Whilst 2014 proved to be a significant year in terms of major data breaches, 2015 has certainly taken things one step further and proved that data protection needs to drastically improve. In a year that has seen major stories such as the Ashley Madison and VTech breaches, the current state of organisations' cyber defences is definitely questionable.
Whilst the breach barrage has continued to capture headlines throughout 2015, it's clearly not enough to raise industry awareness of the reality of the ever-evolving security threats. As we look forward to the rest of the year, it's the perfect time to reflect on past security events and the current state of the industry, and to provide a glimpse of how we anticipate the threat landscape will evolve.
Below, Barry Scott, CTO, EMEA Centrify, and Corey Williams, Senior Director of Products, Centrify give their lowdown on what to expect in the year ahead.
Organisations should not rest on their laurels with the thought that they may have escaped a data breach and need not do anything about further securing their data. The likelihood is that 2016 will bring more of the same. There will be one or two really spectacular breaches this year in Europe, continuing the trend we saw in 2015. But the stakes will be even higher, with bigger financial losses and potentially millions being wiped off the value of companies that suffer data breaches, according to Barry Scott, CTO, EMEA Centrify.
The recent events in France may also swing the pendulum back in the 'security vs. privacy' debate, which will in turn affect attitudes to encryption. Everyone will be scrabbling around to work out exactly what they need to do to get on the right side of the upcoming EU General Data Protection Regulation (GDPR). But the question is whether the GDPR and protecting against data breaches will conflict with the general 'security vs. privacy' debate as it applies to crime and terrorism.
Scott also believes that people will finally realise that multi-factor authentication is a necessity and not an option, where username/password authentication is being used, and will also realise that it can often be configured to trust your machine after the first time you use it, so it will only really inconvenience hackers rather than the genuine user. You will also get a warning when someone is trying to get into your account. Major consumer apps are already supporting it, as Amazon announced recently.
Unfortunately the breach headlines last year were even more striking than any of us could predict. 2015 breaches involved high-profile criminal and state-sponsored attacks. Breaches involved millions of personnel records of government employees, tens of millions of records of insurance customers, and hundreds of millions of customer records from various other companies. This year we even heard of a billion-dollar bank heist, says Corey Williams, Senior Director of Products, Centrify.
Many of these companies had implemented advanced malware protection and next-generation firewalls and delivered regular security training sessions for employees. Yet breaches are still happening. What we know from cybersecurity experts is that the vast majority of breaches occurring today are due to a single vulnerability that is still not adequately addressed: compromised user credentials, AKA the humble username and password. Through phishing, Trojans and APTs, hackers today are focused on these digital "keys to the kingdom" used to access sensitive data and systems.
Williams notes that 2016 will (and must) adopt measures to mitigate the risk of compromised credentials. Complex and unique passwords are a start, but will never be enough. Multi-factor authentication will be implemented more broadly and across more apps and devices, adaptive access will be used to detect and stop suspicious login attempts and granular privilege management will be adopted to reduce the impact of compromised credentials. Companies will start to accept that compromised credentials are the new normal and will take steps to mitigate the risk they represent.
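The login flow Scott and Williams describe (a second factor demanded only on an unknown machine, the machine trusted after the first successful challenge, and the genuine user warned when someone with the right password turns up on an untrusted device) as an added example; this is illustrative code written for this page, not Centrify's product code. It assumes an in-memory account record, a constructed RFC 4226 HOTP second factor, and a random device token handed back to the browser as the "trust this machine" marker.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:                       # constructed in-memory model; a real system persists this server-side
    password_hash: bytes
    salt: bytes
    otp_secret: bytes                # shared secret for the second factor (assumed HOTP)
    otp_counter: int = 0
    trusted_devices: set = field(default_factory=set)   # hashes of issued device tokens
    alerts: list = field(default_factory=list)          # "someone tried to get in" notices

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(hash_password(password, salt), salt, secrets.token_bytes(20))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: 6-digit code from HMAC-SHA1 with dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

def device_id(token: bytes) -> str:
    # Only a hash of the token is stored, so a leaked database cannot mint trusted devices.
    return hashlib.sha256(token).hexdigest()

def login(acct: Account, password: str, device_token: Optional[bytes], otp: Optional[str]):
    """Return (outcome, device_token); outcome is 'denied', 'mfa_required' or 'ok'."""
    if not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
        acct.alerts.append("wrong password")
        return "denied", None
    # Known machine: the second factor is skipped, as the article describes.
    if device_token is not None and device_id(device_token) in acct.trusted_devices:
        return "ok", device_token
    # Unknown machine: warn the genuine user and demand a one-time code.
    acct.alerts.append("correct password presented from an untrusted device")
    if otp is None or not hmac.compare_digest(otp, hotp(acct.otp_secret, acct.otp_counter)):
        return "mfa_required", None
    acct.otp_counter += 1            # each code is accepted once
    new_token = secrets.token_bytes(32)
    acct.trusted_devices.add(device_id(new_token))
    return "ok", new_token
```

A stolen password alone therefore yields `mfa_required` plus an alert, while the legitimate user on an already-trusted machine is never challenged again.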
There have been some significant shifts in the threat landscape in 2015, with more significant large-scale data breaches occurring. Despite this, organisations should continue to follow the basic security fundamentals and best practice and focus on finding alternatives to passwords. Increased use of multi-factor authentication to plug the holes passwords can leave will prove effective at mitigating the risks.
Barry Scott, CTO, EMEA Centrify