Forecasting the Risk and Security Landscape in 2018

January 19, 2018

To kick off the new year, industry experts and hosts of our new podcast, The Watchdog, Brian McIlravey and Tim Chisholm sat down to chat about their forecasts for the shifting risk and security landscape this year and how practitioners can stay ahead of the curve. Read the full guide to the top corporate security threats of 2018 here.

Prefer to listen? No problem! Tune in to the episode on Audacy.

Tim Chisholm: All right. It’s a new year, Brian.

Brian McIlravey: It is, Tim. It’s 2018. How do you think the planet is this month, Tim?

Tim Chisholm: The planet has maybe been in better shape before. But what do you think? Where are you sitting? How are you feeling?

Brian McIlravey: There are all kinds of different charts on the top security risks that pop out for 2018, and they’re all very similar. But in terms of Resolver’s guide to the top risk and security trends of 2018, I went through a bunch of them and found some patterns that were very interesting. What I’m going to do is focus it down to two that I think are very prevalent. One that’s been common going back to probably about 1811 is natural disasters. I mean, there’s some risks that we know are going to be on this list every single year. But there was an article that came out about the planet and natural disasters that I found especially fascinating — 2017 was the most costly U.S. disaster year on record just in terms of the massive, massive amount of billions spent—which you might expect given the significant disasters that happened this year.

When it comes to natural disasters, I often say they’re always on the list of top threats. You have to protect yourself against natural disasters if you’re in Miami, if you’re in California, or if you’re in the Midwest. Different types of disasters will happen to different corporations depending on where they’re geographically located. What I found interesting in the article was not so much that the number or the quantity of natural disasters was that much different compared to previous years—in 2005 there were actually more natural disasters. So it’s not the quantity. The frequency doesn’t change that much. You don’t go from 10 hurricanes to 125 hurricanes from year to year. What the article pointed out was just that the significance of the disasters—like the hurricanes this year—was way beyond most they’ve ever seen. Wildfires were worse than they’ve ever seen.

So in terms of the things to watch out for in 2018, it will be interesting to see whether natural disasters will carry the same frequency, but the severity will be similar to 2017, or whether it will calm down a little bit. My question asking how you think the planet is doing was kind of led by that one because I don’t think 2017 was a good year for our planet, Tim.

Tim Chisholm: Well, it brings up an interesting question about how you end up planning for those kinds of escalations. I mean, obviously I don’t think people could’ve seen 2017 coming in terms of the sheer severity of the things that were thrown at the United States, but going into 2018, how as a company do you adjust that calculus? Do you now have to factor in and assume that 2018 is as bad as 2017? Do you look at it as an outlier? How does that kind of natural disaster planning actually happen?

Brian McIlravey: Yeah. I think you have to. I think the keyword is planning, for sure. I mean, you can’t expect that you’re going to go from 10 really bad hurricanes and horrible wildfires down to zero, and say, “Hey, hopefully nothing’s going to happen in 2018 and we’ll just wait and see.” Wait and see will never cut it. It’s all planning and you have to plan for the worst-case scenario. Some of the hurricanes and the responses to hurricanes over the course of the year just become lessons learned — learn these little things so that going into 2018 you plan a little differently, you respond a little differently. It’d be interesting to talk to business resiliency professionals on their take on the differences. Did they plan any differently in 2017 than they did in 2016, and what did they miss going into 2018? What are they planning in 2018 that they didn’t last year during a hurricane? So maybe one of these Watchdogs needs to get a business resiliency pro in here and let them answer that question on how you change when you have these serious events happening. What do you have to do to protect yourself against the absolute worst thing that can happen, and then what is that worst thing that can happen? Can it be any worse than 2017?

Tim Chisholm: It’s that idea that you can’t reasonably plan for your actual worst-case scenario. It has to be rooted in some kind of grounding and some sort of precedent. But I think if 2017 showed us anything, it’s that there can be a gulf between what we are able to considerably, reasonably imagine and what can actually happen. I think it becomes interesting from a corporate perspective when you have to start allocating actual funds and actual resources to this kind of planning. How much do you dictate through your imagination of how bad it can get versus what is a reasonable spend on the part of the company and on the part of the corporation?

Brian McIlravey: Yeah. Historical information really plays in a lot. If you look at something as simple as urban planning for lake area properties, they go by something that’s called the hundred-year flood mark. When they do setbacks, they take a flood marking and say your property setback has to be here because if we have the worst possible flood in the next hundred years, the worst possible flood in the last hundred years was before mark. We don’t expect it should ever go higher than this mark. If it goes 25% higher, you’re still good. So for hurricanes and other types of weather events, the historical context must have some kind of play in terms of how bad things can get. I’m not feigning expertise in this field in any way, but I wonder if there are any historical components that played into planning for hurricanes over the past hundred years. This year has been the most costly ever, but not necessarily the worst storms ever. There’s been some pretty bad hurricanes in the past. You wonder if the economic disaster piece to it is just more people, more businesses, more things that can get destroyed, more claims, things like that.

Wildfires, on the other hand, are a different story. Historically, once a fire has burned through a forest, there’s a very low likelihood that the same forest is going to catch on fire again next year. But the one 20 kilometers away from it still could. I’m sure there’s some historical extrapolation there.

So you know, Tim, the concept of natural disasters will never go away. I just found that one article on it being the most costly ever was pretty interesting even though the frequency hasn’t changed. Risk is all about frequency and expectations.

Tim Chisholm: That being said, is there anything that’s predicted for the next year that strikes you as something a little bit more contemporary, a little bit more rooted in newfound threats?

Brian McIlravey: Going back to how the planet is doing today, some of the threats being predicted for this year are very obvious. Some are not. But there were some that just kept repeating themselves. It’s not going to be a surprise to anyone. The two biggest ones that I kept seeing over and over again were cyber attacks and soft target attacks. But then what I found more interesting was within each of those two, there was actually a common theme. I can let you in on that theme as I get to the end because I don’t want to tell you right away. It would just spoil it.

Tim Chisholm: Excellent. Stay tuned to the end.

Brian McIlravey: Yeah. Stay tuned to the end because there’s a big twist to all of this as you research it. Take cyber attacks as the first one. Any list that you look at on security risks to watch out for in 2018, there was not one that did not have cyber on it. So it’s got to be one of the biggest ones that every company, every organization, every person has to be worried about. You could be a government, you could be a corporate organization or an individual person. You need to be worried about cyber. What gets more interesting though is the different types of cyber threats for 2018 that become more worrisome than others. There’s lots of them.

The most prominent ones like denial of service attacks are always out there. You’re always protecting against those. But there’s other ones I found a little more serious and a little more interesting. Ransomware, of course, being not a new one but one where companies are getting hit a little more frequently. I mean, ransomware is rampant and I think a lot of people and companies take the ‘not in my backyard’ approach, thinking it will never happen to them. Be proactive about ransomware. As an individual, Tim, have you ever sat at your home computer and thought, “No one’s ever going to come into Tim’s computer. What are they going to steal from me?” Do you think about that as an individual?

Tim Chisholm: I only ever really think about it when I see cyber attacks in the news. But my reaction is always that I’m sure that I’ve got nothing of value. I’m sure I’ve got nothing of interest. So why would anybody knock on my metaphorical door to try to extract stuff out? But then it’s one of those things where if you ever let your mind kind of roll down the drain, it’s amazing how much information you have or that you have access to either by virtue of individual banking assets, or things that your work trusts you with. There’s a lot of valuable stuff on my own computer that I sometimes take for granted as being unimportant but is actually fairly sizable and fairly valuable in these kinds of attacks.

Brian McIlravey: Yeah. It’s one of those things where you probably don’t understand how much you love something until it’s gone and taken away, and then someone says, “Hey, you can have all this back for the healthy fee of $50,000.” Pictures, documents, all of these little things that we keep on our personal computers that can easily be ransomed. Imagine being at a corporation where you come in one day and your servers are locked out. You can’t get into Salesforce. You can’t get into anything that is running your company. Just the impact on that would be so huge to any organization.

But there were two other pieces that I found very interesting when looking at cyber related threats and things to watch out for in 2018. One was related to the internet of things being the real weak link in the internet. As we know, there are more and more sensor-based internet connected devices and the internet of things will always remain a major weak point right now because of the devices being connected through networks that aren’t properly configured, and rely upon the 000 password that no one ever changes. Those little gateways can give very easy access to bigger systems. They give rise to the botnets that are just out there saying ‘looking for a hole, looking for a hole’ and are then used for volume attacks to actually trade stolen data. It’s really, really huge stuff. We have a lot of things even here in our office that are internet-based, and people have them at home. That’s just going to exacerbate over the course of the year as things get connected and further expand those weak links where something is looking for that little hole to get in to cause some kind of damage — ransomware, whatever it might be.

Tim Chisholm: I think we’re getting to a place where we’re bringing these things into our home, into our office somewhat unthinkingly. Someone goes out and buys a new smart thermostat or a new smart plug. Sometimes you can get these things for as cheap as $20, $30 and so you don’t think of it as being a point of attack for your computer, being a point of attack for your personal information. It’s one of those things that seems so innocuous. It actually reduces the cognitive assumption that it can pose a vital threat to both your home and your office. I think as these things become more and more ubiquitous, and as the general population starts to really adopt them, it’s immeasurable how much the threat will increase because you are taking these things in unthinkingly. Maybe you have one single smart plug, and that one single smart plug is going to be fine. But if you’re going to start bringing in the kids’ toys and the random speakers, every single one of these is a new potential fail point for your home or work security.

Brian McIlravey: Yeah. It’s the fail point that’s the next point I wanted to discuss actually. So we have these connected, sensor-based devices — all these things that are used in corporations, in houses, in public. No matter where you go. These devices are becoming more ubiquitous. But at the same time, there is a significant shortage in cyber security professional skills.

Tim Chisholm: Interesting.

Brian McIlravey: I don’t know if a lot of people really recognize the amount of data that we have out there through these sensor-based devices being set up. To your point, there’s little scrutiny of these things. Part of that is there’s just not enough expertise. The expertise is not going as fast as the technology for us to properly protect all these things that are out there on the internet or out in cyberspace. Had I said, “Give me five things in cyber that you think are an issue for 2018, Tim,” would you have said, “Hey, I think it’s a skills shortage”? Because that’s one I’m shocked to have read everywhere.

Tim Chisholm: I really wouldn’t have thought of that. Is there a specific kind of skillset that you’re referring to? What would be the skillset that you find is lacking perhaps in the job marketplace?

Brian McIlravey: It depends on the term. There are cyber security professionals. There are InfoSec professionals. They both relate to the protection of something cyber. So InfoSec people are going to be more concerned with the protection of information and data and getting through servers. But think of something as big and critical as infrastructure protection. When you look at the electric grid and other high impact critical infrastructure places, a lot of those are running on networks and are still based on the internet. Their servers might be contained but they are still open targets that need protection. So you have professionals that range from the physical protection of physical barriers through to the logical barriers through to the local barriers. I mean, it’s just a protection of all these pieces, widgets, sensors, connections, pathways, open ways. The skill set is very diverse. Through ASIS International, there’s a council called the Information Technology Security Council. I think there’s 40 to 45 members on t