With a new year just over the horizon, we asked six security experts for their views and opinions on what events and trends will unfold in 2017 in the cyber security space. These are people that have spent a great deal of time and energy on the front lines of the contemporary threat environment.
1) Cyber attacks and data breaches within small and medium-sized businesses (SMBs) will dramatically increase in 2017. SMBs need to invest in strong security defenses or risk going out of business. A study sponsored by Keeper Security and conducted by the Ponemon Institute titled, “2016 State of Cybersecurity in Small and Medium-Sized Businesses,” found that 55% of SMBs have experienced a cyber attack in the past 12 months. According to the U.S. National Cyber Security Alliance, 60% of small companies were unable to sustain their businesses more than six months following a cyber attack. A cyber attack costs a company $4 million, on average. With 71% of all cyber attacks targeting small businesses with fewer than 100 employees, it’s imperative that SMBs strengthen their defenses or risk going out of business.
-Darren Guccione is the CEO at Keeper Security, the leading secure password manager and digital vault for businesses and individuals
2) The death of passwords will once again be greatly exaggerated. I have always been fascinated by predictions of the year ahead and of the future. So my only prediction is that everyone who predicts the death of passwords next year will be wrong again, just like the past 10-15 years or so! One tip I have for next year is to write password policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it.
-Per Thorsheim is one of the world’s leading password consultants and founder of the PasswordCon twice-annual conference.
3) IoT has a big target on its back – watch for highly targeted attacks. As shown clearly by the big Dyn attack, the Internet of Things will fast become a major security concern in the year ahead. Many of these interconnected devices come with poor security, and attacks on them will result in new loss scenarios. The big loss issue of course is privacy. But with the IoT and all its home devices, medical devices, even home appliances, the different loss scenarios will include bodily injury and property damage. Liability lawyers will go after everyone associated with these breaches. This will include the manufacturer, and possibly even the person who is using the IoT device. Router makers could face exposure they never imagined.
The chief concerns regarding cybersecurity in the past several years have centered on privacy and ID theft. Going forward there will be greater probabilities of targeted attacks around network interruption and specific company systems because everything is so greatly interconnected. Think of a targeted attack on a key element of a global supply chain in a just-in-time manufacturing scenario, where all links in the supply chain are highly interdependent on one another. These attacks will be motivated by those seeking ransomware, as well as those just seeking to do a lot of damage – possibly working for competitors. We could see more environmentalist groups attacking oil and gas operations, possibly even the electrical grid. Imagine an animal rights group hacking into a commercial farming operation, compromising the security system, and turning all the pigs loose.
-Steve Bridges is SVP at the Cyber/E&O Practice at JLT, the world’s largest specialty insurance broker with a specific focus on cyber errors and omissions management liability
4) Exploiting workers via social engineering through their personal social media accounts at work. Social media seems harmless enough especially when your employees stick to using it for personal reasons. But it can indirectly be responsible for critical security breaches. With some social engineering and patience, an attacker can use persona social media profile information to gain access to your corporate network. The attack is completely outside of your control and uses a combination of social engineering and phishing techniques. It is fairly easy, as this blog shows.
The best advice is to educate users on the dangers of social media and phishing emails. You can install software on our email servers that check attachments for malicious content. And some email administrators simply block all executable attachments.
-Terry Kurzynski is a security consultant at Halock, a U.S.-based information security consultancy.
5) We’ll see FIDO come front and center. The Fast IDentity Online Alliance (FIDO) is a non-profit organization formed four years ago to address the lack of interoperability among strong authentication devices as well as password problems users face. In 2017 we’ll see the beginning of the FIDO impact. This will include protocol improvements, as well as support across multiple platforms and devices. And this accordingly will challenge enterprises, governments, and end-users to explain why they aren’t adopting FIDO authentication or similar technology to replace or modify failing access controls.
-John Fontana is an Identity Evangelist at Yubico, the creator of the YubiKey, a small USB and NFC hardware two-factor authentication device.
6) Is a full-scale cyberwar looming? My primary prediction for 2017 is the escalation of skirmishes like the infamous hack of the Democratic National Committee to gradually escalate to an overt, international incident. While the term cyberwar is thrown around a lot, we’re seeing all the major signs and lead-ins to what will be the first major cyber clash between two or more world powers.
-Ben Caudill is founder and CEO of Seattle-based Rhino Security Labs, where he still does penetration testing as well as application security assessments.