In this article, we look at some key Information Security trends to look for as we begin 2016, along with the things you need to consider if you want to stay ahead of the curve…
It should come as no surprise that the stakes for information security have been steadily increasing over the past two decades. As individuals and businesses have grown increasingly dependent on interconnected technology to manage their daily lives, we have seen a corresponding growth in technology-based crime. And, as breaches have grown in size and scope, larger and more sophisticated players have entered the scene – making things unsafe for everyone.
Let’s take a brief look at some of the security trends we can expect for 2016, and also look at some of the ways that organizations and security professionals can prepare themselves to deal with these trends.
Small businesses need enterprise-class support
Because the owners of many small businesses tend to ignore or understate the security threats that affect them, the bad guys have been increasingly targeting the small-to-medium business (SMB) market through social engineering, including spear-phishing campaigns. Small businesses can no longer afford to avoid hiring skilled information security professionals. Nor can they afford to make cost the primary consideration for security-related tools and infrastructure. For many SMBs, a single breach could be a business-ending event, so they need to invest wisely in information and network security resources.
Internet of Things (IoT)
There is much hoopla about connecting fridges, stoves, cameras, toasters and dishwashers to the Internet, and we’re finally starting to see some of these devices come to market. The problem is that they are being built and marketed by organizations or corporate divisions that have little to no information security experience. Not only are these items not being built with security in mind, but no real thought is given to the corporate infrastructure needed to roll out support, updates and fixes. These are things that the Googles, Microsofts, Apples and Oracles of the world have problems with – and they have experience in this area. Can you count on your washing machine vendor to put that same kind of effort into managing security remediation for their interconnected products? Businesses are going to need to employ good policies and effective technology to manage IoT in the workplace.
Ransomware, Ransomware, Ransomware
There is no indication that ransomware is going to decrease in the next few years. If anything, we are going to see more sophistication and greater ransom demands. The encryption being used will be harder to break, and the malware is going to get smarter about grabbing data in cloud storage. Organizations are going to want to take a good look at how and from where they allow their employees to access critical corporate data. Disaster Recovery practices are going to need to focus more on data-denial scenarios than on hardware failure or terrorism scenarios. Redundancy alone will not help here. Business and technology leaders will need to take a good, hard look at where data resides, how it is backed up, and who has access to it.
Spear-phishing and Business Email Compromise (BEC)
It has already been noted that spear-phishing attacks have been growing against the small business market. The truth is that they are growing against firms of all sizes, with some tailoring to the type and size of the organization. Business Email Compromise (BEC), where spoofed emails are used to induce an employee to wire funds to a bad guy, is growing in prevalence and sophistication. According to the FBI, these “CEO Fraud” scams were responsible for over $1.2 billion in losses from October 2013 to August 2015. And there is no sign that it is slowing down. Organizations will need to prioritize security awareness programs, and also configure their mail systems to keep these types of emails from reaching their users. They will also need to tighten up their business processes so that “moving at the speed of business” does not become synonymous with “opening themselves up to massive fraud.”
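As an added example that is not part of the original article: a small heuristic that flags the usual tells of a spoofed “CEO fraud” message (an executive’s display name on the wrong address, a look-alike sender domain, and a Reply-To that redirects the conversation), run over constructed sample headers. The domain and executive list are assumed values.

```python
# Added example, not from the article. OUR_DOMAIN and EXECUTIVES are assumed;
# the two messages below are constructed samples.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                         # assumed: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: names attackers impersonate

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw: bytes) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("executive display name on unexpected address")
    # 2. Sender domain is one edit away from ours (examp1e.com, exarnple.com).
    if from_dom and from_dom != OUR_DOMAIN and edit_distance(from_dom, OUR_DOMAIN) == 1:
        flags.append("look-alike sender domain")
    # 3. Replies are silently redirected to a different mailbox.
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("Reply-To differs from From")
    return flags

# Constructed samples: a fraudulent wire request and a legitimate internal mail.
FRAUD = (b"From: Jane Doe <jane.doe@examp1e.com>\r\n"
         b"Reply-To: ceo.urgent@mail.invalid\r\n"
         b"To: accounts@example.com\r\nSubject: Urgent wire\r\n\r\n"
         b"Please process the attached wire today.\r\n")
LEGIT = (b"From: Jane Doe <jane.doe@example.com>\r\n"
         b"To: accounts@example.com\r\nSubject: Q1 budget\r\n\r\nSee attached.\r\n")
```

Running `bec_flags(FRAUD)` returns all three warning signs, while `bec_flags(LEGIT)` returns an empty list; in practice these checks complement, rather than replace, sender authentication at the mail gateway.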
Mobile as a gateway to the enterprise
Mobile devices continue to take on more substantial roles in the business world, giving employees and customers more flexible access to corporate data. All of this functionality and benefit must come with improved security practices, or the risk of data loss will be significant. In 2016, expect to see at least one breach where a mobile device is clearly implicated as the attack vector into a business that leads to an embarrassing corporate breach notification. Mobile devices need to be made into good corporate citizens so that the balance between function and security can be managed for the health of the overall business.
Encryption everywhere
Even though the various three-letter agencies of the world are pushing for restrictions on encryption use – all in the name of security, of course – we are definitely going to see more end-to-end encryption solutions that are available to big companies, small companies and individuals alike. We will see more organizations look to deploy encryption throughout their organization, and not just at the perimeter. Yes, encryption can be a bit cumbersome to implement, but that’s not what is on everyone’s mind when a breach is announced. No… everyone is asking, “Did they encrypt that data?!?” It’s 2016. There is no reason not to encrypt data coming in, going out, and traveling in between.
Protection must be applied at many layers – including the data itself. The goal here is not to focus on security as an end in itself. It’s not about “doing security” as much as it is about “conducting business operations securely.” And it starts with thinking of security as just a basic part of successful business operations.