How can organisations best plan and prepare for the cyber events of the future?
2016 was a big year for cyber security, with attacks growing in both frequency and scale. Over two billion personal records were stolen this year alone in a series of data breaches that included Yahoo, MySpace and the National Lottery. The landscape was also dominated by the unprecedented DDoS attack on DNS provider Dyn in October that took down sites like Twitter, Amazon and Netflix.
As we look ahead to 2017, what other threats and trends are lurking on the horizon? And how can organisations best plan and prepare for the cyber events of the future? Here are our top predictions for the year ahead, and suggestions for how they could impact the sector as a whole.
1. More severe legal and financial ramifications will follow huge data breaches
Historically, the ROI on security has been difficult to gauge. Even after seemingly large breaches, share prices have traditionally held steady with little to no real business impact. But during the past year, things have started to change. In October, Verizon asked Yahoo for a $1bn discount as a result of its hack. And in another example, security startup MedSec shorted St Jude stock to punish it for poor pacemaker security.
These are just two of many examples in the past year where poor security has hit a company’s bottom line. With this in mind, during the coming year, we will likely begin to see a trend towards more severe legal and financial fallout from breaches.
2. Stakeholders will push for stronger breach reporting requirements
In Europe, breach reporting requirements have been discussed for some time and will soon come into force with GDPR.
However, there is also a growing global trend for customers and stakeholders to demand more vigilance from companies in terms of data security. It is generally accepted by now that any company could be breached by attackers that have enough time and motivation. But what is absolutely not acceptable is companies that respond to breaches with a lack of transparency – or in even worse situations, those that lack any awareness that a network breach has even taken place.
Set against this backdrop, it would not be surprising if we see stakeholders, regulators and even customers lobbying for stronger breach reporting in 2017, which may lay the groundwork for new legal requirements.
3. The battle of Big Brother will continue
The tail end of 2016 saw the Investigatory Powers Bill, nicknamed the Snoopers' Charter, pass through the House of Commons and Lords despite stiff opposition from privacy advocates, human rights organisations, and even an online petition that amassed many more than the 100,000 signatures needed for a parliamentary debate.
Enterprises are bracing themselves for the potentially wide-ranging impact that the bill could have. ISPs will be among the most severely impacted by it, as they will now be required to store the internet history of each of their customers for 12 months, and these records could be accessed by police, security services and other public bodies with a warrant.
The bill will also grant government agencies the right to legally bug computers and phones if a warrant is approved. Those opposed to the bill have referred to it as “an absolute disgrace to both privacy and freedom” and it is likely that the debate around the interpretation and application of the bill will continue well into 2017.
4. Compliance will flourish in preparation for GDPR
Regulatory compliance requirements have been the bane of many a security professional’s life for many years. The introduction of PCI DSS was the first time that a standard went so deep. With its prescriptive nature, industry buy-in, and independent verifications, the regulation sparked a whole industry of organisations which were created to help companies to deal with the requirements.
But while PCI DSS may have cut to the bone, the EU General Data Protection Regulation (GDPR) has the potential to sever limbs with reckless abandon. Although it is not due to come into effect until 25th May 2018, enterprises do not have much time left to get their security in order.
So during 2017, we are likely to see many services and products rebranded as ‘GDPR compliant’ as part of a wider attempt to ride the compliance tsunami that is about to hit.
5. Car security concerns will intensify
There has been a push by automotive manufacturers to install more intelligence, functionality and automation into vehicles, and computers have been steadily taking over control of many vehicular functions. But these additions have also introduced more security vulnerabilities.
Hacking into vehicles, remotely accessing functions (like the accelerator or brakes), or locating their whereabouts are unfortunately all becoming more commonplace.
There’s no easy fix – but the consequences of vulnerabilities in vehicles can be a lot more catastrophic than a flaw on a website. Next year, we’re likely to see car security concerns intensify right alongside IoT device safety.
6. Internet of Things (IoT) security will become even more controversial
Plenty of security professionals have spoken about the ticking time bomb that is IoT and its lack of security – but few manufacturers took notice of this until the end of 2016, when we witnessed the huge DDoS attacks against reporter Brian Krebs’ site and DNS provider Dyn.
IoT devices are typically insecure by design, and they often lack the option to upgrade or apply patches. Additionally, many vendors choose convenience (e.g., using default credentials in their appliances) over implementing proper security measures, which is a flagrant violation of best practices in product development.
This has resulted in a dangerous misalignment of the stars that allows IoT devices to become weapons (in DDoS attacks), targets (for IoT ransomware), or privacy nightmares (when they’re used to obtain information about users). In 2017, IoT device security will become even more controversial, putting pressure on manufacturers to architect fundamental security principles into the designs of internet-connected products.
We may even see governments around the world take an active role in IoT safety legislation.
7. The death of passwords
The death of passwords has been predicted for many years. While waiting for the other shoe to drop, many experts have been debating whether a burial would be more appropriate or a cremation. While the end might be in sight, passwords are still going strong – like an aging rock star getting up on stage every night to belt out classic hits from his heyday.
It’s unlikely that passwords will go out in a blaze of glory. Rather, they’re more likely to fade into relative obscurity as alternative methods complement or replace password use altogether. A large number of online services now utilise two-step verification with SMS, and fingerprint authentication is also making its way onto more mobile handsets and laptops. Even facial recognition or ‘authentication by selfie’ is being trialled in some areas.
Smaller websites that don’t have the resources to develop their own stronger authentication mechanisms can opt for OAuth-based login, which allows users to log on to their services via their existing accounts at Google, Twitter, Facebook, LinkedIn and other social platforms.
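To make the delegated-login option concrete, here is an added example (not code from the article or from any of the providers it names) that simulates the OAuth 2.0 authorization-code flow in a single Python process. Both parties are toy stand-ins: the provider class and the client class, the hostnames `provider.invalid` and `example.invalid`, the client id `example-site` and the user names are all invented for the illustration. The parameters it uses (`state`, `code_challenge`, `code_verifier`, `redirect_uri`) are the real ones from OAuth 2.0 and its PKCE extension; the point of the example is the checks a small site must perform on the way back in: the `state` value must match the one issued for that browser session, the authorization code must be accepted only once, and the code exchange must carry the matching PKCE verifier.

```python
# Added example: in-process simulation of "log in with provider X" (OAuth 2.0
# authorization-code flow with PKCE). No network, no real provider is contacted.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _query(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _pkce_challenge(verifier):
    """S256 code_challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyProvider:
    """Stand-in for the identity provider (hypothetical; not a real service)."""

    def __init__(self):
        # one-time code -> (client_id, redirect_uri, code_challenge, user)
        self.codes = {}

    def authorize(self, authorize_url, user):
        """The user consents at the provider; it redirects back with code + state."""
        q = _query(authorize_url)
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], user)
        # The provider echoes the client's state untouched.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Exchange a single-use code for a token; None on any mismatch."""
        entry = self.codes.pop(code, None)  # pop: a code can never be replayed
        if entry is None:
            return None
        cid, ruri, challenge, user = entry
        if cid != client_id or ruri != redirect_uri:
            return None
        if not hmac.compare_digest(_pkce_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "user": user}


class ToyClient:
    """The small website delegating login (hypothetical client id and URLs)."""

    def __init__(self, provider, client_id="example-site",
                 redirect_uri="https://example.invalid/cb"):
        self.provider = provider
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending = {}  # browser session id -> (state, code_verifier)

    def start_login(self, session_id):
        """Build the authorization URL; remember state + verifier per session."""
        state = secrets.token_urlsafe(16)      # binds callback to this session
        verifier = secrets.token_urlsafe(32)   # PKCE secret, never leaves the client
        self.pending[session_id] = (state, verifier)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
            "code_challenge": _pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return "https://provider.invalid/authorize?" + urlencode(params)

    def finish_login(self, session_id, callback_url):
        """Handle the redirect back; returns the provider's token or None."""
        entry = self.pending.pop(session_id, None)  # each login attempt is single-use
        if entry is None:
            return None
        state, verifier = entry
        q = _query(callback_url)
        # Reject callbacks whose state was not issued to this session (CSRF / login fixation).
        if not hmac.compare_digest(q.get("state", ""), state):
            return None
        if "code" not in q:
            return None
        return self.provider.token(q["code"], self.client_id, self.redirect_uri, verifier)


if __name__ == "__main__":
    provider = ToyProvider()
    site = ToyClient(provider)
    url = site.start_login("browser-session-1")
    callback = provider.authorize(url, "alice")   # constructed user name
    print(site.finish_login("browser-session-1", callback))
```

Run the file directly to see one successful login; the important behaviour is that a callback with a modified `state`, a replayed callback, or a reused code is rejected rather than silently logging someone in.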
Although no perfect authentication solution is available that can scale as efficiently as passwords, more methods will continue to be developed, pushing pure password authentication further into the background in 2017.
Javvad Malik, security advocate at AlienVault