As 2015 draws to a close, we can expect the size, severity and complexity of cyber threats to continue increasing in 2016, says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members.
"For me, 2016 is probably the year of cyber risk," Durbin says. "I say that because increasingly I think we are seeing a raised level of awareness about the fact that operating in cyber brings about its own peculiarities."
Durbin says the ISF sees five security trends that will dominate 2016.
"As we move into 2016, attacks will continue to become more innovative and sophisticated," Durbin says. "Unfortunately, while organizations are developing new security mechanisms, cybercriminals are cultivating new techniques to evade them. In the drive to become more cyber resilient, organizations need to extend their risk management focus from pure information confidentiality, integrity and availability to include risks such as those to reputation and customer channels, and recognize the unintended consequences from activity in cyberspace. By preparing for the unknown, organizations will have the flexibility to withstand unexpected, high impact security events."
Durbin says the threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles. He adds that we should expect new threats to emerge over the course of the next year.
Conflicting official involvement in cyberspace in 2016 will create the threat of collateral damage and have unforeseen implications and consequences for all organizations that rely on it, Durbin says, noting that varying regulation and legislation will restrict activities whether or not an organization is the intended target. He warns that even organizations not implicated in wrongdoing will suffer collateral damage as authorities police their corner of the Internet.
"We've seen the European Court of Justice kicking out Safe Harbor," Durbin says. "We're seeing increasing calls for backdoors from governments, while certain technology vendors are saying, 'Good luck, because we encrypt everything end-to-end and we have no knowledge of what this data is.' In a world where terrorism is becoming more the norm, there is a cyber-physical link here. How do we legislate in the face of that?"
Moving forward, Durbin says, organizations will have to understand what governments are able to ask for and be open about that with partners.
"Legislators will always be playing catch-up, and I think legislators themselves need to raise their game," Durbin says. "They'll always be talking about yesterday, and cyber is about talking about tomorrow."
Organizations are increasingly embedding big data in their operations and decision-making process. But it's essential to recognize that there is a human element to data analytics. Organizations that fail to respect that human element will put themselves at risk by overvaluing big data output, Durbin says, noting that poor integrity of the information sets could result in analyses that lead to poor business decisions, missed opportunities, brand damage and lost profits.
"There is this huge temptation that, of course, if you've accessed [data], it must be right," Durbin says. "This issue of data integrity, for me, is a big one. Sure, data is the lifeblood of an organization, but do we really know whether it's 'A-neg' or 'O-neg'?"
"There's this massive amount of information out there," he adds. "One of the things that scares me to death is not necessarily people stealing that information but actually manipulating it in ways that you're never going to see."
For instance, he notes that organizations have outsourced code creation for years.
"We don't know for certain that there aren't back doors in that code," he says. "In fact, there probably are. You're going to need to be much more skeptical about this: Question assumptions and make sure the information is actually what it says it is."
And, of course, it's not simply the integrity of code you need to worry about. You need to understand the provenance of all your data.
"If it's our information, we understand the provenance, that's fine," he says. "As soon as you start sharing it, you open yourself up. You need to know how the information is being used, who it's being shared with, who's adding to it and how it's being manipulated."
Smartphones and other mobile devices are creating a prime target for malicious actors in the Internet of Things (IoT), Durbin says. The rapid uptake of bring-your-own-device (BYOD), and the introduction of wearable technologies to the workplace, will increase an already high demand for mobile apps for work and home in the coming year. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and thorough testing in favor of speed of delivery and low cost, resulting in poor quality products more easily hijacked by criminals or hacktivists.
"Don't confuse this with phones," Durbin says. "Mobility is more than that. The smartphone is just one component of mobility."
He notes that there is an increasing number of workers, just like him, who are constantly mobile.
"We don't have offices, as such," he says. "The last time I checked in it was a hotel. Today it's somebody else's office environment. How do I really know that it is 'Steve' coming into this particular system? I might know that it's Steve's device, or what I believe to be Steve's device, but how do I know that it's Steve on the other end of that device?"
Organizations should be prepared to embrace the increasingly complex IoT and understand what it means for them, Durbin says. Chief Information Security Officers (CISOs) should be proactive in preparing the organization for the inevitable by ensuring that apps developed in-house follow the testing steps in a recognized systems development lifecycle approach. They should also be managing user devices in line with existing asset management policies and processes, incorporating user devices into existing standards for access management and promoting education and awareness of BYOD risk in innovative ways.
Cybercrime topped the list of threats in 2015, and it's not going away in 2016, Durbin says. Cybercrime, along with an increase in hacktivism, the surge in cost of compliance to deal with the uptick in regulatory requirements and the relentless advances in technology against a backdrop of under investment in security departments, can all combine to cause the perfect threat storm. Organizations that adopt a risk management approach to identify what the business relies on most will be well placed to quantify the business case to invest in resilience.
Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, cause disruption or even bring down corporations and governments through online attacks. Organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events.
"I see an increasing maturity and development of the cybercrime gangs," Durbin says. "They're incredibly sophisticated and well-coordinated. We're seeing an increase in crime as a service. This increasing sophistication is going to cause real challenges for organizations. We're really moving into an area where you can't predict how a cybercriminal is going to come after you. From an organizational standpoint, how do you defend against that?"
Part of the problem is that many organizations are still focusing on defending the perimeter in an era when insiders — whether malicious or simply ignorant of proper security practices — make that perimeter increasingly permeable.
"We have viewed cybercrime rightly or wrongly from the perspective of it being an external attack, so we attempt to throw a security blanket over the perimeter if you will," Durbin says. "There is a threat within. That takes us to a very uncomfortable place from an organizational standpoint."
The fact of the matter is that organizations won't be able to come to grips with cybercriminals unless they adopt a more forward-looking approach.
"A few weeks ago, I was speaking to a CISO of a major company with nine years on the job," Durbin says. "He told me that with big data analytics, he now has almost complete visibility across the entire organization. After nine years. The cybercriminals have had that capability for ages. Our approach is continually reactive as opposed to proactive."
"Cybercriminals don't work that way — based on history," he adds. "They're always trying to come up with a new way. I think we're still not that great at playing a defensive game. We need to really raise it to the same level. We're never going to be as imaginative. There's still this view inside the company that we haven't been broken into already, so why are we spending all this money?"
Information security professionals are maturing, but the increasing sophistication of cyber-attack capabilities demands more of them, and they are increasingly scarce. While cybercriminals and hacktivists are increasing in numbers and deepening their skillsets, the "good guys" are struggling to keep pace, Durbin says. CISOs need to build sustainable recruiting practices and develop and retain existing talent to improve their organization's cyber resilience.
The problem is going to grow worse in 2016 as hyperconnectivity increases, Durbin says. CISOs will have to become more aggressive about acquiring the skill sets the organization needs.
"In 2016, I think we're going to become very much more aware that perhaps we don't have the right people in our security departments," he says. "We know that we've got some good technical guys who can fix firewalls and that sort of thing. But the right sort of people can make the case for cybersecurity being linked to business challenges and business developments. That's going to be a significant weakness. Boards are coming to the realization that cyber is the way they do business. We still don't have the joined up linkage between the business and the security practice."
In some cases, it's going to become apparent that organizations simply don't have the right CISO in place. Other organizations will have to ask themselves if security itself is sitting in the right place within the organization.
"You can't avoid every serious incident, and while many businesses are good at incident management, few have an established, organized approach for evaluating what went wrong," Durbin says. "As a result, they are incurring unnecessary costs and accepting inappropriate risks. Organizations of all sizes need to take stock now in order to ensure they are fully prepared and engaged to deal with these emerging security challenges. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will better understand the true nature of cyber threats and how to respond quickly and appropriately."