The last twelve months may well go down in history as the year that data breaches went mainstream. As businesses continue to struggle to keep pace with the ever-evolving sophisticated techniques of cybercriminals, the likelihood is that 2016 will see business systems continue to be breached and consumer data increasingly stolen.
Key trends in the next 12 months will see dated code come back to haunt businesses, threats from the Internet of Things increase significantly, the lucrative new top-level domains become more appealing to attackers, and the US election pose a significant threat to consumers.
Ghosts of the Internet past will come back to haunt businesses
Like barnacles spreading across a boat, the cost of security maintenance will grow over the next 12 months and create massive problems for Internet infrastructure and security practices. A surprising number of the most popular websites on the Internet are not as secure as they should be with respect to their TLS certificates, which leaves them vulnerable to exploitation.
Out-of-date software applications invite compromise, rapid OS updates and new trends in software end-of-life processes cause havoc, and new applications built on recycled code with old vulnerabilities still linger. All of these ghosts of Internet past will come back to haunt businesses in 2016.
Businesses must make every effort to migrate to current versions of infrastructure products to avoid being taken by surprise when upgrade costs snowball and support dwindles. The security risks posed by aging systems should be evaluated on an ongoing basis to make sure no loose ends are missed, and that the drag caused by older systems is minimised.
The Internet of Things will help (and hurt) us all
The websites, apps and electronic devices that comprise the Internet of Things make navigating personal and business tasks more convenient than ever. However, their popularity also means a wider attack surface, expanse of data and range of vulnerabilities for threat actors to exploit.
As a result, industries that utilise a large number of connected devices and networked systems in the course of their everyday business, such as healthcare, are likely to face a wider range of security vulnerabilities and threats in the next 12 months.
To counter this, businesses must rationalise policies across devices for security consistency, take into account the number and type of devices and applications connected to their network, and adjust their security parameters accordingly. Those that haven’t already must introduce employee training programs on cybersecurity best practice and acceptable use policies to mitigate risk.
The US elections cycle will drive significant themed attacks
The Internet is now a key part of reaching constituents on election campaign trails. Next year’s US presidential race will likely see the most prolific use of social media campaigning yet, as candidates and their teams turn to Facebook, Twitter and Instagram to reach voters.
But this approach is not without its perils, as attackers will use the attention given to political campaigns, platforms and candidates as an opportunity to tailor social engineering lures. There’s little to prevent incendiary, inaccurate information from virally spreading and being accepted by the public as factual, while hacktivists may reveal personal details or use compromised accounts to spread false information that appears to come from the candidate.
Security lapses and gaps in defences will prove costly for those who are not diligent during this time. Even if such information is later corrected, this false information lives forever on the Internet with the potential to inform opinions and, as a result, misinform and potentially direct the actions of the electorate.
In addition to the obvious social engineering threats around the political campaigns, platforms and candidates, the tools and infrastructure of those involved with the political process (i.e. candidates, news sites, support groups) will be targeted.
.Cyber and .Criminal are coming for your .Money and .Computer
The age of .com, .co.uk, .net and .org is well behind us, with the likes of .car, .wine and .PlayStation now joining the domain party. The number of generic top-level domains exceeded 800 in November, with around 1300 more on the waiting list.
This new wave of top-level domains will be rapidly colonised by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
These new domains will make it significantly more difficult to protect users, as many defenders are unprepared for the new landscape, so it’s vital to consider how these new resources and facilities might be abused by an attacker.
Cybersecurity insurers will change how security is defined and implemented
As data breaches intensify through 2016, corporations will gradually realise the value of their data is a large part of their assets, and a huge potential cost during a cyber event. For some companies, a data breach could be the largest single risk for business continuity – especially considering the liability from loss of personally identifiable information (PII).
It’s therefore likely there will be an increased sophistication in how the risks associated with a cyber breach are factored into policy cost. Insurance companies may even turn to intelligence and security companies to help provide actuarial data on attacks to develop more consistent, specific tables and ratings for companies.
Insurance companies will mature their offerings with qualifications, exceptions and exemptions allowing them to refuse payment for breaches caused by ineffective security practices. Premiums and payouts will become more aligned with underlying security postures and better models of the cost of an actual breach. Further, insurance companies will greatly affect security programs, as requirements for insurance become as significant as many regulatory requirements (PCI, HIPAA, ISO 27001).
As cyberinsurance becomes increasingly mainstream, savvy cyber defenders must consider policy costs and the impact of verifiable security risk exposure in their buying decisions. Regularly training employees to be smart with email attachments and browsing behaviour will be vital to reducing the risk of breaches and, in turn, to lowering insurance premiums.
The age of post-privacy
The increasing frequency of data breaches is changing the way people think about PII. Further breaches and loss of PII will drive major shifts in the way in which privacy is perceived – to the extent that we will reach a ‘post-privacy’ society where it is not uncommon to have access to information previously considered personal.
We are already seeing Millennials willing to share more information online as their activities become increasingly digitalised.
This will create major headaches for businesses, as the growing prevalence of BYOD, applications and gadgets that record personal health information means they may hold PII in areas they didn’t suspect. This mixing of corporate and personal information will become a real mess for security and compliance officers to sort out.
Just as the previous decade saw the introduction of “the right to be forgotten,” anticipate that within the next decade similar large shifts in privacy rights and expectations will emerge.
Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud
We’ve already seen the potential size and scale of retail hacks in 2015, but tumultuous shifts in the payments and payment security landscape will play right into the hands of savvy cybercriminals in the next 12 months.
Hacks targeting mobile devices and new payment methodologies will impact payment security, while the increase in non-traditional payment methods on mobile devices or via beacons and smart carts will open up the doors for a new wave of retail data breaches.
Data Theft Prevention technology adoption will dramatically increase in more mainstream companies
Data theft was almost a weekly occurrence through 2015, with a huge increase in data theft attacks affecting companies across various industries, from government agencies, healthcare and financial services to higher education and even the security industry itself.
As a result of the very public breaches of 2015, predicted changes in cyber insurance, increased visibility in the boardroom for all things cyber and continued worries about data loss, there will be a more aggressive adoption of data theft prevention strategies. The prevailing assumption among security teams will become ‘we are already compromised’ to help them strengthen their ability to deal with the inevitable.
Carl Leonard, principal security analyst at Raytheon|Websense