This year, we will likely see a shift in the way we respond to cyber attacks, as both the business community and consumers finally accept that data breaches are a part of life. After a series of high-profile data breaches in 2015 – including TalkTalk, Ashley Madison and Hacking Team – consumers are becoming increasingly aware of the seriousness of security breaches and their potential impact on data theft victims. As a result, we anticipate that these highly publicised incidents will help lead to a shift in the way that businesses respond to attacks, with security teams looking to strengthen their incident response methodologies and collaborating to find new ways to protect themselves from emerging threats.
In the wake of these major breaches, there is a greater need for companies to respond quickly and effectively. This is not just from a technology perspective, to get their systems back up and running again; companies also need to make sure they have the right communication strategies in place to reassure both stakeholders and customers. There have been several examples throughout the year where the public relations part of a breach was not handled optimally. So in 2016, we expect the boardrooms of many companies to increase their focus on all aspects of incident response as they look to acquire or further develop the skills required to respond effectively.
As high-profile breaches become more commonplace, better collaboration will be needed among IT security teams in order to share information on emerging threats. Next year, we expect to see more formal processes in place for sharing information on potential security threats. This will not only be among organisations and industry verticals, but perhaps more importantly, among individual security practitioners as well. With the creation of more trust networks for the sharing of threat data and best practices, companies will be in a better position to defend themselves against threats.
To help consumers understand the potential dangers involved, we expect to see an increased push around security awareness training in the coming year. User awareness training has been the bane of many a security professional’s existence in recent years. However, such training has begun to expand out of the corporate world, with government educational initiatives and programs aimed at teaching children to be safe online. This awareness training trend will likely continue and expand in 2016.
Next year we are also likely to see criminals start to combine personal data stolen from different breaches to cause maximum damage to affected individuals. Traditionally, it’s taken a while for people to notice the impact of a data breach. Identities get stolen, as does money from bank accounts. However, the Ashley Madison breach changed the dynamic because it brought to light the fact that, given the right context, both personal and professional lives could be much more severely impacted by data breaches than previously thought. Unfortunately, the rising frequency of breaches doesn’t look to be slowing down any time soon, and so, going forward, the cumulative impact of data correlated from multiple breaches may pose a significant threat to victims.
Privacy will also continue to be a key issue next year – for companies and individuals alike. The continuing evolution of attempts to regulate privacy in different countries across Europe will pull information security issues to the forefront of many debates. Most prominent will be the case of Safe Harbour and how such European rulings will affect the global transfer of personal data going forwards.
The proliferation of the ‘Internet of Things,’ and the security threats that come with it, have been in the news repeatedly in 2015, as researchers discovered and made public potential vulnerabilities around the plethora of Internet-connected consumer devices. Researchers found serious vulnerabilities in things like aeroplanes, medical devices, guns and cars, where hacks could have potentially devastating consequences. The discovery of new security vulnerabilities in the expanding number of Internet-connected things is likely to continue in 2016.
However, as more security vulnerabilities come to light, we can also expect to see further delays in the time taken by companies to respond to security researchers who contact them about potential problems. Earlier this year, an AlienVault survey revealed that the majority of IT professionals (64 per cent) believe that if security researchers get no response from manufacturers when disclosing vulnerabilities with life-threatening implications, then such information should be made available to the public.
Security researchers are positioned at a pivotal time in breach history, and 2016 could bring about radical changes in how vulnerabilities are discovered, confirmed, reported and addressed. The emergence of tech companies adopting bug bounty programs has helped facilitate company/researcher relationships; however, there are still large segments of manufacturing and industry that would rather utilise lawyers to block research than address discovered vulnerabilities. Researcher self-regulation has been touted as another option for security researchers to consider. It is unlikely that we will see the conclusion to this debate, but we will likely see some major moves being made in 2016.
Javvad Malik is a London-based Security Advocate at AlienVault.