Security in the spotlight

In many organisations, keeping pace with the rate of emerging threats has put an enormous strain on IT security teams who are trying to get ahead of motivated attackers. In many cases, that requires advanced training for those who work in industries impacted by the increasingly complex Internet of Things and new skill sets that extend into rapidly growing areas like behavioural analytics. Investments in technologies that automate alerts on suspicious behavior or automatically contain threats can shoulder some of the burden. The emergence of a ‘Self-Protecting Network’ – a network that will learn to protect itself once an attack is detected - may be a response to the skills crisis.
 

The VTech data breach could very well be the watershed moment for consumer privacy and Internet of Things (IoT). However, according to the Altimeter Group, 87 percent of consumers don’t have any idea what the term “Internet of Things” means. That will need to change quickly. In the coming year, consumers will need to be better equipped to ask questions about how their information can be collected by vendors, and understand how this information can be breached if not properly secured by the vendor. The risk to consumer security arises from the single insecure IoT device being connected to the home network or other devices – for example, the case of the smart kettle, through which the home network could be breached and connected devices accessed. These risks for consumers can be even higher for organisations. As the connected workplace fast becomes a reality, security concerns surrounding IoT will continue to grow. While smart devices hold the promise to make our working lives easier, they are too often rushed to market and not designed with adequate security in mind, making them a significant risk for enterprises, particularly as their usage becomes ubiquitous and the number of devices increases.
 

Looking back at 2015 there were several reported instances of extortion, which threatened to halt victim organisation’s operations or IT. In 2016, these attacks will become more aggressive, targeting the theft of financial information, threatening to publish damaging information and the rise of enterprise-wide ransomware. Incidents of ransomware will escalate as attackers find more creative ways to blackmail individuals and corporations; attacks will continue to morph and adapt to enterprise environments and take approaches like embedding worm-like behaviour and targeting application credentials to new levels. This activity may also be the impetus to further evolve and refine the global cyber insurance industry to increase protection for enterprise victims. In the U.S., we could witness cyber attack risk and preparedness having a greater impact on organisations’ credit analysis and bond ratings.  
 

In 2015 we saw devastating acts of terrorism impact the global community. In 2016, we’ll see more convergence of physical and cyber terrorism. For example, we’ve already seen airlines being hacked into – instead of using the hacks to “bring a plane down,” the hacks could also be used to create confusion at an airport or similar hub (shutting down a ticketing system for example). We may see greater coordination between these two types of attacks – using a cyber attack to cause mass confusion and a physical attack to cause maximum damage. In addition to transportation, attacks targeting what is also considered “critical infrastructure” could impact health systems, financial markets and energy grids.  
 

Countries are introducing more legislation to try and curb malicious cyber activity, while entering into broad agreements to shape of the future of cyber-warfare. The risk is that regulations passed in countries could do more to harm technology advancement than it will curb malicious activity. To determine the long term impact of the German IT security law, EU Network Information Security (NIS) directive, and other examples like the Australian Signals Directorate (ASD) cyber intrusion strategies, it is necessary to find the tipping point between too much government involvement, and not enough. Defining compliance and holding organisations accountable for non-compliance will also play a role in determining if governments can flex their muscles on cyber security – and make a real impact.


(6) The encryption debate – can we balance encryption and civil liberties?

The terrorist attacks in Paris have renewed an ongoing debate being held since the Snowden revelations – should every day consumers have access to encryption technology? Does the need to monitor terrorist activities outweigh the privacy rights of citzens in blocking their communications?  Bottom line – will we see greater encryption and freedoms for citizenry, despite the security costs, or will 2016 be the year of greater civil liberties curtailment?  In some parts of the world, many citizens have already expressed their willingness to give up their privacy for increased cyber security.
 

In the past 3 years, the US Federal Government and private business have sustained massive breaches of private information. As with the U.S. Office of Personnel Management and airline breaches, the question asked often is “what did they steal,” while the question often un-asked is “did they enter any information INTO our systems?” Will 2016 be the year that we discover that a spy, terrorist, or other government actor was actually vetted and approved based on information ADDED during a breach?