Glasswall Solutions issued its top five predictions for 2016.
“We believe the next 12 months will see some of the most significant developments in the history of cyber security as powerful new EU regulations loom and enterprises realise their defences are dangerously unprepared and antiquated. 2016 promises to be an extremely interesting year in which many new opportunities will emerge to boost our collective security – the question is whether businesses around the world will grasp them,” said Greg Sim, CEO, Glasswall Solutions.
Cyber security threats will continue to grow throughout the year, with email attachments the most dangerous point of vulnerability for businesses without effective defences in place. In 2015, cyber crime cost £36 billion and 94% of successful attacks were conducted via email attachments.
Criminals will continue to steal insights from leaky documents, websites and social media profiles for use in social engineering, targeting employees and turning them into dupes who unwittingly assist in the hacking of their own companies by opening files hiding malicious exploits.
A change in corporate culture
2016 is set to be the year when a change in culture sweeps through many organisations in response to the growing sophistication of cyber-attacks. As we have seen in the USA, C-suite jobs are now on the line and the forthcoming EU Data regulations hold the executives culpable for the security of their organisation’s data. The risk of loss of customer data and the knock on effects of supply chain confidence, customer loss and even share price demise is now too great.
From top to bottom, organisations must shift attitudes and take back control of document security. This will extend beyond the organisation’s own borders and into the supply chain where cyber-security will become a major factor in the on-going business relationship between organisations and their suppliers.
Within most organisations, a trusting culture has been bred, from sharing and collaborating on documents to being accepting of incoming files and URL links. This culture is commonly reflected from C-level executives down to the most junior employee – with everyone at equal risk of becoming a target.
Decisions on what is safe will no longer rest with employees but will be a matter of policy, determined in conjunction with experts in corporate cyber security technology.
Heads will roll, but the CISO will stand tall
Sadly, we can expect that continued reliance on outdated security solutions makes it inevitable that a serious data breach will occur in 2016, leading to a minor bloodbath in the C-suite.
Chief executives have been warned – they saw what happened to TalkTalk in 2015 – but too few are walking the walk when it comes to boosting security in their own organisations. A major loss of data or breach of old-fashioned perimeter security is going to cost a chief executive his or her head in 2016.
By contrast, in organisations where security is taken more seriously, the role of the Chief Information Security Officer (CISO) is going to have greater prominence. More and more CISOs are going to be appointed and increasingly, they will report directly to the CEO and ultimately sit within the board if information security is to be taken seriously.
In businesses where they are already at work, over half of them report to the Chief Technical Officer, demonstrating a real lack of urgency about cyber security at board level. This has to change.
Steve Katz, a member of Glasswall’s advisory board and the world’s first Chief Information Security Officer (Citigroup and JP Morgan), predicts a further development in 2016. He says the year is likely to see the emergence of the Chief Information Risk Officer, or CIRO.
“A single hacker only has to win once for an organisation to find its reputation has been torched,” says Katz. “The havoc wreaked by some of these attacks leaves such a trail of destruction that organisations never recover. Cyber security is now about managing risk, rather than just security and the board-level role of the CIRO should reflect that.”
The European General Data Protection Regulation comes into force in 2017, imposing increased penalties and fines on companies which fail to protect data adequately, or are subject to a breach.
In the first quarter of 2016, businesses will start to wake up to the potentially enormous consequences of this first real overhaul of European data legislation in two decades.
Minimum fines are likely to be set at two per cent of global turnover, with the maximum running to five per cent. Had the TalkTalk breach occurred under the EU regulation, the company’s fine could have amounted to £90 million.
In addition, the new regulation will impose disclosure of data breaches in the public interest, meaning there is no hiding place for firms caught with their cyber trousers down.
As businesses realise what is involved, we can expect to see them struggle to achieve compliance throughout the year, scrambling to hire consultants or investigate outsourcing solutions as 2016 draws to a close.
Amidst the backdrop of increasing threat levels, 2016 is going to be a great year for cyber security innovation, replacing legacy and even relatively modern security technologies which are failing their customers in protecting from the ever increasing wave of sophisticated attacks. The new wave of sandboxing and advanced threat analytics in particular are simply not working and Glasswall is seeing evidence of this every day. The overwhelming feedback from the industry is that they do not trust what they are being sold from the mainstream suppliers.
Expect to see innovation in security shift from USA-based companies, currently regarded as the bastion of trusted security, to new innovative companies such as Glasswall, referred to by the UK Chancellor of the Exchequer in his speech at GCHQ in November, when he stated “excellent British companies” breaking new ground in cyber security.
This is the year in which the best of those businesses fulfil the chancellor’s vision of “an ecosystem in which great ideas get translated into great companies.”
Reaffirming these views, industry analysts Frost & Sullivan stated in their 2016 predictions that “we can see widespread acceptance of a new approach to business risk and cyber security, moving the focus from detection of “known threats” to validation of the “known good.”