A year of scares and big headlines ends. Cybersecurity is more present than ever in the minds of users. It has been a difficult year, but from now on we are more aware that we have an open front.
The danger zone is situated between our electronic devices and the Internet connection. The users, each one of us, are in that fight against cybercrime. We must take certain actions as part of our way of interacting in the digital world. This is the only way to keep safe the most precious thing we have: our privacy.
Because what is coming is not good. We asked three experts in technology and cybersecurity about cybersecurity trends in 2018: Tamara Hueso, senior security analyst at Deloitte; Captain Alberto Redondo of the Technological Crimes Group of the Civil Guard UTPJ; and David Bonilla, CEO of Comalatech and author of the Bonilista newsletter.
Tamara Hueso, senior security analyst at Deloitte:
“It wasn’t a year in which there were more attacks.”
2017 will be remembered for many things; among them, ransomware attacks became one of the main threats of the year, according to Europol. Do you think there will be panic again due to attacks of this type in 2018? Were these attacks more regular than expected?
I think that 2017 will be remembered as a year full of ransomware attacks, such as WannaCry or Petya. But it has not been a year in which there have been more attacks.
What has really happened is that this type of attack has become known, and has been reported and recognized by the companies that have been attacked. And I tell you this because attacks of this type occur every day. Now with the new law that obliges us to recognize and inform clients of this type of events, we will hear about them more often.
Cyber-activism has been another challenge we have faced this year. There has been talk of election hacks or the leaking of information from emails of politicians to influence public opinion. Can we trust the upcoming electoral processes?
I think this is getting into politics, but I think that although there are no computer systems by which the vote is exercised, corruption will always exist. Nowadays you cannot trust anything.
The scam has always existed: fake ballots or hacks of the electoral systems, it is the same but with a different system. Having a secure electronic voting system would be a great advance, but that costs a lot of money.
In 2017 we talked about the Internet of Things, which means the objects with an Internet connection that are able to collect personal information. For example, the famous Roomba vacuum cleaners. Can users do something to protect themselves?
The end user of these systems believes that they have little to do to protect themselves, since the security of the devices must come from the factory or series. As there is nothing 100% secure, the user should be aware of new updates or patches for those devices.
Another way to protect yourself is not to give information that those devices do not require. For example, you have a Smart TV and it asks for permission to access your location. Does a television need to know where it is located? No. You have to be aware that information is very valuable at this time, and you don’t have to provide information that is not needed.
The news of cybersecurity has the characteristic of being negative: they put us on notice of the dangers. Is there any positive information?
The news in general is always bad, as negative news is more striking. But of course, good things are done. Every day there are many people working against these cybercriminals. Just as there are people trying to attack, there are also others defending.
As I said before, 100% security does not exist; there can always be a breach that cybercriminals can use to violate a system. But it is very important to be prepared for when there is such an attack and to try to secure systems properly. And if there are no more attacks, it is because there are many people behind securing the systems.
Captain Alberto Redondo from the Technological Crime Group of the UTPJ Civil Guard:
“The use of cryptocurrencies as a means of payment in the field of cybercrime will tend to consolidate against other money remittance platforms.”
Taking into account the most reported technological crimes in 2017, what awaits users in 2018?
On the one hand, the consolidation of trends that have been developing during the year 2017 will be a reality, and on the other hand, there will be new emerging threats during 2018.
Classic crimes such as online scams are expected to follow the same trend and even increase, due to an increasing number of online transactions and buy-sell operations of all types of services and platforms in the network. Moreover, the following should be highlighted:
- All indications show that APT attacks will be more complex and dedicated. In the same line, the ransomware malware infection will continue evolving and adapting to the successive detection measures.
- The increase in possibilities and capabilities associated with mobile devices will cause greater risks, with these platforms being a priority target for cybercriminals. The infection of these devices with Trojans and ransomware malware will gradually adapt to the security measures imposed by users.
- The use of cryptocurrencies as a means of payment in the field of cybercrime will tend to consolidate against other money remittance platforms.
- The emergence of IoT is foreseen, so attacks on these devices, either as targets of compromise or as intermediate platforms for other attacks (e.g. DDoS), will increase.
- Cyber-espionage actions, consisting of cyber attacks originating or sponsored by States, will continue to be present, always with the intention of appropriating sensitive or valuable information from a strategic, security or economic point of view.
- The increasingly standardized use of the Deep Web, and especially access to the Dark Net, will make it easier for users to access certain tools and illicit content, or to outsource to cybercrime specialists (crime as a service).
- Deception through social engineering over the Internet is going to become more and more refined and elaborate, especially in the commission of scams like BEC (Business Email Compromise). A greater incidence is expected in its specific variant of fraud directed at the CEO.
This year there has been a lot of talk about the lack of professionals in cybersecurity, both in the public and private sectors, and that will increase the demand for their services. Do you expect to increase the number of employees?
According to the National Cybersecurity Strategy, one of the priorities of the Spanish State is to promote the development of Research Units in the field of Cybercrime. The increase in staffing and the allocation of resources for the recently created Information, Research and Cybercrime Command is expected, but everything will depend on the items assigned by the budgets to be approved.
Recently, a report prepared in the United States announced that cybercrime is more concerning for citizens than traditional crime. Is this true in Spain or are we expected to find that in the coming months?
Obviously we are talking about a permanent risk where, thanks to the different awareness campaigns and users’ own experience, citizens are increasingly aware of the dangers of the network directly linked to cybercrime. However, there is still a long way to go in this matter.
Do you believe that with the new European Data Protection Act (which will begin to take effect on May 25, 2018), companies and users will be more aware of the importance of data and privacy?
The application of this regulation introduces new elements, such as the right to be forgotten and the right to portability, which improve the decision-making and control capacity of citizens over the data they entrust to third parties. With all this we expect a greater awareness in the matter.
Perhaps the companies have a greater commitment, although it does not have to materialize in a greater burden. In many cases it will only be a different way of managing the data, which will give continuity to or replace other existing measures (e.g. security measures, documentation obligation …). To give an efficient response to the demands of the regulation, it will be convenient for companies to carry out their own risk analysis in order to determine the measures to be implemented and thus be able to assess the changes.
What will citizens have to do in 2018 to facilitate the work of the Telematics Crimes Group of the Civil Guard?
In the first place, the first measure that must be taken to favor our work is the awareness itself. Be aware of the risks inherent in new technologies and “not facilitate the work” of cybercriminals. In most cases, just a little common sense and think: what you wouldn’t do in the real world, don’t do it in the virtual.
Once you have been a victim of a crime on the network, keep any kind of clue that will help us identify the author (screenshots, fraudulent URLs, headers of the emails exchanged …), and go to the nearest barracks to file the corresponding complaint.
David Bonilla, CEO of Comalatech and author of the Bonilista newsletter:
“The information of our users is sacred. It does not matter if they value their privacy more or less. It is our responsibility as professionals to safeguard it.”
When developing a digital product, what priority does security have if you had to rate it from 1 to 5?
It depends on the function to be developed by that application and, above all, the data of the users that it will manage. In any case, no less than a 4.
The information of our users is sacred. It does not matter if they value their privacy more or less. It is our responsibility as professionals to safeguard it.
Will we need more global attacks next year (Wannacry or Petya type) to think of security as an added value to the business and as a responsibility (and obligation in some cases)?
Probably, at least in large corporations and administrations.
No network is 100% secure, there is no application without bugs – anyone who claims otherwise is lying or does not know what they are talking about – but completely ignoring security and not implementing a series of good basic practices is reckless. Unfortunately, some don’t see it that way until it’s too late.
Have we learned from the Lexnet Case or do you think we will see another disaster, especially in the public institutions in 2018?
If we rely on the statements of public officials, we have not learned anything. Not only do we still lack a common policy of responsible disclosure of vulnerabilities for Public Administrations, but they also prosecute security experts who find failures in them.
It is normal that the Administrations are always behind when it comes to new technologies, but it is very sad that in our country they are SO far behind.
What would you say to a person who is not very convinced about protecting their company and asks you for advice?
If that person trusts me, I will tell them to invest a bit of their time to be trained in the subject. Once you know the risks and benefits a bit, I am sure you will convince yourself.
As entrepreneurs, we shouldn’t become experts in security, but rather know how the challenges and opportunities presented can affect our business.
Hacked elections; global epidemics of ransomware; vacuum robots (IoT in general) that collect personal information; attacks on critical infrastructures … what scenario do you think will occupy more headlines next year?
I think the main topic is going to be privacy and intimacy. Ordinary people are increasingly aware not only of the huge amount of personal information that companies are collecting, in which users are the product to be sold (Google, Facebook), but also of the power that, for better or for worse, that information has.
If they are not worried about what is happening, it is because they are ignoring it.