Ian Kilpatrick, EVP Cyber Security for Nuvias Group (incorporating Wick Hill), looks at the rapidly changing security scenario faced by companies in the coming year
1. Security reaches the boardroom
Over the next year, security breaches will be a regular occurrence. Organisations will struggle to deal with them, causing board-level executives to pay more attention to security, as the financial and reputational consequences become more apparent. For a long time, many company boards have abdicated their responsibility regarding IT security, and are only now recognising that breaches are a business risk that needs to be managed.
Business leaders will increasingly demand clarity around the security risks that their organisations are exposed to, and how secure they are in response to those risks. Alongside this, they will require ongoing monitoring and board level reporting.
2. Tackling existing threats and employee behaviour
Most vulnerabilities will continue to be either known issues or the result of employee behaviour. Organisations need to address vulnerability management in a structured fashion, so they are progressively working their way through security issues rather than being distracted by the latest data breach in the news. Keeping a focus on the key elements of security while still responding to emerging threats isn’t easy, but CISOs need to be able to tell the board, “We need to deal with this first.”
3. More cloud breaches
There will be continued growth in cloud breaches. It’s an attack vector with significant vulnerabilities around identity management and mobile or off-site access. Consequently, Cloud Access Security Broker (CASB) adoption will experience significant growth and there will be more interest in Identity-as-a-Service (IDaaS).
4. Identity Access Management comes of age
Across all areas, identity access management will at last experience strong growth. Organisations are recognising that simple passwords were never secure and, in today’s world, are wholly inadequate. Identity Access Management involves a range of solutions based on multi-factor authentication, and on linking physical access with logical access, e.g. card systems, tokens, mobile phone biometrics, etc.
5. Total Security still not achievable
Companies will realise total security is not achievable, and that they will be breached. As a consequence, they will increasingly move to secure key assets rather than trying to protect everything. They will increasingly invest in technology such as data leakage protection and encryption, as they look to protect their security perimeter against attack, from both inside and outside the organisation.
6. IoT insecurity
The Internet of Things (IoT) will continue to show the stupidity of rolling out applications prior to considering security. The challenge for organisations will be dealing with the security threat of IoT technology getting into the organisation – probably through Shadow IT implementation – which is a nightmare scenario for CISOs. IoT will also drive growth in DDoS solutions, particularly following recent high profile attacks on Twitter, Spotify and Reddit using ‘smart’ home devices.
7. Growth in user training
User training, testing and awareness is a much overlooked area, yet one that continues to experience strong growth, as organisations realise that insecure behaviour at home leads to insecure behaviour at work.
More than 60 percent of all network intrusions stem from compromised user credentials, so education, awareness training and user testing will increase as companies realise employee behaviour is a key vulnerability – but it can be resolved by teaching and managing employees’ awareness skills and competence.
8. Mobility and wireless worries
Mobility security will continue to represent an ever-increasing challenge to organisations, both with device management and user interaction – as will the use of wireless networks.
A large majority of mobile device users will connect to Wi-Fi networks without considering the risks that involves and the credentials they are exposing. Inside organisations, first generation wireless deployments are, in many cases, particularly insecure. There is also an increasing focus on providing high capacity and high performance networks, but that carries with it not only the need to do it securely, but also to offer the right user credentials, particularly in distributed organisations.
9. GDPR preparation
In 2017, the General Data Protection Regulation (GDPR) will drive a lot of changes within organisations in preparation for the May 2018 deadline, as the consequences of not meeting it sink in. If an organisation fails to protect its data, it will be liable to a fine that represents a percentage of its turnover – for many companies, that’s going to really hurt. Organisations need to start thinking about how to mitigate that risk.
10. Implementing best practice
There will be more press coverage of stolen data in 2017, which for many organisations, will expose unresolved issues around passwords, content, and payment card vulnerabilities.
In most cases, companies are unaware when they’ve been breached and may not realise they have been breached for a long time – on average 140 days!
Organisations need to look at encrypting their data, changing login credentials, removing unnecessary user privileges, etc., on a regular basis. If you’re waiting for a breach before implementing these safeguards, you might want to weigh the financial and reputational consequences of a breach against the cost of fixing the problem before it happens.