concern arose when some victims agreed to pay the ransoms. In June, for example, two cities in Florida paid a total of around £867,000 to their attackers.

Business email compromise attacks

Years of security awareness campaigns have opened our eyes to phishing emails. But this increased awareness has forced cybercriminals to change their tactics.

In 2019, more sophisticated social engineering attacks reared their heads. Business email compromise (BEC) has been especially prominent, with reports showing a huge rise in the number of attacks.

It’s no surprise – BEC attacks offer big money if they’re convincing enough. This year, an employee at Nikkei America was tricked into sending $29 million to a malicious third party, while the Toyota Boshoku Corporation suffered a BEC attack that could cost the company £30 million to resolve.

As well as BEC, cybercriminals are using technological advancements to make their attacks more convincing. In September, for example, cybercriminals reportedly used artificial intelligence (AI) software to mimic a chief executive’s voice and trick another CEO into transferring £200,000 to a fake supplier.

Internet of Things

The upward trend in the use of Internet of Things (IoT) devices continued in 2019 and, unsurprisingly, so did the number of attacks.

Kaspersky detected 105 million attacks on IoT devices in the first half of 2019 alone, nine times more than the 12 million detected in the first half of 2018.

In April, the European Commission ordered the recall of a children’s smartwatch due to security flaws that could allow a third party to access information, track a child’s location or communicate with them.

In September, researchers at Trend Micro discovered that cybercriminals were increasingly discussing how to hack internet-connected fuel pumps.

And in November, a Japanese hotel chain was reportedly forced to modify in-room amenity robots to prevent the devices from being used to eavesdrop on guests.

Data breaches and fines

We marked the first anniversary of GDPR in May 2019, and GDPR fines are beginning to trickle through.

In January, Google was fined £44 million for breaching GDPR due to a ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’.

And the fines got bigger, as the companies behind two high-profile data breaches, British Airways and Marriott International, faced fines of £183.39 million and £99,200,396 respectively for huge data breaches.

Lessons learnt

The events of 2019 can teach us lessons that will help shape our information security awareness programmes going forward.

1. Don’t pay the ransom

   If victims pay ransomware demands, attackers will continue to attack. While you can’t control what other organisations do, you can build up your own defences.
   
   We can’t overstate the importance of regular back up procedures and adequate breach responses, which can help protect you if the worst happens.

   
   

2. Create targetted awareness campaigns

   The increase in targeted phishing attacks calls for targeted awareness programs. It’s also more important than ever that executives are included in these campaigns.
   
   If you need a steer, talk to us about creating effective awareness campaigns for all employees, from office personnel to high-risk users.

   
   

3. Don’t be fooled

   As cybercriminals utilise technology to look and sound even more convincing, we all need to be alert to suspicious requests and behaviour.
   
   You can’t rely on the fact that a request seems to be from somebody you know – it’s crucial that everybody thinks carefully, listens to their intuitions if they have suspicions, and follows authentication procedures.

   
   

4. Be IoT savvy

   If you create connected devices, privacy-by-design should be a top priority. And if you use connected devices at work or home, make sure they are adequately protected before you start using them.
   
   Most importantly, everybody needs to protect their devices with strong, unique passwords and multi-factor authentication, and devices must be kept updated with the latest security patches and anti-virus protection.

   
   

5. Don’t forget GDPR

   May 2020 will mark two years since the introduction of GDPR. For those of us in the UK, it will remain law regardless of our EU membership.
   
   Some of the initial GDPR panic will have abated by then, but we can’t afford to lose momentum.
   
   Make sure everybody in your organisation is regularly reminded of their rights and responsibilities under GDPR, and always ensure personal data is kept secure.

And that’s a wrap!

All that’s left to say is have a very happy New Year and we look forward to building a safer world together in 2020.