From a cybersecurity perspective, 2016 was a devastating year for companies, schools, government agencies, organizations and even presidential campaigns. What we’ve learned from a record year of breaches, hacks, phishing, malware, and ransomware is what we’ve known all along: cyber criminals are clever, and they are not bound by any rules or real strategy.
We also learned that no company, government agency, or organization is safe if they are in the bullseye of those determined to breach their networks. Hackers really have a single goal: to steal data or financial assets, crippling organizations in the process. Stolen data, such as passwords, social security numbers, personal information and possibly bank account credentials, is generally sold on the black market. This was the case in the first big U.S. hack of 2016.
In February, the University of Central Florida reported they’d been the victim of a data breach that affected approximately 63,000 former and current students, as well as faculty and staff. Cyber thieves compromised the university’s computer system and stole personal information, such as student/employee ID numbers and social security numbers.
Even the largest global companies, those with very large IT security budgets, fell victim to hackers this year, from Verizon Wireless to Cisco to LinkedIn and Yahoo!. As of this writing, Yahoo! has just announced that more than 1 billion user accounts have been breached since 2013, making it the largest breach in history.
So, where do we go from here? Will we see another record year of breaches that seem to take us by surprise every time? Possibly, and for one good reason: there is no foolproof protection against human stupidity – inadvertent or otherwise.
People have a phenomenal ability to ignore the right thing to do – because doing the wrong thing can seem more convenient, more expedient, and more rewarding. Beyond that, some people simply don’t want to follow the rules, so you have to think about the Who, What, Where, When, and How of access to your systems: not just employees, but also contractors, suppliers, vendors and partners.
Cybersecurity predictions for 2017
Given this, my cybersecurity predictions for 2017 are the following:
1. There may be changes to consumer privacy laws in 2017. The incoming Trump administration may be a lot more aggressive in getting access to personal data to fight terrorism and cyber crime. This will undoubtedly cause increased friction between government, industry and privacy advocates. The sheer number and scope of breaches may prompt increased regulation.
2. We will continue to see adoption of the cloud in both the mid-market and enterprise market, but some companies will be hesitant to put business critical data, such as intellectual property or customer data, in the cloud due to unfounded security concerns. Some organizations will also be concerned about a lack of control. In reality, cloud environments might actually be more secure and resilient than customers perceive.
3. There will be a growing number of attacks and breaches related to the increasing use of Internet of Things (IoT) devices in 2017.
4. Phishing and spam will continue to be one of the most effective attack vectors. Bad actors will continue to exploit existing vulnerabilities with increasing frequency.
Despite the gloom and doom of our current cybersecurity landscape, there are ways that organizations can step up their IT security posture, making it much more difficult for hackers to infiltrate your network. The harder it is to breach your network, the more likely it is that they’ll move on to a less well-protected target.
Now is the time to take a hard look at your security policy and evaluate the solutions and services you have in place for effectiveness. Outdated and ineffective solutions should be either tossed out or updated. Good security doesn’t need to be expensive; it just needs to be effective.
Tighten your IT security
Consider adopting the following tips to help you tighten up the IT security “ship” in 2017:
1. One of the most effective ways to mitigate data breaches is to reduce the attack surface in the first place. For example, ask your employees (i) not to save their passwords in their browsers, (ii) to change default passwords, (iii) to use industrial-strength passwords that contain no personal information such as pets’ or children’s names, and (iv) not to click on email links or attachments. It’s so easy to break into a network just by compromising passwords, which is why password management and access controls are so important.
2. Do everything you can to elevate the security IQ of your entire organization – employees, partners, suppliers – anyone who has access to your network and critical assets.
3. Commit to a security program through constant education, a defense-in-depth strategy, and continuous security intelligence.
4. Do whatever it takes to get continuous visibility into your organization’s security posture, where the gaps are, and what you can do to bridge those gaps.
5. Think of security as a strategic competitive advantage, not a cost center or administrative headache.
One can’t stress enough that your employees, contractors, vendors and partners may be your weakest link. It’s imperative that you educate the entire organization and create a sense of ownership for your organization’s cybersecurity posture. Remember, security is not rocket science; it’s really just common sense. It requires commitment, some investment, and awareness of the threats facing every business and organization.