NCC Group's trends of 2018
For better or worse, 2017 was a memorable year across the technology and cyber security landscapes. Data breaches were massive and numerous, global ransomware outbreaks brought organisations to a standstill and distributed ledger technology - including various cryptocurrencies - was (and still is) the talk of the town.
As we begin the New Year, disruptive technological advances and political and social tensions mean many may be unsure what to expect over the next 12 months. But that hasn't stopped us from asking a selection of our experts what they predict will be the big trends of 2018.
1. Do more without a password
"Biometrics are great for convenience and efficiency of authentication and authorisation; they are not, however, without their risks and potential for vulnerability in implementation." - Matt Lewis 
Is the traditional password dead?
With fingerprint authentication now embedded in almost all top-end smartphones and the launch of the iPhone X bringing with it Apple's Face ID, many will argue the answer is yes.
In 2018, FaceID and Microsoft's Hello, among many others, will help facial recognition to become a convenient way for end-users to authenticate and authorise transactions, and we should see growing adoption of biometrics in the enterprise and in retail applications.
As a result, the public's familiarity with and acceptance of biometrics will likely continue to grow, rendering it a popular mechanism for authentication and, in some cases, removing the need for PINs or passwords.
But at the end of 2016, we reasoned that biometrics is not the panacea to authentication.
Passwords offer the powerful property of allowing us to keep secrets - and change them when we wish - in a way that biometrics do not. You cannot change your face in the same way that you can change a password. You also cannot create a new fingerprint in the same way you can create a new PIN.
Will the traditional password make a comeback in 2019? Or will we perhaps see more systems and applications combining PINs, passwords and biometrics to deliver multi-factor authentication?
2. Cyber security steps it up a notch
"You need to be able to deal with successful cyber attacks of varying degrees of impact and be able to recover accordingly with the minimum level of disruption." - Ollie Whitehouse 
Tech companies aren't the only ones susceptible to a large-scale cyber attack. The transport, healthcare and retail industries were all the target of attacks last year, as cyber criminals realised that naivety in certain sectors can lead to significant financial gains.
In 2018, these industries will step up efforts to gain a better understanding of the threats and risks they face and increase investment in order to improve their cyber maturity. Other industries that are more experienced in dealing with threats will continue to invest ahead of the implementation of the new General Data Protection Regulation (GDPR) on 25 May 2018.
However, that doesn't mean we'll witness a year without publicised data breaches. No one person or business is free from risk, but GDPR - and 2017's unexpected impact of WannaCry and NotPetya - should highlight to organisations of all sizes the need to be prepared and appropriately resilient.
3. Cyber resilience capabilities move towards a global consistency
"If countries across the world are to achieve a consistent unified approach with regards to cyber resilience and the implementation of best practice, it's important to start taking the relevant steps at ground level in order to prime us for the future." - Phillip Larbey 
If 2017 taught us anything, it's that cyber attacks are borderless. In response, action is now being taken at a geo-political level to ensure a borderless approach to cyber resilience, most notably in the finance sector.
Since October 2016, the G-7 has published two sets of non-binding guidelines that are aimed at encouraging a consistent approach to cyber security across the finance sector. And it comes as regulatory interest in financial organisations has grown following recent, high-profile attacks.
In 2018, the cyber resilience work of geo-political forums, nation states and regulators in the finance sector will converge. We'll likely see more best practice guidance being published by the G-7 while, at the same time, institutions invest more in building the infrastructure required to meet regulatory requirements.
Financial sectors that are most cyber mature - including the UK's - will continue to lead the way. And it is expected that the work being done to improve the resilience of financial institutions will soon spread in to other regulated sectors.
4. The supply chain cannot hold
"As organisations seek to streamline their supply chain processes by integrating with their suppliers' systems, this inter-connectivity is leading to an increase in potential attack surfaces that criminals can exploit." - Dominic Carroll 
When the NotPetya ransomware spread via an update to the Ukrainian accounting software M.E.Doc in July 2017, it reminded organisations all over the world that supply chain vulnerabilities can be just as devastating as internal weaknesses when breached.
Throughout 2018, we should see an increased focus on securing supply chains as organisations conduct more in-depth due diligence before allowing external persons to routinely access their networks.
For those who ignore the warnings and advice of cyber security experts, 2018 will bring with it the increased risk of being breached by the weaknesses of a trusted partner even if their own resilience improves.
5. Leaked and stolen exploits become an EternalNightmare
"Cyber security is not a static issue. Companies must be constantly agile to the changing threat landscape and ensure resilience is a key strand of their defensive strategy." - Ollie Whitehouse 
In April 2017, hacker group the Shadow Brokers dumped 'Lost in Translation', a set of files containing tools and exploits developed by - and stolen from - the National Security Agency (NSA).
The most significant exploit from the dump, EternalBlue, allowed the WannaCry ransomware outbreak to infect organisations all over the world just weeks later. The following month, NotPetya also propagated through EternalBlue.
Another exploit from the same dump, EternalRomance, meant October's BadRabbit ransomware outbreak could rapidly spread throughout Russia, Ukraine, Bulgaria and Turkey.
In 2018, it's undoubtable that the upward trend in exploit re-use for large-scale attacks will continue, even if we can't predict whether other, more serious exploits will be leaked or discovered. Regardless, organisations should be ready for previously unknown threats to enter the wild and have threat monitoring in place to help detect suspicious activity, while also being able to respond at scale and speed with remediation activities.
6. More is done to manage the rise of the machines
"Artificial Intelligence might eventually replace human, moralistic decision making, perhaps in ways that aren't conducive to peace, safety or preservation of planetary life." - Thomas Marcks von Würtemberg & Matt Lewis 
Self-driving cars, smart speakers and chatbots. 2017's explosion of applications that use Artificial Intelligence (AI) and Machine Learning (ML) means that the technology now features heavily on our roads, in our homes and across our devices. This is a trend that will no doubt continue into 2018 and beyond.
But for all of the benefits that can be seen on the surface, Professor Stephen Hawking recently warned that AI could "spell the end of the human race"  if best practice and effective management isn't employed. It's therefore no surprise that we're seeing growing research and effort around adversarial machine learning; that is, looking at ways of defeating or manipulating AI-based solutions.
Ultimately, AI and ML applications are only as good as the data that they are trained on and on which they learn. If a data source is compromised, the application it serves could be manipulated in ways we're yet to witness.
Unless AI models are periodically re-trained to cater for changes in context, then this could be a future failure of some systems; an AI system that works well today may become obsolete in 2018 and beyond unless it is capable of continual learning.
Over 2018, research will continue from industry and academia that demonstrates the limitations and vulnerabilities in some AI approaches and implementations.
But it isn't all negative. There is a lot of hype and money flowing into AI and ML applications in cyber security and over the next 12 to 24 months we expect to see more examples of tangible value, new capabilities and scale.
7. An IoT botnet brings the net to its knees
"Security within the Internet of Things is currently below par." - Matt Lewis 
We're rapidly moving towards a future filled with Internet of Things (IoT) devices. By 2020, Gartner predicts that there will be over 20 billion connected 'things' . From experience, we know that many of these 'things' are relatively easy to hack.
But while the pervasiveness of technology deriving from IoT has a myriad number of possibilities, this rapid growth will likely increase the global threat of IoT-based malware and botnets in 2018 and beyond.
The Mirai botnet was a great example of how critical internet components could be attacked by taking control of millions of vulnerable connected devices around the world. Since Mirai, we're already seeing evidence of similar types of botnet (Reaper) but now with more sophistication in the methods used to compromise IoT devices (methods beyond just username and password guessing).
If more work isn't done to address the vulnerabilities in these devices, 2018 will likely see an IoT-based botnet attack take down a larger chunk of the internet.
8. Hybrid cloud keeps our feet on the ground
"Increased legislation and regulation around data security and privacy may slow-down pure cloud adoption, forcing customers to look at hybrid cloud or traditional on-premise hosting for more assured governance over data." - Matt Lewis
For years, we've read about organisations moving most or all of their data to 'the cloud'. Software-as-a-Service (SaaS) applications are now used by businesses of all sizes and you'd be forgiven for concluding that on-premise software is a thing of the past.
But in 2018 we may see this trend reversed.
For organisations unable or unwilling to fully submit all data to the cloud (for reasons of data sensitivity, regulation or resilience) there are hybrid cloud solutions. Having flown somewhat under the radar in 2017, these solutions will likely see greater adoption over the next 12 months.
The hybrid cloud provides organisations with the power and flexibility of public cloud features such as SaaS, Infrastructure-as-a-Service and Platform-as-a-Service, but with the ability to more tightly control data and host sensitive elements on premise.
Microsoft's Azure Stack and Amazon's Enterprise Cloud Stack are just two examples of hybrid cloud offerings that will likely grow in adoption during 2018.
9. Organisations orchestrate and automate in order to address scalability
"Threats like WannaCry and NotPetya mean we can no longer rely on manual responses to help us react at the speed required." - Ollie Whitehouse
The widening cyber skills gap is an issue that must be addressed. But even with large amounts of public and private funding, the problem will likely get worse before it gets better.
In the meantime, forward-leaning organisations are looking to tackle this shortage of skilled humans while operating as efficiently as possible. Orchestration and automation will therefore be a key focus in 2018.
Automation, in the face of recent threats and the ever-evolving landscape, will help us to respond quickly, providing scalability and resilience while keeping costs down.
Complex organisations with a mature approach to cyber security will be the first to carry this trend, initially using orchestration to automate responses to certain risks and scenarios. These responses could range from automatically isolating hosts suspected of compromise, through to being able to quickly identify and remediate vulnerable hosts.
However, the cyber maturity required to implement an orchestration strategy that supports a response to security issues means many organisations have a lot of work to do throughout 2018 and beyond.
10. Focus shifts to developer- and user-centred security
"Policies, processes and technology created in isolation cannot be expected to yield the security resilience outcomes we hope for." - Ollie Whitehouse
Isolating security as a function has significant weaknesses. This has become ever-more evident over the past few years where we have seen numerous ransomware and malware attacks take place, possible as a result of successful phishing activity or weak credentials.
Security is more than just technology and it is vital that people and processes form a key part of your protection strategy and a holistic view is taken. Embedding security within your organisation to educate and empower employees is now being seen as a more effective approach and will continue to trend upwards in 2018.
In highly agile development environments, the security culture of your developer teams is key. We are beginning to see security being embedded in development pipelines and, rather than placing the responsibility for security on specialist teams, developers must move towards building with security in mind from the outset.
Organisations like Netflix  and Comcast  are showing us how and why security should be a shared responsibility and we expect these associated methodologies to be more widely adopted throughout 2018.
The UK National Cyber Security Centre's sociotechnical security initiatives  serve as a good example of the real-world focus in this area and gives great guidance and up-to date research.
- Matty McMattface: Security implications mitigations and testing strategies for biometric facial recognition systems
- Infographic: Supply chain cyber risk
- Risk Management: Supplier Assured
- Managing cyber risk in the supply chain
- Evolving supply chain integrity
- Our research
- The Internet of Things
Published date:  19 January 2018
Written by:  NCC Group Reporter