Cybercrimes will continue to grow to an enormous $6 trillion in annual losses to the world by 2021.
2016 has been an epic year for cyber security threats. Current projections published in a Cybersecurity Market Report indicate that cybercrimes will only continue to grow to an enormous $6 trillion in annual losses to the world by the year 2021. Due in part to our hyper-connected world, advances in collaboration technologies, multiple devices, and increased use of outsourcing, hackers are seizing opportunities and becoming more sophisticated in their attack techniques. Their quest has gone beyond stealing data for a profit to leaking incriminating information to influence and expose individuals and governments. However, hackers are only part of the challenge. Third-party partners also carry a potential threat to organizations, as they often have authorized access to organizations’ information and systems with little oversight or monitoring.
Organizations that fail to increase their security budget and make security a top priority are most likely to suffer the greatest financial losses. So what do we predict for 2017 besides building a better offense? Here are Guardian’s Top Six Security Predictions for 2017:
1. 2017 Will be a Historic Year for US Cybersecurity Legislation
…legislation will likely start with mandatory breach notification…
Next year will be a historic one in terms of cybersecurity legislation. We’ve already seen the beginnings of this in 2016, and high-profile incidents such as the breaches at the Democratic National Committee and Yahoo, and the Apple encryption debate, have further increased public awareness around the importance of data security and privacy. The Chinese government was also recently implicated in buying stolen national defence research related to the F-22, F-35 and C-17 fighter jets from a cybercriminal who hacked Lockheed Martin and Boeing.
The growing awareness, coupled with the government’s willingness to acknowledge the national security risks posed by cyberattacks, makes us hopeful we’ll see meaningful progress in the fight to create effective cyber-legislation by the end of 2017. This legislation will likely start with mandatory breach notifications, which will initially eliminate undisclosed (or slowly disclosed) cyber incidents, but will eventually take the form of specific guidelines for how citizens’ data must be protected wherever it travels or is stored. Europe is leading the way with the General Data Protection Regulation (GDPR), and we expect North America to follow with similar legislation.
2. Global Leaders Will Take Steps Towards Establishing Standards for Cyberwarfare (InfoSec Geneva Convention)
…the global community will at least begin acknowledging the catastrophic repercussions that could result from an all-out cyberwar.
2017 will (hopefully) be the year global leaders finally recognize the need for an InfoSec Geneva Convention, setting standards for what cyber-activities are and aren’t acceptable. Holding highly confidential information hostage and using it as blackmail or to manipulate elections is a whole new level of warfare. I’ll admit, this is an optimistic prediction, considering the current geopolitical landscape, but technology has reached the point where having clear rules of engagement is an absolute necessity. In fact, the idea was floated back in 2015 by members of the House Intelligence Committee. While this may not happen in 2017, I expect the global community will at least begin acknowledging the catastrophic repercussions that could result from an all-out cyberwar.
3. Hackers will Continue to Exploit the Weakest Link (Service Providers & Law Firms Beware…)
The ransomware epidemic is a reminder that the cybercrime economy is based on the principles of capitalism. Until organizations persistently protect information at the data level (and stop paying the ransom), these attacks won’t slow down. And, as companies increasingly utilize third-party service providers to reduce costs, more and more information will be at risk.
In 2016, the healthcare industry was revealed to be especially vulnerable to ransomware attacks, with 75% of hospitals surveyed in a poll by Health IT News and HIMSS reporting that they had been hit by one. And while that will remain true next year, we expect hackers will expand into other verticals. Hackers will look for the weakest link and exploit industries that have highly sensitive information and lower investments in security solutions. These attacks sometimes require only one employee mistake to initiate, meaning it’s only a matter of time until an overworked employee clicks the wrong link and exposes his or her firm to a hacker looking to steal critical data.
4. Organizations will be More Stringent on the Security of Their Third-Party Vendors and Collaboration Partners
In 2017, we can expect to see organizations placing stricter compliance regulations on their third-party outsource vendors and other external collaboration partners. Third parties such as advisors, vendors, sub-contractors and business partners pose a huge risk to organizations because they require access to systems and data to conduct business, yet there is no accountability in the way they handle a company’s data. In fact, 1 in 4 companies believe they have had data stolen from a third-party vendor. Once information is shared with a third party, the organization has lost control over what happens to its sensitive data.
Often, the third-party organization or contractor does not have the necessary security mechanisms in place, and hackers are always looking for the weakest link in the information supply chain. The Panama Papers breach is a great example of how information shared with a third party, in this case a legal firm and corporate servicing agency, caused personal and corporate reputations to be deeply tarnished or ruined.
Then we have the continued challenge of employees and sub-contractors stealing intellectual property. 67% of independent contractors and employees take IP with them for the express purpose of leveraging it at a new position, costing organizations more than $400 billion in annual losses. With ongoing pressure to achieve profits, organizations will become ever more reliant on third-party vendors and processing partners in 2017. However, profitability can no longer trump security when it comes to collaboration.
Ultimately, companies are responsible for the safety of their data (and their customers’ data) regardless of where it is being stored. Our prediction is that in 2017 organizations will begin to invest in solutions that persistently protect information, keeping it under their control even when it is shared with third parties. Servicing organizations will also find a competitive advantage if they can provide assurances that information on their servers is secured with granular usage controls at the data level.
5. InfoSec Teams Will Give Up On Perimeter Security, and Instead Adopt a Data-Centric Approach
Data is flowing through and outside of organizations at an unprecedented speed, and it will only continue to accelerate in 2017, especially with the growing adoption of outsourcing, a global/mobile workforce, and the use of innovative (but perhaps non-IT-sanctioned) technologies such as Enterprise File Sync and Share (EFSS). These trends mean that the security of the infrastructure and the devices that store sensitive data becomes far less important, as information is likely present on multiple systems/devices and shared via numerous routes, many of which lead outside the traditional corporate perimeter.
The free flow of information will warrant a paradigm shift in the InfoSecurity community, which will be unable to assure the security of data as it moves across and outside of corporate boundaries. Instead, InfoSecurity teams will shift their focus to securing the data itself, striving to achieve persistent security through solutions that enforce granular usage policies regardless of where the information resides.
6. Data-Centric Security Solutions Will Become an InfoSecurity Fundamental, Joining the Ranks of Anti-Virus and Firewall Technologies
The value offered by firewalls and anti-virus solutions has been on the decline. We predict that 2017 will be the year that organizations acknowledge the need to secure the data itself, and not just infrastructure and devices. The shift to persistent data-centric security has already begun, with Gartner pointing to Enterprise Digital Rights Management (EDRM) capabilities as a key requirement in their Enterprise File Sync and Share (EFSS) Magic Quadrant. In fact, a number of vendors have already jumped on the data-centric security trend in 2016, with Citrix and IBM adding Rights Management features to their EFSS and Enterprise Content Management (ECM) offerings. You can expect more vendors to follow suit in 2017, and I’d be surprised if any of the major EFSS, CASB (Cloud Access Security Broker) and Virtual Data Room (VDR) vendors hadn’t integrated EDRM capabilities with their offerings by the end of next year.
For the organization itself, 2017 will be the year that Rights Management becomes part of an overall data-centric security infrastructure, seamlessly integrating with the organization’s ERP, EFSS, ECM, Data Loss Prevention, Data Classification and SIEM solutions to provide automatic protection (and auditing) of information as it is downloaded, discovered and shared.
In 2017 we predict a move towards stronger legislation combined with securing the data at the source. These will be two imperative shifts in the fight against the litany of unceasing data breaches. As hackers take a more targeted approach by pursuing higher-value breaches beyond credit cards and social security numbers – think of the US Office of Personnel Management, where hackers got away with federal employees’ fingerprints, security clearances and comprehensive personal details – we can no longer rely on just securing the infrastructure or devices. And as new collaboration technologies and the use of outsourcing continue to grow at breakneck speed, it will be virtually impossible to keep up with hackers unless organizations evolve their infrastructures to support a data-centric security model.