Predictions are never easy, and they are seldom right or very useful: but they are always fun. And as the holiday season is upon us and the New Year approaches so does the time of year reflection and, you guessed it: cybersecurity predictions.
Here’s my attempt at highlighting what I see as some of the bigger trends that are likely to keep security professionals struggling to keep up in the year ahead, and how I see these trends continuing.
Big cybersecurity trend 1: The information wars heat up
If cybersecurity taught us anything in 2016, it’s that data breaches can now be as much about the damage that can be wrought when private information is made public than data theft for financial gain or competitive advantage. The hacking of the Democratic National Committee (DNC) and email systems, for instance, brought the resignation of Debbie Wasserman Schultz as chairwoman of the DNC. Email server security also plagued candidate Hillary Clinton to the very end of her campaign to become the 45th President of the United States of America. And as 2016 was quite the eventful year when it came to cybersecurity, it’s forgivable to have forgotten Sigmundur Davíð Gunnlaugsson, Iceland’s Prime Minister, for having to step down because of the Panama Papers breach.
These types of events, where large amounts of data are made public as part of a whistleblowing campaign or to publicly embarrass some type of opponent in government or business, are going to increase. And they will continue to be extremely disruptive to our institutions and those who currently have power.
Big cybersecurity trend 2: Nation state meddling
We saw accusations of nation state driven data breaches increase this year. It was in the summer of 2015 that the Obama administration decided to retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management. This year, U.S. Senator Marco Rubio (R-Fla.) warned Russia that there should be consequences to election meddling.
This is another trend that will continue, and the risks of a (hopefully) measured cyber-conflict exchange between nation states increases every year.
Enterprises need to understand if they are operating in a critical infrastructure industry (healthcare delivery, finance, power generation and distribution, manufacturing, etc.) or support such industry than they need to prepare for the possibility of getting caught in the crossfire.
Big cybersecurity trend 3: Fraud is dead, long live credit fraud
As the US, has deployed chip cards, and more people have embraced chip-enabled EMV cards and digital wallets such as Apple Pay and Google Wallet, point of sale system fraud rates have fallen, and this category of fraud is expected to continue to fall. However, card not present fraud was only $10 billion in 2014, it will be more than $20 billion by 2018.
According to this story, New Trends in Credit Card Fraud, in 2015, identity thieves moved from cloning counterfeit cards of existing accounts to opening new fraudulent accounts through identity theft. Expect that to continue, as well as more online fraud. Crime never goes away, it just moves to the paths of least resistance.
That means fraudsters will take aim at your website systems, especially any that accept payments. Watch your online systems and look for ways to detect fraud, such as behavior analysis.
Big cybersecurity trend 4: The Internet of Things (IoT)
For a couple of years now, experts have been predicting that the Internet of Things was creating an emergent set of risks – but as with the rise of most new technologies the hype arrives long before reality. Unfortunately for us, the cybersecurity predictions around IoT began to come true in 2016. A big part of this is not only because these devices have been adopted by so many consumers, but they are also being embraced by enterprises. In fact, roughly 31 percent of organizations, per IDC’s Global IoT Decision Maker Survey, have launched an IoT initiative, with 43 percent planning to deploy IoT in the next twelve months. Most enterprises don’t view these initiatives as trials, but strategic.
This situation is going to get considerably worse. One of the biggest challenges with IoT isn’t enterprises securing these devices – it’s that the device makers are shipping inherently insecure devices. They are too often shipping with default passwords that don’t require they be changed, or communication with the devices doesn’t require proper authentication, firmware updates can occur without being properly signed. And the list goes on.
Organizations are going to continue to get hit by attacks directly attributable to IoT weaknesses, whether a continuation of distributed denial of service attacks – or by encroachments onto their networks made possible by IoT weaknesses.
Big cybersecurity trend 5: Regulatory upheaval
Government and industry regulations that affect cybersecurity are about to get volatile. In the European Union, IT will face data security and breach notification operational changes from the General Data Protection Regulation (GDPR). And in early 2018 the GDPR becomes a legal requirement. Many expect that the GDPR will increase costs of doing business as new data protection measures are put into place to control how, who, and when data is accessed.
Expect more data privacy and security harmonization changes, government surveillance law changes, as well as the potential for Internet of Things cybersecurity design and implementation regulations (maybe not next year for this one, but it’s likely coming soon.).
The regulatory landscape will be changing swiftly, and enterprises will need to be ready to have their security, privacy, and overall risk posture adapt.