Voice of the Industry

INNOPAY predicts: 8 cybersecurity trends you cannot miss in 2018

Tuesday 30 January 2018 09:57 CET | Editor: Melisande Mual | Voice of the industry

Jelger Groenland, Cybersecurity Lead at INNOPAY, presents the company’s view of the most important cybersecurity trends to watch in 2018.

This discussion is especially useful since the costs of cyber incidents are still on the rise, and regulations such as PSD2, GDPR and eIDAS require organisations to take a closer look at their cybersecurity.

1. Customers will get more control over personal data

With GDPR becoming effective in May 2018, customers will have more control over what personal data companies are allowed to process. Organisations need to map who their customers are, what personal data they hold about these customers, and design processes in which explicit consent is captured. Losing the data, or using it without being compliant, will result in high fines. Driven by this increased exposure, it has become economically viable to give customers more control over their personal data. By giving back control, for instance via an online portal, the organisation ensures information is up to date. This reduces the risk of misuse and builds trust with the customer.

Some examples include the MedMij initiative in the Netherlands where citizens get more control over their personal health data. Also, Estonia is the most well-known example for management of e-health. As the regulation comes into effect in 2018, we expect to see more of these examples.

2. Consolidation of digital identity management

As the digital transformation continues, more identities will be created. The traditional siloed way of Identity & Access Management, where employees and customers are managed on different platforms, is no longer effective.

A common trend among vendors of technical IAM solutions is to combine management of employee and customer identities on one platform. New platforms are also able to effectively manage machine identities on the same platform. Therefore, the next step would be the integration of public identity schemes (e.g. (Neuer) Personalausweis, eHerkenning, etc.) into these platforms. We expect this move to accelerate with the further implementation of the EU eIDAS regulation in September 2018.

3. Rising use of encryption and hashing technologies

Although the technology in itself is nothing new, we see an increase in usage of and interest in cryptography. This has several reasons. The first is the increased use of data outside the company boundaries, for instance with cloud services. As more data is stored outside the organisation, the need for strong encryption increases. The second reason is the introduction of GDPR. By encrypting customer data, there is no longer a need to individually notify a data subject in case of a data breach. Encryption significantly reduces the risk of exposing data and therefore the potential costs. And finally, the proliferation of blockchain technology like cryptocurrency, blockchain identities and smart contracts increases the interest in hashing technology. To ensure authenticity and integrity of blockchain, both data encryption and hashing technology are paramount.

4. Standardisation of API security

The proliferation of APIs as part of software design is increasing the attack surface for hackers and exposing organisations to more risk. As a result of the transition to DevOps and regulatory pressure for more openness (PSD2), the use of APIs is growing fast. This raises questions about the security of APIs.

We expect more efforts for standardisation in 2018. Important efforts are made by the Berlin Group, a European standards initiative, to drive standardisation of APIs for PSD2 compliance. Security is an important part of this standardisation effort.

5. Adoption of machine learning to detect attacks and malware

The application of machine learning and other pattern recognition technologies is not entirely new. However, this trend will continue and become increasingly relevant for cybersecurity, especially in domains where manual analysis capacity is limited and large volumes of data are being processed. These solutions ‘learn’ what the expected behaviour of a system or network is and scan for abnormalities. In practice, the best solutions combine machine learning technology with a well-trained analyst.

We expect to see an increasing number of innovative tools embedding machine learning to recognise attacks and malware on systems and networks.

6. Security by design in distributed storage and computing

One of the key objectives of security is to ensure the availability of systems and resources. In a traditional security approach this results in Business Continuity Management of systems and data centres. Now there is an alternative approach with distributed storage and computing power. Techniques such as fog computing are especially promising. This approach utilises computing power and storage just outside the organisational network, close to where it is needed.

Pioneers in this space are SONM, a start-up which uses the Ethereum blockchain to offer distributed computing power, and STORJ, a start-up offering decentralised storage on the blockchain. The combination of strong encryption and distribution of data across multiple nodes reduces single points of failure and makes it harder for an attacker to extract meaningful data.

7. Cybersecurity platformation

Because of the growing need for organisations to improve their security, the demand for cybersecurity specialists is at an all-time high, making it increasingly difficult to find suitable resources. This requires organisations to reconsider how they resource critical technical roles in the organisation. A relatively new way to do this is by sourcing penetration and vulnerability testing specialists through an online platform: a marketplace where cyber experts, penetration testers and hackers can be hired by organisations. An example is Synack. This is a platform with a pool of screened cybersecurity specialists to support organisations with penetration testing and white hat hacking.

8. Security rating agencies and background checks

As the technology ecosystem becomes more fragmented, the number of partners delivering IT services to an organisation rises, which can be a security risk. In security, the defence is as strong as the weakest link. Organisations need to know whether the security controls of their (prospective) partners are up to standard, to ensure their systems are not compromised via a partner with access to their systems.

Similar to credit checks, market data is needed about the security practices of an organisation. There are a few players already exploring this space (e.g. Bitsight and Checkr) and we expect there will be more as demand increases.

At INNOPAY we believe these trends will impact your cybersecurity strategy for 2018. If you want to know more about how to remain secure in a fast-changing landscape, sign up for the INNOPAY Cybersecurity Masterclass about the Future of Access Management on the 13th of March.

About Jelger Groenland

Jelger Groenland MSc CISSP is Senior Manager and Cybersecurity Lead at INNOPAY with 14 years’ experience in advising C-level executives on cybersecurity topics. INNOPAY is an international consultancy firm specialised in digital transactions.


About INNOPAY

INNOPAY is an independent consulting company, specialised in online payments, digital identity and e-business. We help our clients, including financial institutions, governments and corporates, to develop the compelling strategies and digital services for consumers and companies that are key for successful competition in a rapidly digitising world.

