This year has been characterised by a familiar litany of the same old problems which have bedevilled organisations in previous years. While we saw a few cunning new variants of existing cyber-attack techniques, the vast majority of breaches could and should have been foreseen and prevented. Even worse, there was no let-up in the steady stream of breaches caused by carelessness, and often downright negligence.
Corporate leaders and their technical experts have also continued to talk in different languages. CEOs know that “cyber” is important – crucial, even – to the business but see it as essentially a support service. Their main duty is to focus on improving shareholder value. If they do not understand how security, communications technology or other ‘support services’ affect shareholder value, for good or ill, they will rightly pay little attention.
We have also started to detect the signs of ‘cyber-security fatigue’ among executives, perhaps driven by a mixture of fatalism and an awareness of the ever-rising costs of counter-measures. This has dangerous implications because some organisations might decide that, if they cannot absolutely guarantee protecting themselves, they might as well not try very hard.
In brief, 2016 has been a year where the same old mistakes have continued to occur and breaches have therefore persisted. Unfortunately, we will only see more of this to come next year. However, with emerging technologies increasingly used in business IT infrastructure, in 2017 we will see some changes in the security space which will lay the foundations for a more proactive approach to cyber-security:
1. Resilience and recovery will become commercial differentiators
Cyber-attacks are now so powerful that only a fool will claim to be invulnerable. Even the smartest organisation can be hit by an attack, so in 2017 the differentiating factor is how they deal with it. A quick, slick and full recovery will attract sympathy and respect from the markets, while an incompetent recovery will attract criticism and lawsuits.
At the end of November, the San Francisco Municipal Transportation Agency suffered a major ransomware attack but, because of a robust backup process, restored most functionality within a day.
Next year, we will see which companies are serious about the challenge by whether they take a coordinated approach combining protection, detection and response.
2. Curation of data will become a key focus for all organisations, not just the data-rich
Investors, shareholders, customers and regulators will increasingly demand to see prudent stewardship of sensitive data (not least because of the impending General Data Protection Regulation). Specialist data loss prevention (DLP) tools are valuable if used properly, but many businesses either approach DLP piecemeal or assume that using a DLP tool is enough.
In 2017, organisations will need to assess the risks, identify the key data to protect, monitor their networks diligently, update policies, train staff and maintain a healthy security culture. Organisations also usually hold the sensitive data of third parties, and must protect it as well as they protect their own.
3. Global clients will demand to inspect their supply chains’ data security
Most organisations already realise that their sensitive data is held in their supply chain as well as internally. There is often a stark gulf between what organisations expect of their suppliers and the contractual obligations they impose on them.
As awareness of cyber-security risks grows, we are starting to see global businesses seek demonstrable proof of data security competence from key professional advisers such as law firms, accountancy practices and business consultancies. The biggest clients are well placed to insist on good data security as a condition of placing their business with such advisers, and it is a trend which we believe will only grow long into 2017 and beyond.
4. Board meetings will routinely discuss IT security, as they try to meet the challenges of a developing digital enterprise
There are now so many disruptive cyber-attacks against major organisations that even the most technophobic senior executives are sitting up and taking notice. They may not care about IT as such, but they certainly care about the business goals it helps to deliver. No longer can they ignore the problem of cyber-security or dismiss it as ‘something for the IT guys’.
2017 will be the year that Boards will finally come to see IT security as a critical business risk, will review it regularly, and will want to discuss it in language they understand. Organisations will need to equip senior IT staff to bridge the communication gap, by understanding the needs of the Board and striving to talk their language. This is a major shift in mindset, and is likely to require a deliberate and well-structured programme of training for executives and IT experts alike.
5. Poor routine IT practices will still cause the most avoidable harm
Most of the cyber-security problems which affect organisations do not happen because of ingenious new cyber-attack techniques or sneaky malicious insiders. We continue to be amazed at how many businesses fail to do the vital housekeeping tasks which reduce their risks. Whether it is effective vulnerability patching, appropriate threat intelligence, an access management system which truly reflects only current users, implementation of ‘least privilege’ access, or taking action on the recommendations of penetration tests, many organisations fall short. This will unfortunately continue into 2017.
Too many data-rich organisations fail to take reasonable steps on the housekeeping basics and are needlessly vulnerable to data loss, data theft or external disruption of their systems. This means that most of the headline breaches of 2017 will be avoidable.
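Two of the housekeeping checks named above (an access management system that reflects only current users, and least-privilege access) can be reduced to a simple reconciliation that most organisations never automate. The following is an added example, not code from the original article or from Fujitsu: it cross-references a constructed directory export against a constructed HR roster and an approved privileged-membership list, and flags enabled accounts for leavers, dormant accounts and privileged-group memberships that nobody has signed off. The field names (`user`, `enabled`, `groups`, `last_login`), the `svc-` service-account prefix and the 90-day dormancy threshold are assumptions for illustration, not any product's schema.

```python
"""
Added example (not from the original article): reconcile a directory export
against the HR roster and an approved privileged-access list.
All input data below is constructed; field names are assumed, not a real schema.
"""
from datetime import date

# Constructed HR roster: everyone currently employed. Anyone absent is a leaver.
HR_CURRENT_STAFF = {"alice", "bob", "carol", "dave"}

# Constructed directory export (the kind of data an AD/LDAP/IdP dump gives you).
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": {"staff"}, "last_login": date(2016, 12, 1)},
    {"user": "bob", "enabled": True, "groups": {"staff", "domain-admins"}, "last_login": date(2016, 11, 30)},
    {"user": "carol", "enabled": True, "groups": {"staff"}, "last_login": date(2016, 6, 2)},
    {"user": "dave", "enabled": True, "groups": {"staff"}, "last_login": None},  # never logged in
    {"user": "erin", "enabled": True, "groups": {"staff", "domain-admins"}, "last_login": date(2016, 10, 14)},  # left the company
    {"user": "svc-backup", "enabled": True, "groups": {"domain-admins"}, "last_login": date(2016, 12, 1)},
]

# Assumed change-controlled list of who is allowed in each privileged group.
APPROVED_PRIVILEGED = {"domain-admins": {"bob", "svc-backup"}}

# Assumed naming convention: service accounts have no HR record and are skipped
# by the leaver check (they still need an owner, which is outside this example).
SERVICE_ACCOUNT_PREFIX = "svc-"


def reconcile(accounts, hr_staff, approved_privileged, today, dormant_days=90):
    """Return a list of (finding_type, subject) tuples for an access review.

    LEAVER_STILL_ENABLED  enabled human account with no current HR record
    DORMANT               enabled account unused for more than dormant_days
    UNAPPROVED_PRIVILEGE  membership of a privileged group not on the approved list
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        is_service = user.startswith(SERVICE_ACCOUNT_PREFIX)

        # 1. Joiners/movers/leavers: the directory must reflect only current users.
        if acct["enabled"] and not is_service and user not in hr_staff:
            findings.append(("LEAVER_STILL_ENABLED", user))

        # 2. Dormant accounts are the usual way a leaver slips through; a never-used
        #    account is treated as dormant too.
        if acct["enabled"]:
            last = acct["last_login"]
            if last is None or (today - last).days > dormant_days:
                findings.append(("DORMANT", user))

        # 3. Least privilege: every privileged membership needs a recorded approval.
        for group in acct["groups"] & set(approved_privileged):
            if user not in approved_privileged[group]:
                findings.append(("UNAPPROVED_PRIVILEGE", f"{user}:{group}"))
    return findings


def run_check(today=date(2016, 12, 15)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(DIRECTORY_ACCOUNTS, HR_CURRENT_STAFF, APPROVED_PRIVILEGED, today)


if __name__ == "__main__":
    for kind, subject in run_check():
        print(f"{kind:22s} {subject}")
```

Run against a real export, the three finding types map directly onto the review actions the text calls for: disable the leaver, investigate or disable the dormant account, and either record an approval or remove the privileged membership. Note that `erin` appears twice, once as a leaver and once as an unapproved admin; an account that trips both is the highest-priority item on the list.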
Sadly, 2017 will be much the same as 2016.
2017 will be a year in which information security breaches continue with grim regularity and ever-increasing power, among a seemingly infinite range of organisations across all major business sectors and governments worldwide.
Well-established mega-corporations, major governments and household names will all be caught out. Some will be unlucky, others will continue to be incompetent.
Mark Stollery, Managing Consultant, Enterprise and Cyber Security, Fujitsu