1. Security reaches the boardroom
In 2017, security breaches will be a regular occurrence.
Organisations will continue to struggle to deal with them, causing board-level executives to pay more attention to security, as the financial and reputational consequences become more apparent – the average cost of a serious data breach to a company is now $3.5 million.
The fact is that many company boards have abdicated their responsibility regarding IT security for a long time, and are only now overtly recognising that breaches are a business risk, the same as a foreign exchange risk or a fire risk, and they need to understand it and manage it.
Business leaders will increasingly demand clarity around the security risks that their organisations are exposed to, and how secure they are in response to those risks, particularly around issues like PCI compliance. Alongside this, they will require ongoing monitoring and board level reporting.
As such, IT professionals will need to deliver a clear-cut definition of proper measures to tackle the risks.
2. Tackling existing threats and employee behaviour
Most vulnerabilities will continue to either be known vulnerabilities or down to employee behaviour, and organisations shouldn’t be distracted by the big cyber-attack headlines in the press, or knee-jerk responses and marketing hype from security vendors.
Organisations need to address their vulnerability management in a structured fashion so they are progressively working their way through managing their own vulnerabilities, rather than getting distracted by the latest data breach that’s making the news.
Keeping a core focus on the key elements of security, while still responding to upcoming threats, isn’t easy, but CISOs need the strength to push back to the board to say, “We need to deal with this first.”
3. More cloud breaches
There will be continued growth in cloud breaches. The cloud is an attack vector with significant vulnerabilities around identity management and mobile or off-site access.
Consequently, cloud access security broking will experience significant growth and there will be more interest in Identity-as-a-Service (IDaaS).
Indeed, Gartner predicts that 40 percent of identity and access management (IAM) purchases (see below) will use the IDaaS delivery model by 2020, up from just 20 percent in 2016.
4. Identity access management comes of age
Across all areas, identity access management will at last reach the position it should have held ten years ago, and experience strong growth.
Organisations are starting to recognise that simple passwords have always been insecure, but in this new world they are now totally insecure, particularly with user passwords being harvested in the hundreds of millions from social media sites.
Identity access management involves a range of solutions based on multi-factor authentication, linking between physical access and logical access, e.g. card systems, tokens, mobile phone biometrics, etc.
While biometrics can appear as a panacea, bear in mind that your biometric is a core unique identifier that, unlike a password, cannot be changed; if the underlying database is breached, that identifier is useless from that point on.
5. Total security still not achievable
Companies will realise total security is not achievable, and that they will be breached. The consequence of that is that they will increasingly move to secure key assets rather than try to protect everything.
They will increasingly invest in technology such as data leakage protection and encryption, as they look to protect their security perimeter against attack, from both inside and outside the organisation.
6. IoT insecurity
The Internet of Things (IoT) will continue to show the stupidity of rolling out applications prior to considering security.
The challenge for organisations will be dealing with the security threat of IoT technology getting into the organisation – probably through shadow IT implementation – which is a nightmare scenario for CISOs.
IoT will also drive growth in DDoS solutions, particularly following the recent high profile attacks on Twitter, Spotify and Reddit using ‘smart’ home devices.
7. Growth in user training
One much overlooked area is user training, testing and awareness, but one that continues to experience strong growth, as organisations realise that insecure behaviour at home leads to insecure behaviour in work-mode.
More than 60% of all network intrusions stem from compromised user credentials, so education, awareness training and user testing will increase as companies realise employee behaviour is a key vulnerability – but it can be resolved by teaching and managing employees’ awareness skills and competence.
Measurements show that, for most organisations, initial testing of employee skills demonstrates average failure rates of 20%, which slowly decline over time – but worryingly rarely reach zero!
8. Mobility and wireless worries
Mobility security will continue to represent an ever-increasing challenge to organisations both with device management and user interaction – as will the use of wireless networks.
A large majority of mobile device users will connect to Wi-Fi networks without considering the risks that involves and the credentials they are exposing. Inside organisations, first generation wireless deployments are, in many cases, particularly insecure.
There is an increasing focus on providing high-capacity, high-performance networks, but that carries with it not only the need to build them securely, but also to issue the right user credentials, particularly in distributed organisations, where there have been many high-profile breaches.
9. GDPR preparation
In 2017, the General Data Protection Regulation (GDPR) will drive a lot of changes within organisations in preparation for the May 2018 deadline, as the consequences of not meeting the deadline sink in.
If an organisation fails to protect its data, it will be liable to a fine that represents a percentage of its turnover.
Bear in mind there are organisations only making two or three percent profit as a percentage of their turnover, so that’s going to hurt – and possibly cause a collapse of share prices. Companies need to start thinking about how to mitigate that risk.
10. Implementing best practice
There will be more press coverage of stolen data in 2017, which for many organisations, will expose unresolved issues around passwords, content, and payment card vulnerabilities.
In most cases, companies are unaware when they’ve been breached. Just because you think you’re safe, doesn’t mean you are; if nothing appears to have happened, it doesn’t mean it didn’t happen or isn’t still happening.
Shockingly, the average length of time an attacker stays inside a network before detection is more than 140 days – that’s if the attacker doesn’t just copy the data and disappear.
As a result, you may not find out you were breached for a long time. Some recently discovered breaches date back over four years.
Organisations need to look at encrypting their data, changing login credentials, removing user privilege, etc., on a regular basis.
At worst, you will have spent the time implementing best practice, and at best you’ve stopped potential attackers using your own data against you.
If you’re waiting for a breach before implementing these safeguards, you might want to think about the financial and reputational consequences compared to the cost of fixing it before it happens.