2014 was known as The Year of the Breach. It could be that 2015 will be known as The Year of the Really Big Breaches. Or perhaps it will be remembered as the year that mobile malware really began to make a statement or cyberespionage entered the American lexicon. If nothing else, the year that is ending was the one when everyone, from executives to the average citizen, became aware of how much damage a cyberattack can cause.
So what is on the horizon for 2016? Most experts expect to see continued growth in mobile malware and even more security breaches, especially in the health care and financial industries. The PIN and chip EMV standard is still too new and not well-enough implemented for anyone to have a good feel on what effect it will have on credit card security. We’ll always have new strains of malware and innovative phishing attacks. Those are the easy predictions.
Here are 10 security trends that the experts think we should keep an eye on in 2016.
2016 Security Trends
Click through for 10 security trends that the experts think we should keep an eye on in 2016, as identified by Sue Marquette Poremba.
DevSecOps will be where it’s at in 2016 as security becomes integrated with DevOps.
In 2016, expect to see security and DevOps teams working together to deliver more secure applications at a faster and more frequent pace via a continuous integration and testing process, according to Maria Bledsoe, senior product marketing manager, Fortify for Hewlett Packard Enterprise. Collaboration between security and DevOps will allow organizations to find and fix vulnerabilities earlier in the development process, providing better protection while saving both time and cost.
Wearable Tech Risks
Wearable technology risks will continue to rise.
As the market for wearable technology grows, so will security and privacy concerns for consumers, said Troy Gill, manager of security research with AppRiver. Health and fitness apps on wearable devices may be the worst offenders. These technologies monitor our every move, heartbeat and location. Paired with compromised security or even just poor privacy settings, they create the perfect storm for personal data breaches.
The exploitation of human vulnerabilities will escalate.
Expect criminals to increasingly focus on humans as a rising number of defenses
against advanced threats make it harder to breach organizations technologically, according to independent cybersecurity expert Joseph Steinberg. For example, he said, expect to see more crooks scanning social media for over-shared information that can be used to craft highly effective spearphishing emails that can be used to social engineer people into doing things that put computer systems and data at risk.
Threat Intelligence Budgeting
Threat intelligence line items will start to appear in budgets.
We know that breaches and other security threats go undetected for months, even years. We also know that cybersecurity efforts have been poorly budgeted historically. Expect that to change in 2016. More organizations are realizing how tough it is to defend your organization if you don’t know what your specific risks are and you aren’t spending the money to build defenses and strategy. According to Jason Polancich, founder and chief architect of SurfWatch Labs, we can expect to see more businesses adding threat intelligence as line items in their security budgets this coming year. And for those companies without the resources to field robust cyberdefense teams, threat intelligence will need to be more full service, less technical, higher level and, most of all, directly linked to business operations to allow a company to make use of it as an early warning system.
Open Source Vulnerabilities
High-impact vulnerabilities from open source software will continue to be discovered.
Heartbleed (of OpenSSL) and Shellshock (of Bash) vulnerabilities hit hard over the past years. If OpenSSL and Bash, which have been in existence for a long time, still have vulnerabilities, what can be said about more recent open source software applications such as Hadoop, OpenStack and Docker? As the popularity of open source projects grows, security researchers and hackers will be attracted to the projects and more vulnerabilities will be discovered, security experts at Hillstone Networks believe. The impact of newfound vulnerabilities will be directly proportional to the popularity of the open source project, and we can expect this to be a growing concern as we go into 2016.
Ransomware is likely to grow substantially in 2016.
Current estimates from the Cyber Threat Alliance put the damage caused by CryptoWall ransomware at $325 million, up 1800 percent since the FBI’s report in June 2015, said Stu Sjouwerman, founder and CEO of KnowBe4. This type of threat usually comes from clicking a link in a phishing email, thereby infecting your machine or your network and encrypting your files with a sophisticated unbreakable encryption. If your systems are not backed up, said Sjouwerman, your data will be lost or worthless unless you pay the ransom. Even the FBI recommends you pay up, so why wouldn’t the criminals put a greater emphasis on this money maker?
Data integrity attacks will become the new “cash cow” for hackers.
Ransomware isn’t the only way that cybercriminals are making money from your data. For sophisticated hackers, it’s not about stealing data anymore; it’s about accessing and changing it, according to Gemalto’s Vice President and CTO for Data Protection, Jason Hart. Cybercriminals can take actions that are difficult to detect, leading to lucrative paydays that may take years to affect a company or industry. Over time, Hart pointed out, bad data can lower or raise the prices of stocks, enabling hackers to earn high dividends. For those with an axe to grind, corrupt data can force poor corporate decision-making and take down a company. Worst of all, until the pain is felt financially, data integrity attacks remain invisible.
Geopolitics drive C-level decisions when it comes to cybersecurity.
Increasingly, the geopolitical aspect of security is becoming more relevant. Rhetoric continues to heat up and relations are cooling between the United States, China and Russia. China already allegedly demands that vendors backdoor sites and apps, and this has created a real division between companies that are willing to do this and those that are not, Joan Pepin, VP of Security and CISO with Sumo Logic stated. This is tying the hands of IT and security professionals everywhere. In 2016, these issues will continue to escalate and drive the C-suite to take even more of an interest in the organization’s security strategy.
Malware will target the cloud.
It is only a matter of time until the cloud becomes the latest target of malware, and Tom Byrnes, CEO of ThreatSTOP, thinks this is the year it will happen. Cloud-targeted malware will compromise the computing power of the cloud, infrastructure, apps and data. Although malware has traditionally targeted endpoints, Byrnes said as we move more information and computing power to the cloud, endpoints and mobile devices will become “dumb terminals” and the cloud will be an increasingly attractive target.
Internet of Things
Internet of Things challenges will continue.
The Internet of Things (IoT) introduces new network devices into your environment, all with their own vulnerabilities, said Wolfgang Kandek, CTO at Qualys. The best way to limit their reach into your corporate network is to have a guest network where end users can install these devices and where no access to enterprise devices is available. Kandek recommended using features such as AP isolation to make sure that devices are sheltered from each other’s network. Speaking of IoT, a positive security note that Kandek thinks we’ll soon see is overall automatic patching in IoT devices, similar to what we’ve been seeing with smartphones.