2019 was a challenging year for organisations trying to reduce the likelihood and minimise the impact of IT outages. As we have seen, both businesses and public sector bodies are increasingly being targeted by opportunistic cybercriminals looking for vulnerabilities to exploit. The effects of these attacks have been devastating for some organisations. Unfortunately, despite improvements in resilience, we expect these incidents to continue in 2020.
Peter Groucutt is the managing director or Databarracks.
The cyber crystal ball
When looking to the future, we inevitably tend to pay the most attention to big, shock predictions and neglect current trends. In fact, the risks we’ll face in 2020 are most likely to be the ones we already know about. Amara’s Law states that society tends to overestimate the effect of a technology in the short term and underestimate its effect in the long term. We will likely see a continuation of the same types of breaches and cyber-attacks we have seen in 2019.
Will we see cyber criminals using quantum computers to break encryption and bypass antivirus solutions? Probably not. How about a rogue Artificial Intelligence (AI) systematically breaking into corporate networks and holding systems to ransom? Again, unlikely. The threats we should be focusing on are the ones that are working and doing damage now.
According to our 2019 Data Health Check, cyber-attacks have doubled as a cause of downtime since 2016. They have also increased as a cause of data loss by almost 90 per cent since 2014. Organisations may be getting better at protecting their infrastructure, people and data, but unfortunately, cybercriminals are adapting even faster.
This means we will witness more high-profile incidents, potentially leading to job losses. As we have seen many times, this results in severe and long-lasting reputational damage - a huge motivation for board leaders to prioritise resilience and cybersecurity in 2020.
On a more positive note, cyber defences and Disaster Recovery (DR) (opens in new tab) are gradually improving, with more frequent testing and steady increases in offsite backups. This is good news, as hardware failure and human error will likely continue as the top causes of data loss (another multi-year trend reported by the Data Health Check).
Better Business Continuity
There is also greater protection of cloud services (opens in new tab) as more businesses install their own backups, either to cloud storage (opens in new tab) or back to their own sites. Additionally, cybersecurity is now viewed as more than just an issue for IT teams and is being raised to board. It is great to see senior staff are taking more responsibility for areas traditionally outside their remit.
Taking DR and BCP more seriously is vital, considering the enormous impact they can have on any business. Cyber-attacks were once a minor inconvenience that could be handled by IT management (opens in new tab) but is now an existential threat for any organisation.
Supply chains are now a common route for attack. Bloomberg reported that Chinese spies interfered in the supply chain of Supermicro servers, introducing microchips on mother-boards of servers (opens in new tab) sent to over 30 companies including the US DoD, a global bank and Apple. As an attack vector, this is one of the more difficult to defend against and illustrates the holistic approach organisations need to take to protect themselves.
The Commons Treasury Committee report into the IT outages across the financial services sector was published in October. The report shines a light on how all the UK’s major high street banks have been hit by IT outages over the last few years. The importance of the banks and payment systems have forced the Treasury to push regulators to act. This precedent will hopefully encourage other regulators to also take action if failures reach unacceptable levels and to take the lead on resilience. We therefore expect more political involvement in 2020.
Hope for the future
There are a handful of expressions you can’t avoid hearing in the world of cyber security:
‘It’s an arms-race between us and the criminals’
‘It’s not if - it’s when you’ll be breached’,
‘A criminal only has to be right once, we have to be right every time’.
Although the criminals still seem to be winning the race, we’re actually very positive about the future of cyber security.
It really can’t be understated how quickly the world has changed. A few years ago, when I spoke to IT Directors, they were universally overwhelmed. Cyber just wasn’t part of their skill-set and they were suddenly facing threats from all directions. Attacks are increasing but our Data Health Check also tells the other side of the story, revealing steady, incremental improvements in defences.
Conversations with those same IT Directors are very different now. They’re not complacent and certainly don’t think they’re impenetrable but they are in much greater control. They’ve upskilled themselves and their teams, educated their users through basic cybersecurity training (opens in new tab) and have plans in place to respond to incidents.
- Protect against malware with the best antivirus (opens in new tab).