This article is courtesy of TechRepublic Premium.
We analyse a large sample of the annual deluge of predictions from security vendors, analysts and pundits to arrive at a consensus.
The internet is a vast repository of valuable data and also, increasingly, connects up the devices that control the infrastructure we all rely on. Few things are more certain than that, as the 'internet of everything' gathers pace, the bad guys — criminals, terrorists, activists and nation states among them — will continue to find new ways to target and exploit the resources it harbours.
The past 12 months were predictably busy in the cybersecurity arms race, with the usual crop of high-profile breaches, a high level of background data loss, and the evolution of new methods of attack and defence.
According to security firm Gemalto's Breach Level Index there were some 1,670 data breaches in 2015, with around 630 million records compromised worldwide. That compares with 1,541 breaches and over 1 billion records in 2014.
Although the ranking of the affected industries depends heavily on the particular high-profile breaches in a given year (in 2014 the retail and financial sectors accounted for 75% of compromised records, while in 2015 government and healthcare headed the hit list), the cast of threat actors remains fairly consistent:
As the chart shows, malicious outsiders remain the most common threat, accounting for 58 percent of breaches in 2015 and 55 percent the previous year. Note that although state-sponsored attacks may be few in number, they are more likely to have far-reaching consequences: for example, the top-ranked breach of 2015, suffered by US-based healthcare insurance company Anthem Inc., was a state-sponsored identity-theft attack that compromised 78.8 million records.
What will happen in 2016?
At the turn of every year, organisations with an interest in security — vendors, analysts and other pundits — dutifully issue lists of predictions for the coming 12 months. Individually, these predictions are often coloured by the organisation's vested interests. However, if enough of them are collected and categorised, a reasonably unbiased picture of what's concerning the security industry emerges as we move into a new year.
With this in mind, I amassed 244 cybersecurity predictions for 2016 from 38 organisations, and assigned them among 22 emergent categories (occasionally splitting a prediction among two or three categories). Here are the results:
Heading the ranking by some distance are predictions concerning the Internet of Things (IoT), which includes everything from industrial control systems and critical infrastructure to smart homes, connected cars, drones and wearable technology. The IoT and critical infrastructure figured prominently in a similar exercise last year, but its leap to a dominant first place suggests that it's time to take IoT security — particularly when it concerns critical infrastructure — very seriously. Meanwhile, Trend Micro goes so far as to suggest that "At least one consumer-grade smart device failure will be lethal in 2016".
Cybersecurity is an increasingly hot topic for enterprises, so it's no surprise to find a wide range of 'CxO issues' in the second-ranked category. These include: changing priorities ('Cyber risk — and attempts to mitigate it affordably — will evolve from an IT problem into a key risk issue for company leaders': BAE Systems); strategic developments ('Defense in Depth will move from just being a buzzword to an actual strategy': NSFOCUS Global); skills gaps ('Cyber talent: brother can you spare a researcher?': Blue Coat); user education ('End-user education and monitoring will become the focal point of data security efforts': Varonis); budgeting ('S&R pros will increase spending on prevention by 5% to 10%': Forrester); and professional standing ('The CISO of the future will have a new and expanding role': Seculert).
The third-placed category, 'Politically-motivated cyberattacks', includes predictions on state-sponsored attacks, espionage, terrorism, hacktivism and attacks centred on the upcoming US Presidential election, and sees much greater prominence in 2016. This highlights the general point that cyberattacks are no longer motivated by simple greed or the desire to cause random mischief, but form an increasingly important part of the armoury of a wide range of threat actors.
In fourth and fifth place are mobile and cloud security, which should surprise no-one. Mobile security predictions include the use of vulnerable mobile devices as a route into enterprise networks and the exploitation of new mobile payment systems. The cloud security issue is well summarised by Blue Coat: "The keys to the kingdom are now in the cloud. As more organisations store their most valuable data in the cloud (customer & employee data, intellectual property, etc.), the bad guys will find a way to gain access to this data. In 2016, we expect to see an increase in breaches of cloud services, and hackers will use credentials to cloud services as a major attack vector. Social engineering tactics will focus on mimicking cloud login screens to gain credentials."
The bad guys are constantly probing organisations' defences, which is why there are plenty of predictions under the heading 'New cyberattack vectors and targets'. These include social media accounts, spear-phishing attacks, attacks on Apple devices, attacks hidden in SSL traffic and the manipulation/disruption of strategic data rather than its theft. Noteworthy are Lancope's prediction that people's DNA data may be vulnerable, and LogRhythm's assertion that education will be the next big attack target.
Ransomware and other forms of extortion feature more often in the 2016 predictions than last year, with Vectra Networks forecasting that "Ransomware will focus more on holding enterprise assets hostage and less on individuals" and Kaspersky seeing a looming overlap with the IoT ("How much would you be willing to pay to regain access to your TV programming? Your fridge? Your car?"). Trend Micro makes this subject its number-one prediction, asserting that "2016 will be the year of online extortion". You, and the company you work for, have been warned.
The increasing profile of cybersecurity means that predictions surrounding security, privacy, law enforcement and cyber-insurance make a strong showing. Proofpoint forecasts that "Businesses will be increasingly squeezed between the demands of data privacy and law enforcement", while Sophos claims that "Data protection legislation changes will lead to increased fines for the unprepared". Little wonder Symantec foresees that "Cyber-attacks and data breaches will drive the need for cyber-insurance".
Cybersecurity is an arms race, so there are plenty of predictions concerning the evolution of malware. OpenSky, for example, notes that cybercrime will become "easier and more lucrative" thanks to the availability of malware toolkits with after-sales support and DDoS capabilities packaged as volume-priced cloud services. "Tried and true malware will continue to evolve", says Appriver, via "savvier malware and social engineering ploys", while ThreatStream sees an increase in "malware sandbox and anti-virus evasion".
Cybersecurity is a high-profile subject thanks to the increasing frequency and scale of cyberattacks, so pundits have plenty to offer in this area: "Incident response is becoming a daily undertaking for all businesses" (OpenSky); "DDoS attacks will continue to grow in size" (NSFOCUS Global); "The frequency of public data breaches will increase substantially" (Varonis); "Big healthcare hacks will make the headlines but small breaches will cause the most damage" (Experian); "The US Government will experience another significant breach" (Forrester). Governments and enterprises aren't the only ones in the bad guys' crosshairs either: "SMBs will become a bigger target for cybercriminals," says Sophos.
When it comes to defending against cyberattacks, increasing importance is placed on 'Analytics and cyber-threat intelligence', which marks the halfway point in the ranking chart (above). As OpenSky puts it: "Identifying emerging methodical and technological trends in the field of cybercrime as early as possible and analysing their level of criticality can help companies to optimise their own cyber-security defence. This is why the demand for Cyber Threat Intelligence (CTI) specialists is growing". For Palerra, the future of threat intelligence platforms lies in the prediction that "Vendors will emerge to provide real-time collaboration around Indicators of Compromise (IoCs) and threat intelligence platform vendors will drive collaboration across the industry to share IoCs".
Making predictions about cybersecurity is a paradoxical business: it's gratifying to be proved right, but few would wish the dire consequences of some predictions — on cyber-terrorism, for example — to actually happen.
Experian is one of the few organisations that explicitly graded its 2015 predictions, awarding itself 'A+' for Persistent and growing threat of healthcare breaches; 'A' for Missing the mark: employees will be companies' biggest threat and Shifting accountability: business leaders under increasing scrutiny; 'B' for Fresh breach surface via the Internet of Things; and 'C' for Rise and fall of payment breaches and Safeguard your password: more hackers will target cloud data. This is useful, and more pundits should do it.
As 2016 begins to unfold, the message from the cybersecurity community is pretty clear: if you're tempted to deploy any IoT devices, investigate their security features closely; if you're a C-level executive, put information security front-and-centre in your planning, with particular emphasis on mobile and cloud, or be prepared to answer awkward questions after a breach occurs; and be aware that threats are likely to come from nation states, hacktivists and terrorists, as well as criminals and troublemakers.