2018, what actually happened then?

News and information from the Advent IM team.

You know we love to talk predictions at this time of year, as well as take a look over the shoulder at what happened…

Image courtesy of Sira Anamwong at FreeDigitalPhotos.net

Mike Gillespie – Advent IM Co Founder

Predicted and did not happen – GDPR did not cause the end of the world/humanity.

Not predicted – that December would see the news of some of the biggest data breaches, with lost records this month alone in the hundreds of millions. Is there anything left to lose??

Should happen but won’t – Businesses in 2019 align security strategy to business objectives, destroy the security silos, embrace neurodiversity, make security risk a business risk, take the talking spoon off the techies, reconnect with the information, reprogram thinking to respect and value their staff, fully understand the concept of defence in depth protecting information appropriately, build technical security solutions that are contextual and user supportive, write policies that are outcome based instead of rule based, introduce decent role based culture enhancing education, and stop getting breached.

Jason Barron – Security Consultant

Predicted but didn’t happen – The collapse of the IoT didn’t happen

There seemed to be a lot of indication that IoT devices would be hijacked and used for DDoS attacks and also provide a persistent threat to home networks.

Although I don’t believe this occurred on any grand scale (i.e. no major infrastructure shutdown or transport network disaster), my Alexa at home gives me Tourette’s! Just to be clear, that isn’t my wife’s name.

However, IoT is a significantly evolving space (smart meters) and has been for the last few years; it will inevitably attract all sorts of bobble-hatted wiggly amped miscreants that will do anything for a fiver (oh! and maybe some HFIS/criminals); generally, with less than honourable intentions. Watch out for next year!!

Should happen but won’t – Someone getting a hefty monetary slap in the face

Peter Daniel – Security Consultant

Insider threat (accidental or otherwise) will continue to contribute to the bulk of security breaches. No matter how fortified a system is, and how well it is aligned to industry best practice (ISO 27001, PCI DSS, HMG Security Policy Framework, etc.), it’s only as strong as the individual sitting in front of it. Whilst the advocacy of robust training mechanisms and awareness is of paramount importance, that avoids the question of a disgruntled and determined employee; the recent legal case with Morrisons is a key example of this…

Disagreements with management, poor work/life balance, inadequate (or lack of) processes or feedback, and not to mention disciplinaries, can all be attributable to someone being hacked off (pun intended) with their employer. Fortunately, there are relatively simple, and not to mention free(!), measures that can be implemented as a safeguard. This all stems from a humanistic and pastoral approach to the wellbeing of each and every employee. Something as modest as regular, informal contact with their line management to discuss any issues that they may have (and for this not to be limited to work) can have a profound effect on an employee’s sense of confidence, trust, and belonging.

Remember: Security is everyone’s responsibility – regardless of their role – so if any assets need priority in protecting, then it’s their people!

Steven Foley – Senior Security Consultant

Predicted for 2018 that did not happen
It’s been wheeled out numerous times but there was no escaping it: companies will take definitive actions on the GDPR… I’m not convinced this has happened in many cases, with most probably waiting to see the outcome of the first high impact monetary fine. I said it last year and will say it again: even though the ICO have said they will look to sanctions and education, other countries might not be so lenient.

One thing that was not predicted and did happen
I’m probably quite naïve with this one, but the vicarious liability ruling in respect to Morrisons should shake up a few organisations’ thought processes around staff awareness, review of clearances, monitoring, etc. Yes, the individual in question should have been removed from having admin access and put on gardening leave, but you can’t completely mitigate the insider threat and I for one feel it’s quite a harsh decision (it will be interesting to see what the penalty is).

As ML and AI advance and make life even easier for the naughty fellas, organisations should make sure they’re doing the simple things right, upskill security staff in line with the threat, etc. But of course, unless they are breached they’ll carry on blissfully ignorant until someone has their pants down.

Ian Warren – Security Consultant

I think it is worth mentioning that staff are also the issue for a major trend in data security incidents across pretty much all business areas (ICO Data Security Incident Trends): (inappropriate/illegal/’accidental’) disclosure of data. Again, the trust put into staff to process data/information in an appropriate manner is a key issue in data protection for businesses.

Public awareness has been sparked by, and yes I’ll mention it again, GDPR, which has been a catalyst for some businesses to focus and redress understanding amongst staff. Yet the capabilities of staff to perform have been questionable, as some business areas do not deliver good training/education awareness that is fit for purpose. Therefore, businesses fall foul of that lack of awareness and ability of staff.

This isn’t anything new and is likely to be the continuing story as we go forward, sad to say. Time for education and training is, I feel, seen as a ‘non-profit making’ exercise by some, and yet with foresight it should be the driver to enable staff and the business to demonstrate good, best practice data processing; reputation building.

Julia McCarron – Advent IM Co-Founder

For those of us old enough to remember the hoopla around Y2K: despite everyone running around like a headless chicken for 2 years, at 00.00.01 hours on 1/1/2000 once again hard disks kept on spinning, IT systems kept on running and all was well with the world. So too it came to pass that on 25th May 2018, GDPR didn’t cause non-compliant organisations to internally combust, as Mike says. The prediction that did come true was everyone rushing to demonstrate compliance up to 25th May 2018. What has been surprising has been the complete drop off since then, as organisations that did do something are resting on their laurels and those that didn’t are waiting for a competitor to get fined before they actually do anything themselves. I expect to see an increase in fines being handed out in 2019 and with this I would hope a realisation that regular auditing and monitoring is needed to ensure compliance with the regulation and DPA2018, and protection from the monetary and reputation damage being fined can cause. But I suspect I may be disappointed…

Derek Willins – Business Development Manager

One thing I’d like to see in 2019 is all websites having a simple way to switch off tracking cookies as an option. They should have this today – but approx. 40% of all sites I visit go out of their way to say how much they respect my privacy etc. – but then loop me around in cyber space to find the kill switch on personalised ad cookies (if it exists).

Ellie Hurst – Head of Marcomms & Media

What happened that was predicted – growth in the number of ransomware families plateaued. It had been in triple-figure growth and so a slowdown was inevitable and not hard to predict. What remains, however, is potent and very effective.

What didn’t happen that was predicted – that crypto-mining would take over from ransomware as the vector of choice for criminals. It’s labour intensive and takes time. Ransomware is much quicker (and dirtier) and is still extremely popular.

What should happen but won’t – businesses will update their security training, tailoring it to the users and dropping the idea that twenty minutes of e-learning per year is enough. Then they can shift the idea that users are stupid to the Useless, Lazy Excuses cupboard…

Dave Wharton – Managing Consultant

Predicted for 2018 that did not happen – Last year I predicted that there would be a major cyber-attack/security breach against a UK Government Dept during 2018. While such an event does not seem to have happened (or at least there hasn’t been one reported yet), the private sector seems to have more than made up for it (e.g. the Marriott breach).

One thing that was not predicted and did happen – The biggest event for me this year (and in line with what others have also said) was the Morrisons vicarious liability decision. While it can be argued that Morrisons could have done more to prevent what happened, the decision that they are vicariously responsible for the actions of one (very) disgruntled individual should be of concern to every employer, particularly when it comes to handling staff disciplinary matters. I also found the ICO’s use of the Computer Misuse Act to prosecute an individual and the subsequent custodial six-month sentence really interesting, and thought it was a real step forward in providing a potential deterrent.

One thing that should happen in 2019 but probably will not happen – The boardroom should finally pay attention to the reality of data breaches and the potential impacts to their organisations. It still only seems to be those who have suffered a breach who finally realise they should have done more. I also wonder how many hotel chain boards have started asking questions around their security/risk posture given the Marriott breach?

Don’t forget to come back in 2019…