Cybersecurity is never far from the headlines, with news of data breaches and cyber attacks an almost daily occurrence.
In that respect, 2018 was much like many previous years, with a steady stream of stories revealing new cybercrime threats and malware attacks as well as highlighting the same old security weaknesses and system failures.
One of the biggest and most serious incidents of the year happened just last month when it was revealed that a security breach at the Marriott International hotel chain compromised the personal data of up to 500 million guests, including not only names, addresses, emails and credit card data, but potentially passport information too.
Marriott promised to pay to replace affected passports, something Fortune claimed could cost the company $36 billion – its entire market worth.
Other notable data breaches and cyber attacks this year included the Facebook Cambridge Analytica scandal, which saw the personal information of up to 87 million people improperly shared for the purposes of voter profiling; the Magecart hacking group attacks, which affected hundreds of thousands of customers of British Airways and Ticketmaster, among others; and the Dixons Carphone breach, which affected up to 10 million customers.
The scale of data breaches in 2018 has been so big that one journalist calculated that a billion people were affected in one thirty-day period in November-December alone – almost one in eight people on the entire planet.
What’s more, the cost of such breaches is going up. A study conducted by Ponemon Institute and sponsored by IBM Security earlier this year found that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from 2017.
But 2018 was also notable for the biggest data protection revolution in a generation – the EU’s General Data Protection Regulation, better known as the GDPR.
The introduction of the GDPR on May 25 received large amounts of publicity, much of which focused on the huge fines that could be levied against businesses and organisations found to be in breach of the regulation – up to €20 million (£17.4 million) or 4% of turnover, whichever is greater.
At the time of writing we have yet to see any significant enforcement action under the GDPR, but experts think it will only be a matter of time before serious fines are levied against notable offenders.
One of the most encouraging effects of the GDPR has been how it has prompted other governments to improve their own data protection regimes.
Countries like Israel and Brazil have amended their regulations to keep up with the GDPR, and this summer the US state of California passed the California Consumer Privacy Act, giving its citizens GDPR-like protections over their personal data.
Even if national information commissioners fail to follow through on the enforcement threats, at the very least the GDPR will have inspired more countries to up their data protection game, and that can’t be a bad thing.
Looking forward then, what trends can we expect in terms of cybersecurity in 2019?
First, I have no doubt that we will see more large-scale cyber attacks and data breaches, perhaps not on the same scale as the Marriott incident but significant enough to make global headlines.
We will also see more evidence of previous breaches emerge as businesses and organisations audit their own systems and processes in light of tougher regulation such as the GDPR.
Talking of the GDPR, I think we will see more national and state governments adopting similarly stringent regulations in their own jurisdictions, not only to ensure they keep up with international developments but also because of pressure from their own citizens demanding better protections.
We should also expect to see at least one major business or organisation made an example of for breaching the GDPR with a significant fine; if this does not happen within a year of the GDPR’s introduction people will rightly begin to ask questions about its efficacy.
McAfee’s recent Threats Predictions Report identified a number of cybersecurity trends to look out for in 2019.
One of the most concerning predictions is that we will see more collaborations and partnerships between cybercriminal groups, creating fewer but stronger “malware-as-a-service families” that will increasingly work together.
Another is that 2019 will bring a “significant increase” in attacks on corporate data in the cloud as a result of the growth of software-as-a-service systems like Office 365. McAfee says this will include phishing attacks and attempts to compromise email.
Forbes recently published its own list of 60 predictions from experts in the field. Many of these focused on so-called “next-gen” threats involving artificial intelligence and machine learning, which, it was predicted, would continue to develop and grow in sophistication, leading to an “arms race” between attackers and defenders.
The proliferation of connected devices, the growth in use of the cloud and the implementation of 5G technology would all represent new areas for hackers to exploit in 2019, it said.
It also warned that cyber breaches would start to have a serious impact on stock prices and consumer confidence.
The key message for businesses and organisations in Wales has to be that they must learn from the lessons of 2018.
No matter how good you think your cybersecurity is, it can always be improved. We know cyber attacks will increase in volume and sophistication, so if you are not being proactive in protecting yourself against them and constantly reviewing your defences, you stand to become a victim.