Major data breaches exploded in 2015 as hacktivists, cybercriminals and nation states set their sights on stealing troves of sensitive information and proprietary data. Evolving malware, as we saw with AlienSpy RAT reemerging as JSocket RAT, kept cybersecurity professionals on the lookout and vigilant throughout the year. The rise of cyber legislation emerged as lawmakers tackled encryption and access issues. As we look forward, Fidelis Cybersecurity CSO Justin Harvey shares his thoughts on the top security trends and advanced threats to hit in 2016.
Expect organizations to embrace encryption: The extent to which data threats should be considered real – or can be dismissed as hype – will largely depend on the security precautions taken by enterprises. At an absolute minimum, data must be encrypted while it is at rest or in transit. Recent incidents, such as the TalkTalk breach in the United Kingdom, demonstrate how this lack of encryption can expose vulnerabilities enabling an attack.
Prepare to shore up the endpoint: The network perimeter is rapidly disappearing – as phones, tablets and cloud computing replace traditional PCs and on-premise servers. Bring-your-own device policies and the ubiquity of cloud services keep files encrypted between users and cloud networks, and increasingly hidden from IT – creating security gaps that are ripe for attacks. In 2016, enterprises must evaluate their cloud service policies, monitoring strategies, and endpoint detection and response capabilities. They will continue to improve how they classify the sensitivity of their information, better understand where it resides within the network, and secure and monitor all endpoints.
Expect increased cyber-related legislation. We watched lawmakers rush to enact legislation around the classification of sensitive data, sharing of cyber threat intelligence, consumer privacy issues, and breach notification. We’ll continue to see encryption topics making political headlines. Expect ongoing interest by both federal and state/local authorities to obtain back doors into devices and user communications.
The data broker industry will face greater scrutiny. Just a few years ago, a typical data broker collected an average of 40 data points per consumer. Today, these companies gather up to 1,500 data points. Expect a push toward a data broker governance law as well.
Anticipate discussions around the vulnerability of the Internet of Things: Manufacturers are jumping on the IoT craze by introducing both new and traditional products – from toys to lightbulbs to home sensors – with a connected twist. These new IP-equipped products make it possible to send telemetry data to the owner, back to the vendor, and even receive remote commands – a disturbing concept should access fall into the wrong hands.
The burgeoning IoT market and mainstream adoption of connected technologies represent large security risks because most homes lack appropriate protection levels. Many new IP-enabled products cannot be secured, leaving them vulnerable to a variety of attacks (denial of service, exposed latent vulnerabilities, etc.). IoT devices and internet-enabled automobiles pose potential risks in causing bodily harm, as seen with the Jeep Cherokee breach.
Brace for bigger, badder breaches. Enterprises capture and retain data at levels unfathomable just a generation ago – making them an attractive target for cyberattacks. In 2015, we witnessed organized crime syndicates and nation states hit federal, retail, healthcare, and financial services companies, grabbing sensitive data on millions of people. Look for more large-scale attacks to continue — resulting in higher losses of personal and proprietary information.
Attacks will focus on both the public and private sector. Cyber criminals will set their sights high, zeroing in on industries that hold vast amounts of valuable company and consumer data. Global corporations and governments – especially those involved in defense interests – will be in the crosshairs of state-sponsored espionage actors. Expect additional breaches designed to embarrass or enact retribution, as we saw with the Ashley Madison breach.