It’s no secret that I hate predictions — not least because the security field changes rapidly, making it difficult to know what’s next. But given what we know about the past year, we can make some best-guesses at what’s to come.
Ransomware will get worse, and local governments will feel the heat
File-encrypting malware that demands money for the decryption key, known as ransomware, has plagued local and state governments in the past year. There have been a near-constant stream of attacks in the past year — Pensacola, Florida and Jackson County, Georgia to name a few. Governments and local authorities are particularly vulnerable as they’re often underfunded, unresourced and unable to protect their systems from many major threats. Worse, many are without cybersecurity insurance, which often doesn’t pay out anyway.
Sen. Mark Warner (D-VA), who sits on the Senate Intelligence Committee, said ransomware is designed to “inflict fear and uncertainty, disrupt vital services, and sow distrust in public institutions.”
“While often viewed as basic digital extortion, ransomware has had materially adverse impacts on markets, social services like education, water, and power, and on healthcare delivery, as we have seen in a number of states and municipalities across the United States,” he said earlier this year.
As these kinds of cyberattacks increase and victims feel compelled to pay to get their files back, expect hackers to continue to carry on attacking smaller, less prepared targets.
California’s privacy law will take effect — but its repercussions won’t be immediately known
On January 1, California’s Consumer Privacy Act (CCPA) began protecting the state’s 40 million residents. The law, which has similarities to Europe’s GDPR, aims to put much of a consumer’s data back in their control. The law gives consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt-out of the sale of that information.
But many companies are worried — so much so that they’re lobbying for a weaker but overarching federal law to supersede California’s new privacy law. The CCPA’s enforcement provisions will kick in some six months later, starting in July. Many companies are not prepared and it’s unclear exactly what impact the CCPA will have.
One thing is clear: expect penalties. Under GDPR, companies can be fined up to 4% of their global annual revenue. California’s law works on a sliding scale of fines, but the law also allows class action suits that could range into the high millions against infringing companies.
More data exposures to be expected as human error takes control
If you’ve read any of my stories over the past year, you’ll know that data exposures are as bad, if not worse than data breaches. Exposures, where people or companies inadvertently leave unsecured information online rather than an external breach by a hacker, are often caused by human error.
The problem became so bad that Amazon has tried to stem the flow of leaks by providing tools that detect inadvertently public data. Those tools will only go so far. Education and awareness can go far further. Expect more data exposures over the next year, as companies — and staff — continue to make mistakes with their users’ data.