Enterprises must prepare for attacks on supply chain and POS in 2015

One thing is certain: there is plenty of job security in the business of protecting data. Attackers keep upping their game; therefore, so must we. 2014 can be characterized in a number of ways: the year of (another) mega breach, the year of supply chain attacks, the year POS systems lost their credibility.

For these reasons and many, many others, the infosec industry must step up. Likewise, businesses of all shapes and sizes must give information security the same priority in their planning discussions as sales and supply. In 2015, I believe we will see advances from both the bad guys and, because I'm an optimist, in enterprise response. Here are my top 5 predictions for what we will see in 2015.

1. Supply chain attacks will increase and so will enterprise response. The mega breach that hit Target stores and dominated the headlines earlier this year really woke us up to the reality of supply chain attacks: the intruder entered through a third party's access, not the retailer's own perimeter. In 2015, organizations will slowly start to better understand the breadth and depth of vulnerabilities in their own supply chain, but unfortunately, not before more sizable breaches occur. I believe we will see more attacks that originate from within the supply chain, and as such, organizations will scramble to close the back doors that partner and vendor access opens into their networks.

Facebook and Google are already attacking this problem head-on, and I expect more proactive enterprises will follow suit, similar in strategy rather than scale, by offering security alerts, tools and training to their partners, suppliers and, where applicable, even their customers. All of this will be done for the sake of their own security. And because the problems of cyber defense today are largely human and behavioral rather than technical, we will see a move toward more good old-fashioned information sharing, collaboration and daily diligence in awareness across business networks.

2. Point of Sale attacks will become as common as Windows viruses. Year to date in 2014, the retail industry has certainly seen its share of cyber crime, largely attributed to attacks on point of sale systems. SurfWatch Labs' data tells us attacks against retail stores doubled quarter over quarter this year, and unfortunately, I don't expect that to improve anytime soon. Retail is a numbers game: millions of people buy things every day, and the ways they can pay are multiplying.

First it was swiping your card in a store or at the gas pump, then came processors like Square and a barrage of mobile apps, and most recently of course came Apple Pay. Every new payment processing option is a new attack surface: new code, new integrations and new vulnerabilities. And the individuals setting up these systems are average people, no more security aware than the next guy. For this reason, attacks on POS systems will not only increase but sadly become the new normal, just like the numbers of viruses that attack the Windows operating system every day. If we aren't careful, it too will become cyber white noise.

3. Enterprises will rely on business intelligence tools to analyze and report cyber risk. Enterprises will begin to track cyber events with more traditional, fundamental business intelligence processes and in KPI-driven ways. Much like the monthly board or staff meetings that discuss financials and then link them to supply and sales, organizations will increasingly add cyber risk to the discussion.

How is cyber affecting the other key elements of my business, my budgets and my cost centers? How do I do more than just double my budget? How do I measure ROI on security investments in a real way? How do I respond faster, or ahead of time, to emerging threats? These questions and more are interlinked with the overall success of any organization.

4. We will renew our focus on the practice of risk management, for cyber risk, not cyber threats. The security industry continues to focus on identifying threats, and this mindset needs to shift. In this day and age, cyber threats represent an overwhelming flood of data, too much to effectively manage. Data is great, but until you can correlate it to a vulnerability you currently have and translate that into a fix, that data isn't very helpful.

Organizational cyber risk (not threats) must be quantified and assigned a process for inventorying, monitoring and mitigating. While admittedly a little pie-in-the-sky, I do believe organizations will start to realize this and consider detailed risk management programs for their cyber risk.
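One way to act on the distinction just drawn between threat data and cyber risk, as an added example that is not part of the original post: a small Python triage that takes a threat feed and an asset inventory, keeps only the feed entries that match software we actually run, and ranks each match by likelihood times business impact so it can be entered in a risk register with a concrete fix. Everything in it is constructed. The feed entries, product names, hosts and versions are placeholders (not real advisories or CVEs), and the likelihood multipliers in risk_score are assumptions to be tuned by whoever owns the risk process.

```python
"""Correlate a threat feed against an asset inventory and rank cyber risk.

Added example, not code from the original post. All feed entries, hosts,
product names and version numbers below are constructed placeholders,
not real advisories or CVEs. The weights in risk_score are assumptions.
"""
from dataclasses import dataclass


def v(s: str) -> tuple:
    """'3.1.4' -> (3, 1, 4); tuples compare the way version numbers should."""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    product: str
    fixed_in: tuple            # versions strictly below this are vulnerable
    exploited_in_wild: bool
    severity: float            # 0..10, CVSS-style base score as published in the feed


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple
    internet_facing: bool
    business_impact: int       # 1 (low) .. 5 (critical), assigned by the asset owner


# Constructed threat feed: four entries, only two of which concern software we run.
THREAT_FEED = [
    Advisory("feed-entry-1", "posterm",   v("3.2.0"), True,  9.8),
    Advisory("feed-entry-2", "webshop",   v("1.5.0"), False, 7.5),
    Advisory("feed-entry-3", "mailrelay", v("2.0.0"), True,  8.0),  # we run no mailrelay
    Advisory("feed-entry-4", "posterm",   v("3.0.0"), False, 5.0),  # all our posterm is newer
]

# Constructed asset inventory.
INVENTORY = [
    Asset("pos-lane-01", "posterm", v("3.1.4"), False, 5),
    Asset("pos-lane-02", "posterm", v("3.2.1"), False, 5),
    Asset("shop-web-01", "webshop", v("1.4.9"), True,  4),
    Asset("intranet-01", "webshop", v("1.4.9"), False, 2),
]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """A feed entry is only a vulnerability for us if we run an affected version."""
    return asset.product == adv.product and asset.version < adv.fixed_in


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Risk = likelihood x impact. Likelihood starts from the feed severity and
    is raised when the flaw is exploited in the wild and when the host is
    reachable from the Internet. Multipliers are assumptions; capped at 1.0."""
    likelihood = adv.severity / 10.0
    if adv.exploited_in_wild:
        likelihood *= 1.5
    if asset.internet_facing:
        likelihood *= 1.25
    likelihood = min(likelihood, 1.0)
    return round(likelihood * asset.business_impact, 2)


def triage(feed, inventory):
    """Return (findings ranked by risk, ids of feed entries that matched no asset)."""
    findings = []
    matched = set()
    for adv in feed:
        for asset in inventory:
            if is_affected(asset, adv):
                matched.add(adv.adv_id)
                fixed = ".".join(str(n) for n in adv.fixed_in)
                findings.append({
                    "host": asset.host,
                    "advisory": adv.adv_id,
                    "fix": f"upgrade {asset.product} to >= {fixed}",
                    "risk": risk_score(asset, adv),
                })
    findings.sort(key=lambda f: f["risk"], reverse=True)
    unmatched = [adv.adv_id for adv in feed if adv.adv_id not in matched]
    return findings, unmatched


if __name__ == "__main__":
    findings, noise = triage(THREAT_FEED, INVENTORY)
    for f in findings:
        print(f"{f['risk']:>5}  {f['host']:<12} {f['advisory']:<13} {f['fix']}")
    print(f"{len(noise)} of {len(THREAT_FEED)} feed entries matched no asset: {noise}")
```

On the constructed data, half the feed is noise for this organization and drops out; what remains is three register entries, each tied to a host, an owner-assigned impact and a specific upgrade, which is the form a risk discussion at a board or staff meeting can actually use. The point of the example is the shape of the pipeline (inventory, match, score, fix), not the particular weights.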

5. At ground zero, new solution sets will emerge. Just as medical researchers often realize the need to return to ground zero in the fight against a persistent disease, the infosec industry will slowly realize we too have to start again in the war against cyber crime. It is killing our economy, and broad-spectrum, defense-in-depth protection as currently practiced isn't working. While it won't happen overnight, some vendors will realize they have to return to ground zero and look at the problem differently, and as they do, new solution sets will emerge.

In 2015, we will start to see "green fields" development of totally new approaches on top of the landfill that is the current solutions space. We know we can't continue to rely on bare-bones, Snort-type signature-based defenses alone. Things like spear-phishing, social engineering and the sheer speed at which new attacks are being developed and executed have rendered most existing defenses a Maginot Line. I believe we'll see very specific, focused solution sets emerge (like anti-botnet tooling) and new, different approaches being tried ("behavioral" signature systems that key on what code and users do rather than on byte patterns). Cyber crime is killing us. It's time to fight back significantly.