Each November and December, cybersecurity companies and professionals put on their prognosticator’s hat and predict the security issues that we should expect to see in the coming year. IT and security decision makers can use these predictions to dictate their security priorities in the coming year, which allows for better allocation of security budgets. Here are a few security issues that the experts recommend as priorities in the coming year.
Address the Shortfall of Qualified Security Experts
Organizations need to focus on solving the security talent gap in 2018, and this may be the most urgent priority of the year. “We first need to fill the growing shortfall of qualified security experts who have the necessary skills and experience to solve these problems for organizations of all types and sizes. Hiring and training enough skilled security workers will continue to be one of the biggest challenges facing CISOs in 2018 and beyond. Due to this lack of trained personnel in-house, we expect that more companies will leverage external managed security service providers (MSSPs) to help fill this need in the New Year,” said Jack Miller, chief information security officer at SlashNext.
Educate Employees Already on Staff
Even if you hire security talent in 2018, everyone else on staff needs to have better security training and education. As Scott Youngs, CIO for Key Information Systems, stated, “Often the weakest link in the enterprise's cybersecurity is the person behind the endpoint. Even with security solutions, there is no substitute for making users aware of potential threats, and hackers are only getting smarter and more dangerous.”
Better Defenses Against Insider Threats
Education is important, but it won’t solve everything. “If the user is the weakest link in the IT security chain, organizations should place more emphasis on identity and access management. In 2018, security measures should be more closely aligned with IT users and their ‘identity.’ For example, behavioral monitoring can detect even the smartest cyber criminals lurking behind privileged credentials, by discerning deviations in baseline behaviors – even based on minute biometric traits such as typing speed or common spelling errors,” said Csaba Krasznay, security evangelist at Balabit.
More Emphasis on Data Security
Companies experiencing success with digital transformation are realizing that network data is a critical -- but up until recently, missing -- piece of cybersecurity, according to Justin Ryburn, a former network engineer who now serves as a technical marketing manager at Kentik. “Many security issues can now be proactively stopped and/or more quickly and deeply investigated by leveraging data coming from the network,” Ryburn said. “For example, where an HVAC is communicating with a point-of-sale system. In 2018, the companies who leverage their network data for security will see better security posture.”
Pay Better Attention to Your Vendors
Too many of the security incidents organizations see are the result of a security failure by a third-party vendor or consultant. Better vetting for service providers and paying up for better service should be security priorities in 2018, said Bob Ertl, senior director of Industry Solutions at Accellion.
Improve DDoS Defenses
Organizations are now experiencing an average of eight DDoS attack attempts per day, up from four per day at the beginning of 2017, fueled by unsecured IoT devices and DDoS-for-hire services with a goal of taking these organizations offline or stealing sensitive data, according to the security experts at Corero Network Security. A fifth of the DDoS attack attempts recorded during Q2 2017 used multiple attack vectors, which shows that cyber criminals are evolving their techniques and DDoS attacks is frequently their tool of choice.
Securing Wi-Fi Networks
In 2018, more hackers will target poorly secured, unpatched IoT devices to get access to corporate networks, predicted Peter Tsai, senior technology analyst with Spiceworks. And with the recently discovered KRACK Wi-Fi exploit taking advantage of a flaw in the WPA2 handshake process (that may never be patched on many IoT devices), organizations have even more to worry about. “In order to avoid these security threats in 2018, companies will need to prioritize securing their data on both corporate and public Wi-Fi networks, which requires an additional layer of protection, including locking down access to Wi-Fi, use of VPN and encryption and of course, end-user training.”
Don’t Forget About IoT Risks
IoT security is likely to be near the top of every prediction this year, with malware specifically targeting IoT vulnerabilities. Protecting IoT by instituting new passwords and paying attention to firmware updates need to be addressed in 2018.
Re-Think How You Protect Credentials
“NuData Security, a MasterCard Company, sees a shift beyond prevention strategies, and a new emphasis on real-time detection and on authentication methods that defy re-use by hackers,” said Robert Capps, vice president of Business Development for NuData Security. “Organizations that handle billing data and other sensitive PII will increasingly migrate beyond dependence on static credentials. They’ll explore adopting intelligent layers such as passive biometrics and behavioral analytics to accurately identify and verify a user before they can access any sensitive information, in ways that can’t be mimicked by would-be thieves.”
Focus on Virtual Patching
2018 will be the year of virtual patching and the year that improving patch cycles for enterprise applications becomes a priority, predicted John K. Adams, CEO at Waratek. “The ability to rapidly apply a patch that functions like a physical patch without taking the vulnerable app out of production or making any code changes must be an evaluation (and ultimately, deployment) priority in 2018.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba