Signs of 2017: cyber

by Mark Rowe

The 2016 news headlines were once again dominated by stories of high-profile data breaches as big brand names, government agencies, financial institutions and media companies around the globe succumbed to cyber attacks. What’s more, the intensity and scale of attacks targeting small and medium-sized businesses highlighted how no organisation is too big, or too small, to escape the attention of hackers, writes Asma Zubair of IT security testing company WhiteHat Security.

On a more positive note, this generated widespread awareness of the enduring nature of the data breach menace. It was this recognition that complacency was no longer an option that propelled organisations into taking action, advancing their security practices to better counter potential cyber threats. But as cybercriminals continue to evolve their modus operandi, finding new ways to penetrate corporate defences and target individuals, 2017 will no doubt be marked by a further slew of sophisticated attacks. With advanced persistent threats becoming more prolific and complex, here are our top five security predictions and trends for 2017.

1 Applications continue to represent a weak spot

Offering a large and vulnerable attack surface for attackers to prey on, applications represent the Achilles heel of enterprise security. According to the 2016 Verizon data breach report, web application attacks were the number one source of data loss, accounting for 40 per cent of all incidents resulting in a data breach.

Despite web applications representing a favourite attack vector for cyber criminals, WhiteHat’s recent Statistics Report demonstrates the current dismal state of application security: remediation rates are typically under 50 per cent, and vulnerabilities that are eventually resolved often stay open for months. With little sign on the horizon that organisations are making fundamental changes to their app development processes or security practices, expect to see stories of big data breaches originating from the application layer continuing to hit the headlines in 2017.

2 IoT attacks will continue to escalate

Billions of connected IoT devices are insecure and unlikely to be patched or fixed anytime soon. The sheer size of the IoT is increasing global vulnerability to cyber attack. With the number of IoT sensors expected to approach 30 billion by 2020, 2017 is likely to be characterised by more stories of ‘smart’ devices being hijacked to launch denial of service attacks, breach enterprise networks and put assets and operations at risk.

The recent major DDoS attack on Dyn – during which a host of insecure devices were hijacked simply by scanning open networks for devices using factory-default passwords – served as a major wakeup call. With calls for players outside the tech industry to step in, we can expect to see governments stepping in to regulate IoT security and mandate the security practices manufacturers implement on their devices.

3 Multi-factor authentication will curtail hacks

According to the 2016 Verizon data breach report, 63 per cent of confirmed data breaches originated from default, weak or stolen passwords. But usage of multi-factor authentication (MFA), a method of control requiring multiple pieces of evidence to authenticate access, is gaining popularity. Indeed, the research firm Markets and Markets estimates the MFA marketplace will reach 9.6 billion USD (a CAGR of 17.7 per cent). We expect that the growing adoption of MFA will help to curb the number of cyber attacks taking advantage of weak, default or stolen credentials.

4 Vendor risk management will take a major step forward

Mitigating third party vendor risk is a known area of concern for security professionals, who frequently have to deal with ad-hoc processes and a lack of transparency from vendors. Vendor security was a hot topic in 2016 and there were signs we may well be on the brink of a major transformation in this area. In March, Google open-sourced their vendor security review in the hope that this would help other companies improve their own vendor security programmes. And in October, the Vendor Security Alliance published a questionnaire designed to help organisations assess and benchmark third party product and service risk. In 2017, expect to see vendor security risk management processes become even more streamlined and automated.

5 Tackling organisational silos to enable a more security-centric culture

Cyber security is now a top priority for organisations, yet organisational silos represent the biggest hurdle to putting security into practice. Frequently, the development team’s priorities aren’t aligned with those of the security team. Meanwhile, there can be major disconnects within the security team itself; for example, those tasked with Application Security won’t necessarily collaborate with the network security or cloud security teams.

We know from talking to our customers that organisations recognise this issue and are striving to address it. In 2017 we expect to see organisations taking steps to address the weaknesses created by organisational silos, particularly those between the security team and the rest of the organisation. Processes will be streamlined and priorities aligned in the interests of enabling improved cyber security. While 2017 will serve up a variety of challenges for security teams, we believe organisations will push forward with the adoption of DevSecOps and implement enhanced risk management, information transparency and collaboration. While this work may not be completed within 12 months, it will mark a turning point that should ultimately deliver enhanced online security for all.

* Source: IDC Worldwide and Regional IoT Forecast 2015.
