This is a part of a series of stories featuring CIO Dive's business technology trends for 2018.
The theme of cybersecurity in 2017 was "no one is safe."
Any consumer who managed to emerge from the Equifax, Yahoo, OPM and a host of POS breaches unscathed should consider entering the lottery. And any company that escaped 2017 without a cybersecurity crisis should give its security team a raise.
Today, the battlefield of business is the digital landscape and the weapons are complex strings of binary. This year will see several battles continuing to play out and several new ones emerging.
1. This year will bring more of the same, and it's all uphill from here
Last year saw a continued escalation of cyberattacks and cyberthreats, of their derivative costs and of overall security spending, and the tide is not expected to slow in 2018. Information security spending was projected to reach more than $86 billion in 2017, and Gartner predicts another hike to $93 billion in 2018.
Security services will remain the fastest growing segment, as businesses continue to outsource IT services, according to Gartner. But an increasing deficit in cybersecurity professionals and a continued dearth of talent are imposing large limitations on the progress companies can make.
Millennials, women or veterans may save the day, but 2018 is not likely to be the year cybersecurity workforce deficiencies are overcome.
Companies should be prepping for long-term cybersecurity strength, but short-term threats, such as ransomware, and associated costs will likely prove more dangerous and prevalent. Though 2017 felt dominated by headline after headline about cybersecurity failings, experts are not predicting a change this year.
2. Forget the basement hacker: Nation-state actors elbow their way to the front of the line
It's not often that a year closes out with Microsoft, Facebook, the White House and North Korea all sharing spots in the same sentence. But big tech firms made headlines in December as government officials praised their efforts to deter North Korean cyberattacks.
The end of 2017 saw fingers pointed towards North Korea as the culprit for the WannaCry ransomware and questions and investigations arising related to the Russian hacking of the DNC during the 2016 presidential election.
With midterm elections coming up, election security is set to become an especially prominent topic. In 2018, government and enterprise will have to come to terms with the presence and effects of hostile foreign actors in their cyberspace, as well as figure out what the path forward, including any reprisal, may entail.
This path forward is sure to see a continued and potentially expanded partnership between the public and private spheres.
Tech companies can help fill voids in international laws on cyberattacks, acting as "medics in cyberspace." And fluid communication between public and private channels about security threats will need to see improvements before things get better.
After all, neither side can operate independently from the other.
3. Redefining cybersecurity as a bottom-line profit area
When it comes to talking about cybersecurity, it's sometimes hard not to sound like a broken record. While some hacks and breaches come about as the work of particularly ingenious actors, more often than not they are the result of insufficient best practices, human error or bad luck.
Cybercrimes are expected to cost more than $6 trillion globally by 2021, and 2018 cybersecurity spending is expected to reach $93 billion. As business costs per attack continue to rise and regulators seek to improve corporate accountability and responsibility, simply hiring a few more security experts is not enough.
CIOs and, more importantly, the rest of the C-suite need to view cybersecurity as a key area of profitability. For some, it may drive profits; for others, it may be integral to maintaining them. But for all companies, cybersecurity cannot be an afterthought or reactive measure.
Redefining cybersecurity does not mean companies need a complete system overhaul. But it does require more attention to measures such as multi-factor and risk-based authentication, contextualized access and frequent employee training — and, of course, expanded security budgets.
4. Beefing up security for the Internet of Things
We said it last year, and we'll have to say it again: Internet of Things (IoT) devices need better security.
While only half of the global population is expected to be connected to the internet this year, the IoT is expected to expand to an estimated 24 billion devices by 2020, with $6 trillion in investment between 2015 and 2020. Higher estimates put the figure at around 50 billion connected devices — or an average of 6.58 devices per person — by 2020, according to Statista.
The difference between these estimates is that 24 billion devices have a huge security dilemma and 50 billion devices have an even bigger one.
Right now, less than half of IoT budgets are spent on protection, according to Gartner. Over the next four years, the majority of these budgets will continue to be allocated to fault remediation, recalls and safety failures.
IoT devices and algorithms are ready to harness the 2.5 quintillion bytes of data already generated daily, but these benefits could be dramatically offset by the lack of adequate security. After all, device security often takes a backseat to time-to-market pressures and consumer demand, which is currently leaving around three-quarters of IoT devices in "failing" condition.
If "information is the new oil," the IoT is the rig, and it's better to have a comprehensive security system and backups in place rather than risk an oil spill. This is especially important because IoT attacks for profit, rather than for damage or chaos, are expected to rise in 2018, according to Forrester.
5. Compliance, compliance, compliance
About halfway through 2018, the EU's General Data Protection Regulation will take effect and impose a host of new accountability measures and data rights responsibilities upon companies handling or processing data.
Juggling GDPR as well as a host of other state, federal and international regulations is no easy feat and can cost a company almost $5.5 million. So why bother?
Under GDPR alone, companies can face fines up to 4% of global turnover or around $23.8 million — whichever amount is higher. And overall noncompliance, which includes fines as well as disruption to business, productivity and revenue, can cost almost $15 million per company.
Compliance will be a long, hard and costly road for many companies, and can entail a retooling of security practices across the entire workforce.
For example, data accessed through employees' mobile devices could jeopardize GDPR compliance. And right now, the majority of employees use mobile devices to access company data, including over public Wi-Fi networks.