Cybercrime will not go away or be defeated in 2016, and will instead continue its spread into all sectors of the economy as the digital revolution brings more and more firms into the firing line.
Simon Viney, a director of Security Science at Stroz Friedberg, the investigations, intelligence and risk management company, believes the threat will increasingly have ramifications for corporations, boards, governments and regulators, and is predicting a number of key changes to the cybersecurity landscape in the year ahead.
Cyber takes a seat on the board
Companies are coming under growing pressure from investors, customers and regulators to provide reassurance that cyber risks are being actively managed. Where they fail, heads will increasingly roll. There is a lack of cyber awareness and associated specialist skills in boardrooms worldwide, but this can be addressed by treating cyber risk in a similar manner to financial risk. Boards will establish committees responsible for overseeing cybersecurity risk, modelled on existing audit committees. Leading companies, especially in high-risk industries, will appoint specialist non-executive cyber directors. Regular updates by the CIO or CISO, as well as briefings by outside experts on issues such as threat intelligence, will soon become as common within corporate boards as considerations of financial risk.
Insider threats come to the fore
Until now, the business world’s attention has been focused squarely on external threat actors when it comes to cybersecurity. But in 2016, insider threats – in other words, current or ex-employees with knowledge of, and access to, the corporate network – will take centre stage, forcing human resources leaders into the growing cross-functional cybersecurity team. As boardroom oversight of the risk environment grows, forward-thinking companies will start proactively addressing the insider threat by investing in processes and technologies that help to identify and, in some cases, neutralise such risks, before they cause material damage.
Focus shifts from prevention to mitigation
This is already happening, as corporations recognise cybercrime as an enterprise risk and begin managing it as such, using the same risk-management approach they apply to other business risks. Mitigation is especially relevant in the context of cybersecurity because no one can prevent all cyber breaches: a sufficiently motivated and well-resourced adversary can and will get into a network. Consequently, terms like 'cyber defence' are increasingly being seen as unhelpful because they evoke the image of corporations establishing an invincible perimeter around their networks to keep bad actors out. As the year evolves, more and more executives will start to frame the goal of the board-level cybersecurity review as a combination of 'cyber resistance' and 'cyber resilience': whilst you seek to limit attacks, some breaches will still happen, so it is more important to focus on preparing to respond to and recover from breaches as effectively and rapidly as possible.
Regulators will demand action
Within the sectors that are at greatest risk of cyberattack, UK regulatory bodies are already taking steps to move cyber resilience up the agenda. In financial services, Operation Resilient Shield was the latest example of cooperation between the Bank of England and other UK and US financial authorities to stress-test key institutions' responses to a simulated attack. As a greater understanding of the industry's preparedness emerges, we will likely see regulators push the concept of 'cyber competent' persons as a requirement for boards. But cybercrime knows no boundaries, and other sectors are likely to gradually follow suit with demands relating to cybersecurity, especially as the use of large volumes of customer data becomes commonplace across all areas of industry.
Cyber insurance premiums will skyrocket
Continued strong demand for cyber coverage would drive gross written premiums up in 2016 even if other factors remained equal. However, the market is also affected by restricted supply, as the constantly evolving nature of the threats, immature risk models, and an underdeveloped reinsurance market all put insurers off entering this particular niche. Together, these factors look set to cause a dramatic increase in premiums, particularly for retailers, healthcare providers, banks, and others considered high risk. At the same time, uncertainty about concentration of exposure to cybercrime is likely to see some regulators impose cyber incident ‘stress testing’ similar to that introduced for banks following the financial crisis. Such testing would model the impact of multiple, simultaneous incidents on cyber insurance underwriters and, potentially, stop those that fail these tests from writing new policies.
Hackers attack the Internet of Things
Much like the 2014 spike in data breaches that propelled businesses to treat cybersecurity in earnest, 2016 will be the year of the consumer awakening as the Internet of Things emerges as a dangerous target allowing hackers to gain access to previously unimaginable aspects of life and business. As a result of a major physical disruption engineered through the breach of a connected car, medical device, or even a connected toy, regulators and consumers will demand action. Expect companies to spend untold amounts testing and retrofitting connected devices to meet hastily approved ‘privacy and security by design’ rules across a range of sectors and jurisdictions.
Data processing and storage goes local
The recent demise of the EU-US Safe Harbour agreement, which allowed the transfer of European citizens' data to the US, will continue to disrupt data flows for multinational companies and even many of those just trading across the Atlantic. Huge fines now loom for illegal trans-border transfers, and political disputes over alternatives look set to drag on. Distrust of US government surveillance and subpoena power, together with expanding European nationalism, means that a new agreement is unlikely to be forthcoming. This uncertainty is expected to drive some EU companies to avoid doing business with the US altogether, while other multinationals will opt to segregate business functions geographically by building local cloud services and data centres that shield them from penalties.
Cyber threats influence the 2016 US election
During the US elections in 2008 and 2012, cyberattackers targeted both presidential candidates’ websites and emails. Now that campaign websites are used to raise money, their desirability and profile as targets for 'hacktivists' and cybercriminals alike will increase. US primary frontrunners and eventual nominees from both parties will be successfully targeted, and at least one campaign undermined by a data breach.
As the commercialisation of politics becomes ever more pervasive around the world, hacktivism such as this targeting of political websites will expand globally, including to the UK.
Simon Viney, Director of Security Science at Stroz Friedberg