4 Predictions from the Cybersecurity Crystal Ball
Given the high frequency of hacks in 2014, we can expect worse cyber-attacks in 2015. Here are my own cybersecurity predictions for 2015.
6 January 2015
Given the high frequency of major hacks in 2014, we can expect that barring some major development, companies are going to face even worse and more clever attacks on their network perimeters in 2015 (and in the years to come).
This is gloomy news — some chief information officers and chief information security officers already are feeling powerless to stop incursions into their enterprises. But if we know the scope of the problem, at least we can begin to define its solution.
With that, below is my own personal short list of predictions for 2015.
Prediction One: Hackers Will Target FSS Providers
Without a doubt, I think we’ll see an increase in the number of penetration attempts on consumer file sync and share (FSS) service providers, such as Dropbox. Already, hackers have used FSS services as a vector for malware assaults. Infecting a provider saves the hackers the trouble of trying to cyber-burglarize many individual accounts.
It’s a question of numbers: The popularity of these FSS solutions potentially gives hackers an open door to hundreds of millions of end users. In turn, regrettably, the roster of these end users will include some professionals who work in corporations. Some of these end users may even be using these solutions to store or share business information.
Many information technology departments may not be aware that there are cloud- and FSS-enabled gaps in their network protection. And FSS applications will be a gateway for hackers to seek access to the bigger rewards — administrative rights.
To address this sort of threat, CIOs and CISOs should have a clearly defined policy about what cloud applications — FSS ones in particular — are allowed in their networks. Also, it's important to define what FSS solutions are safe for storing or sharing company data. The policy should be very specific, and known cloud apps that don’t meet security demands should be blacklisted.
Remember to enforce the policy. Don’t settle for substandard protection technologies and practices — use available tools, such as encryption and strong passwords. Go beyond just guarding your identity and administrative rights: Secure critical data with an additional protection layer — in the future, this step will be a necessity, and not just a nice-to-have.
Prediction Two: Cyber Hacking to Become a State Project
The assault on Sony indicates that national governments — or organizations with state-scale capabilities — may be willing to select targets in the private sector and cause devastation. If the Sony incident is a guide, these penetrations will be extremely sophisticated and thorough.
The hacks won’t be performed to gain inside information for profit — at least not in the near-term — by stealing data, such as credit card numbers. Rather, the assaults will be the equivalent of political-commercial terrorism. There won’t be any one special remedy for this. But the situation demands that all companies take cybersecurity as seriously as they treat any other crucial business operation.
Prediction Three: The Law Will Play Catch-up to the Hackers
Given the staggering number of cyber-attacks on companies, I think it’s likely (perhaps even inevitable) that the authorities will respond. The public is vulnerable; universal mistrust of the privacy of electronic transactions could, potentially, seize up the wheels of commerce. So, expect regulators and legislators to update and change existing regulations.
As a result, the rules will become tighter and more precise. It’s already started in finance, where regulators are reviewing specific cybersecurity policies. Because of the Sony breach, and the apparent geopolitical nature of that attack, the government and regulators may be looking to implement more stringent controls.
As a corollary, there may be an increase in penalties and sanctions for those companies that are noncompliant with these new regulations. The demands on IT departments will grow. So, again, the best approach is to get out ahead of the problem.
Managers in companies in regulated industries must continually review the laws and best practices guidelines with both the IT and legal departments. Then, as a group, these managers must ensure that their methods for storing and protecting data are adequate. If we don’t fix the security shortcomings in our companies up-front and voluntarily, we can expect the government to force corrective change on us, on the back end, by levying fines and sanctions.
Prediction Four: Cyber-crime On-demand?
Every company is vulnerable. This year, we saw the FIN4 hacking organization target dealmakers, presumably in the hope of extracting data to manipulate the stock market. I think this may be an indication there will be a rise in mercenary hacking rings — ones that work independently of any state or for any political gain. Rather, these rings will perform penetrations for hire, for specific purposes.
The way to prepare for this threat is to assume you are on some person’s — or company’s — attack list.
So, boost your data security and be ready. This year will see increased corporate board scrutiny on the CISO and CIO. Those working in either role will need to be prepared to reassure board members that their companies have adequate protection, and have a proactive plan in place to prevent all types of security threats. As a result, this will also be the year that the IT department can make a very legitimate case that a company needs to spend more on information security technologies, policies, and training.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many of the Fortune 1000 companies to turn business challenges into real-world solutions.