Malaika Nicholas, Wednesday, March 13, 2019
2018 ended with two massive data breaches.
“A malicious third party” gained access to Quora’s systems and compromised the account data of nearly 100 million users. A week prior, hackers breached Marriott’s Starwood Hotels reservation database, compromising names, mailing addresses, phone numbers, email addresses, passport numbers, and other information for about 327 million customers.
Marriott and Quora join other 2018 data breach targets including British Airways, T-Mobile, Ticketfly, and Orbitz. Although you may have heard about these massive data breaches in the news, cybersecurity breaches occur more often than you may think.
According to Verizon’s 2018 Data Breach Investigations Report, there were over 53,000 security incidents and 2,216 confirmed data breaches. Moreover, 58% of data breach victims are categorized as small businesses.
In 2019, will we see more massive data breaches? Are there any emerging technologies and other forms of risk management that can help protect consumers and businesses from becoming a cyber attack victim or mitigate losses that result from a data breach?
. . . . .
Malaika: Now that we’re entering 2019 and ending on a note where massive data breaches are occurring, do you have any bold predictions on what we can expect for 2019, or any trends we can expect?
John Curran: Number one, I have no reason to believe that the causes of incidents–whether you’re talking about malicious insiders, ransomware attacks, or other forms of exploitation–will diminish this year. One form of attack or another may increase or decrease over the short-term, but over the long-term the number and severity of risk factors – and the delta between the “attack surface” versus the level of preparation and detection by most firms – is expected to increase indefinitely. An example of a particular kind of attack that we saw a lot of last year, which we expect to increase this coming year, is Business Email Compromise.
I think you’ll also see an increase in the amount of money companies are projected to spend on cybersecurity over the next year, and especially over the medium-term. Total cybersecurity spending is already estimated to be $80-100 billion, and that number is expected to basically double over the next five years.
In terms of related trends, one thing that’s developing, and it’s for good reason, is the use of machine learning for detecting breaches and other unauthorized activities in your environment. You’ll see increasing trends towards the use of machine learning techniques and away from the more signature-based analysis that’s traditionally dominated the “managed security” services industry. While there is a huge difference in the quality of these solutions, I think that’s a positive trend overall.
The last thing I’ll mention is breach insurance coverage, which differs from traditional forms of corporate insurance. But I think one of the trends you’ll see–and I’m a big advocate of it–is that companies of all sizes and in every industry will begin to increase their coverage, and, with that, their information security due diligence, including things like breach readiness assessments and network penetration testing. Cybersecurity is not a simple set of “best practices” – it requires an active mindset and continuous improvement – and I think that commercial litigation and breach insurance due diligence will (hopefully) act as drivers in terms of general awareness, early detection, and overall risk mitigation.
. . . . .