So 2017 is in the rear-view mirror, and here comes 2018, all bright-eyed and bushy-tailed. What should we be ready for this year in terms of risk management trends? Here are three that are likely to have an outsized impact:
- Cyber security risks will continue and get more dangerous. Maintaining information and network security will grow even more challenging.
- The cloud will bring risk. The increased dependence on cloud-based services is creating a new kind of risk that many companies have yet to address. 2018 is likely to see a deepening engagement with the vulnerabilities caused by this new reality.
- New rules will bring unexpected risks. As companies adapt to the new regulatory regimes, the changes they are obliged to make will create unexpected new dangers.
The traditional threats to business operations from nature, people, and technology are still out there. These threats will doubtless rear up and make themselves felt in 2018. These will include bad weather, employee mistakes, and so on. But in terms of new risk management trends, the three developments mentioned above are likely to be especially prominent. We’ll take a closer look at each one below.
New Challenges to Cybersecurity
Dealing with threats to their data and information networks has been a fact of life for business for many years. Unfortunately, the problem is going to intensify in 2018 as hackers grow more sophisticated in their methods. In our recent series of posts on Corporate Security Awareness, we talked about problems such as ransomware and phishing attacks. (See “Staying Safe While Browsing the Web: How You Can Help Protect Your Organization.”)
Those problems are likely to shapeshift in 2018 as hackers employ new forms of attack. In terms of ransomware threats, we might see hackers try new ways to monetize their illegal access to company networks. For example, instead of encrypting data, freezing systems, and demanding that companies pay money to get their data back, we might see hackers threaten to release data to the public unless they receive a ransom. Likewise, phishing attacks will probably grow more insidious as hackers get better at mimicking trusted websites, including your own support site or forms.
Meanwhile, 2018 is likely to see an increase in the use of artificial intelligence (AI) in hacking attacks. AI can be used by hackers to raise the sophistication of phishing attacks. It can also be used to learn users’ computer behavior in order to improve the hackers’ field position as they go on to mount the familiar brute-force attacks to try to crack insiders’ network passwords. Since security companies have been using machine learning to identify potential anomalies or attacks, 2018 might be the year of AI vs. AI in the cybersecurity trenches.
The Risks Caused by Increasing Reliance on the Cloud
In our recent review of the biggest business continuity trends from 2017, we talked about business’s increasing reliance on the cloud. This now commonly extends to such critical functionalities as email, conferencing, and spreadsheet software. The shift brings many benefits but also creates new vulnerabilities. 2018 is likely to see business engaging more intensively than it has in the past with the risks created by the rise of software as a service (SaaS) and other cloud-computing trends.
This is a new wrinkle in the old story of third-party vendor risk management. But greater dependence breeds greater risk. It also calls for greater diligence in risk mitigation.
Whatever you do from a disaster recovery and regulatory perspective, you need to make sure your critical vendors are doing the same. The vendor might say, “Sure, we have a business continuity plan,” but that doesn’t mean their plan is accurate or sufficient.
Cloud-dependent companies need to ask themselves what they will do if their cloud-based services go away for a period of time. How will your company communicate if Office 365 or Gmail go down? Obviously, Microsoft and Google are major, well-resourced services, but stranger things have happened than such services becoming temporarily unavailable. In their absence, how would the members of your organization communicate? Would you turn to text messages or phone calls? There are ways to work around an email outage, but it takes thought and preparation. If you don’t have a workaround in place before trouble strikes, the outage’s impact will be needlessly disruptive and expensive, so take the time to consider what would happen to your organization if internet access was unavailable either due to internal or external causes.
Adapting to New Regulations Will Create Dangers for Business
Lastly, 2018 is going to see some significant regulatory changes, and adapting to these is an inherently risky process.
Perhaps the biggest regulatory change related to data security that will impact many organizations will be the European Union’s General Data Protection Regulation which will go into effect in May. (For more information, see the article “GDPR Compliance: A Heads-Up for Business Continuity Professionals” from BCMMetrics.) These new consumer-privacy protection rules will impact just about every organization doing business in Europe. (The new tax bill in the U.S. might also have regulatory-type impacts.)
Obviously, not being in compliance with a regulation such as GDPR can have a major impact on your organization. For example, fines for not being in compliance with GPDR can be up to 4% of a company’s annual revenue.
Ironically, however, the very act of going into compliance creates new vulnerabilities. The process of incorporating new data-handling procedures is inherently risky. It’s like changing horses in midstream—but due to the compulsory nature of the new regulations, you must make the change. Making alterations to data-processing procedures commonly adds costs and complexity. Such changes can also create incompatibilities that interfere with other processes.
It’s counterintuitive, but making system changes to increase privacy protection can inadvertently weaken that protection by creating new vulnerabilities if those changes are not well designed and tested.
Because making changes to conform with new regulations increases risk, any regulatory change should be part of your crisis management planning. Business’s adapting to meet new regulations, and handling the risks of those adaptions, will likely be a major theme of 2018.
How would you rate your organization’s risk management strategy as 2018 gets underway? If you would like help in evaluating or strengthening it, contact us.
Dealing with Risk Management Trends in 2018
All in all, 2018 is looking like it will be a lively, invigorating year for risk management trends and business continuity professionals. In addition to the usual threats of fire, flood, and the rest, we’ll have three new, cutting-edge problems to go with our cutting-edge times: a heightening of the threat to information and network security, a new reckoning with the vulnerabilities of cloud computing, and new risks brought on by the process of adapting to new regulations.