In 2016, the pace and cost of data breaches increased and threat vectors multiplied, with attacks traced to foreign governments, global organized crime syndicates, and hacktivist groups. Insider threats also intensified: the negligence, human error, and malicious intent of those inside the breached organization led to a significant portion of data breaches, and these types of attacks are often harder to detect. Many breaches could have been avoided by deploying and following through on basic cybersecurity measures. However, attackers continue to become more sophisticated and their methods more advanced.
The Information Security Forum has identified four predominant security threats that organizations need to prepare for in 2017:
1. The IoT Adds Unmanaged Risks
Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines.
The European Commission has said it is planning to push industry governance measures to improve the security of internet connected devices such as cameras, set-top boxes and other consumer electronics, amidst increasing exploitation of such devices to carry out online attacks.
The Obama administration has also issued sweeping guidelines on cybersecurity for internet-connected devices, stressing an engineering-based approach that builds security systems directly into IoT technology, whilst the Department of Homeland Security has separately released its own cybersecurity policy for IoT devices, delineating six strategic principles that it believes will help stakeholders stop hackers from tampering with connected devices.
Organizations that get on the front foot now and prepare for stricter regulation will find themselves ahead of the curve and in customers’ good graces. They’ll also make better business decisions along the way.
2. Crime Syndicates Take a Quantum Leap
Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime.
Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide. Rogue governments will continue to exploit this situation and the resulting cyber-incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.
Emerging markets will be hit the hardest, particularly where newly connected organizations are novices with online security. This may also occur where the rule of law is weak and political structures are susceptible to co-option or corruption. Cooperation between governments and international organizations such as Interpol will be strained and appear feeble when faced by the challenges of safe havens for criminal organizations.
3. Government and Regulators Won’t Do It for You
The number of data breaches will grow over the next year, along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organizations while doing little to deter attackers.
With reform on the horizon, organizations conducting business in Europe, or those planning to do so, must get an immediate handle on what data they are collecting on European individuals. They should also know where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it. The demands of the incoming EU General Data Protection Regulation (GDPR) and the Network Information Security Directive will present substantial data management challenges to the unprepared, with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber-attack or information loss.
4. The Role of the End User – The Weakest or Strongest Link in the Security Chain
In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.
If we learned one lesson from 2016, it should be that the consequences of data breaches extend well beyond individual identity theft and exposure. High-level corporate secrets, critical infrastructure, and fundamental government systems are constantly under attack. Organizations must be vigilant, analyzing the emerging threats that have shifted in the past year, as well as those they should prepare for in 2017.