
The Shape of Cybersecurity in EMEA – Looking Back to Look Forward

It’s probably fair to say that 2018 has experienced more than its share of data breaches. In fact, according to Gemalto’s Breach Level Index, the first half of the year alone saw 945 data breaches compromise an incredible 4.5 billion data records worldwide. A week seldom goes by in which a major data breach is not reported, while organizations the world over continue to strive to keep valuable data out of reach of an increasing range of threats.

From an EMEA perspective, the EU’s General Data Protection Regulation (GDPR) has compelled many businesses to elevate data protection processes, yet high-profile breaches are still happening. The European edition of the 2018 Thales Data Threat Report states that data is under siege across Europe, with 71 percent of European enterprises surveyed reporting that they have been breached, of which 32 percent have experienced a breach in the past year.

The report goes on to state that “the UK is the most breached country in cybersecurity terms,” with 67 percent of UK respondents confirming they had been victims of a security breach at some point in the past. Here are five of the most infamous security breaches that have occurred in the EMEA region over the past two years:

1 – FIFA
In November this year, approximately 3.4 terabytes of data and 70 million documents from FIFA, containing numerous allegations of corruption, were leaked to German magazine Der Spiegel by the Football Leaks organization.

2 – British Airways
Between Aug. 21 and Sept. 5, 2018, an attack on the British Airways website and the company’s app resulted in a data breach affecting 380,000 transactions.

3 – Dixons Carphone
The UK-based electrical brands retailer admitted to a massive data breach that happened in July 2017, involving access to approximately 1.2 million customer records. Even worse was an attempt to compromise 5.9 million cards in the processing systems of Currys PC World and Dixons Travel Shops.

4 – NHS
In May 2017, a calculated attack was undertaken on not just the NHS, but also other organizations worldwide. Unfortunately, the NHS was the worst affected, with 47 Trusts breached by the malicious ransomware WannaCry, which restricts computer or network access and threatens to delete data within a certain time unless a ransom is paid.

5 – Wonga
The payday loan firm suffered a data breach in April 2017 that affected as many as 245,000 UK customers, including bank account numbers and sort codes.

One clear conclusion that we can draw from all of these data breaches is that attack vectors are constantly changing. Additionally, applications are forming the base of many of today’s organizations, which means that DevOps is becoming a true Software Production Line, and therefore, the importance of embedding security during the DevOps processes cannot be overlooked.

Vigilance has become everyone’s responsibility, not just that of the CSO. With this in mind, and looking ahead to 2019, here’s a short wrap-up of how three of Forrester’s predictions for the cybersecurity industry may impact the European market specifically, as shared by senior analyst Paul McKay:

  • Economic espionage in Europe will increase due to the US-China trade war. Forty-one percent of security decision makers in Europe listed geopolitical risks as a high-priority concern for their organizations. Our predictions report outlines the uncanny resemblance in the correlation between the industries listed as priority areas of investment in the last (11th) five-year Chinese industry investment plan and those that were targeted by Chinese state actors via hacks around 2015. Readers of the latest plan (12th 5-year plan) will realize that several key European industries are under threat. With the fallout from the US-China trade war, this is going to accelerate over the next 12 months and beyond. This should serve as an early warning sign for industries such as: 1) new energy vehicles (e.g., car manufacturers in Germany, France, and the UK); 2) power equipment (e.g., Switzerland and Germany); and 3) aerospace (France, the UK, and Italy). CISOs serving such companies should assume that they are targets. CISOs should take care to focus their security measures on protecting their key intellectual property in 2019 and beyond.
  • Smart devices are undertaking surveillance in your home and will lead to drama. EU Directive 347/2013 is driving energy companies across the EU to implement smart metering and smart grid infrastructure. The volume of data and devices connected to our state utilities has improved dramatically over the past few years. This has improved the level of customer targeting that utilities perform to put forward bespoke customer offerings. We predict in 2019 that a major utility is going to cause a major public relations gaffe. Utilities will inadvertently use data in ways that have not been formally consented to by customers. This will cause embarrassment and expose the large level of surveillance insight that utilities have into our daily lives.
  • Demand for more diversity in the security workforce will continue to rise. As some of the reactions I’ve seen in the robust response to bad practices at trade shows such as Infosecurity Europe 2018 indicate, there is a big demand to get more underrepresented groups more fully into the security workforce, such as women and all other more diverse demographics in Europe. According to the CISO of Xerox: “How can we expect to solve the skills shortage when we only recruit from less than 50 percent of the available talent pool?” By 2020, we expect 20 percent of CISOs to be female. We expect this to apply in Europe, as well. Further diversification of the workforce brings a broader range of perspectives and talents to our fight against adversaries. This ultimately allows us to serve our organizations better.