2015 was a massive year for the cyber security industry, particularly with the discovery of malware including XcodeGhost, GunPoder, Dridex and KeyRaider – all of which pose significant threats to the digital economy.
But businesses also need to be prepared for the year ahead. Greg Day, CSO in EMEA for Palo Alto Networks, presents a glimpse of the future by sharing some predictions for the 2016 cyber security landscape.
1. 2016 will reshape perceptions of security in the EU
The Network Information Security Directive and General Data Protection Regulation Reform will both have material impact on cyber strategies in 2016.
By the end of the year, both will be on the cusp of going live, but businesses, whether part of critical national infrastructure or those that handle more than the expected 5,000 EU citizen records, will be required to have security capabilities aligned to the current state of the art capabilities, the latter regulation being aligned to their risk profile.
Today there is a clear gap between those that do leverage state of the art and those that continue to follow the same old practices many have followed for years. With potential auditing to check capabilities when incidents occur and potential notification, there will be more pressure to keep pace and prevent such instances.
All of this will amplify the importance of good cyber security in the boardroom. 2016 will be the year for businesses to make the transformation where required.
2. As Apple Pay and Google Pay and touchless mobile payments take off, cybercrime will shift to the smartphone
In the late 1990s, threat volumes exploded as criminals hooked into online banking and shopping growth. Now, the way people spend money is going through its largest transformation in decades, with mobile PAY platforms (in double digits of percentages of users, equating to millions of transactions), Venmo money transfers between friends and eWallets going mainstream.
As companies like Braintree enable millions of stores to be able to process payments through these new technologies, businesses must expect the volume of cybercrime to follow the money.
In recent months, exploits found in Apple iOS have joined the existing growth in Android attacks. Is this early probing into the complex supply chain that is mobile payment systems?
Just how far this will extend in the future is still not clear, as the scope of smart devices as our digital hub increases with ongoing announcements of the PLAY capabilities to enable media, connectivity and other services via the car.
Attackers have recently focused on hacking into automotive systems, resulting in major patches. As the opportunity grows, businesses must expect more focus, especially as cybercrime has typically followed the money. Today, far less attention is given to preventing incidents on the mobile device, but this is set to change in 2016.
3. Boundaries of attacks blur
In the last few years there has been a significant focus on APT and nation-state attacks, as their impact is typically more significant, yet the boundaries are blurring.
Many regular attacks are now leveraging more advanced concepts such as multiple components to avoid detection, taken from the APT attack lifecycle, as well as focusing in on more implicit targets.
Cybercrime is leveraging old-school techniques such as EXE infections and macros, and fraudsters are using reconnaissance techniques and targeting for big impact (such as honing in on big fish in the business with whaling techniques).
At the same time, nation-state groups are looking to commercial cybercriminals for both new innovative techniques and undisclosed vulnerabilities that the much larger knowledge pool behind cybercrime drives.
4. The changing position of the CSO
Historically the CSO has reported into the CIO, as security was considered a component of IT, but this is changing. A recent Palo Alto Networks report highlighted Europe as the only region to show a sizable shift from CISO/CSOs reporting to the CIO, moving from 50% in 2012 down to 33% in 2015.
Focus on cyber, its value and its impact is increasingly making it a board-level debate and elevating the investment and engagement, moving the CSO from a technical lead to a business risk leader.
In recent times, CSOs have reported to either the general council (tying into the legal implications when security fails), the CFO (due to the commercial implications), and directly to the CEO (due to the significance for the overall business).
There is a healthy tension in moving the role away from the CIO, whose primary focus is on enabling IT to make the business operationally effective. Breaking the alignment of investment between the two requirements – which are not linear to each other – and creating a healthy tension between enabling new business capabilities, thus ensuring they do not create undue gaps in risk for the business, will enable a better security practice.
As long as the CSO reports to the CIO, there will always be the concern that conflicting interests can impact balanced decisions being taken.
5. Traditional business networks are shrinking
By end of 2015, there will be three times as many IP-enabled devices active as people, over a zetabyte of data crossing global networks, and 90% of the world data having been created in the last two years.
Businesses are no longer able to justify the cost to build large, complex networks, and are increasingly looking to outsource, ‘cloudsource’ and consumerise their IT systems.
Business networks are shrinking as organisations shift to digital entities with only the most rudimentary core networks. Business tools such as CRM, email and file sharing are moving to the cloud.
Another recent Palo Alto Networks report highlighted a 46% growth in organisations leveraging SaaS resources in the last year alone. Add to this the growing adoption of IoT, devices such as machine-to-machine (M2M) in the workplace, and user-purchased wearables, and it’s not surprising to see that IT is changing.
As this happens, there is a new cyber security learning curve: how do you define best practices for shadow IT systems? Simple concepts such as visibility and policy control, through to meeting regulatory requirements, will require state-of-the-art capabilities that function in complex, multi-tenanted and multi-homed environments.
Looking to BYOD, a period of uncertainty was followed by a shift to a model with considerable benefits, highlighting the silent tidal force of momentum that pushes people towards a destination.
Despite similar concerns about moving to the cloud and IoT, Europe is heading towards transformational IT and the digital business entity. 2016 will be the year that businesses start to tackle these, whether that’s the simple wearable device, smart business tool or shared cloud resource.
6. Europe, the supply chain and security
While many have kept focus on the need for state-of-the-art cybersecurity, they remain dependent on the supply chain within. Organisations are only as strong as their weakest link, and some of the largest breaches worldwide in the last 12 months have highlighted this.
In Europe, outsourcing to complex international supply chains is common. There will be an increasing focus on trying to assess the risks these partnerships create and how businesses prevent them being the weak point of entry.
This may involve qualifying shared resource and access, and shoring up shared service to minimise risk from wide-open connections and validation of communications through them.
At a nation-state level, a significant contingent of critical national infrastructure (CNI) is made up of public and private partnerships, leaving many companies concerned about being caught in the crossfire of nation-state attacks.
Following growth in such attacks, confusion should be expected over just what level of security capability is required. Typically, the risks, and therefore cyber security investment, are lower for a business than CNI. But if that business is part of the supply chain for the CNI, confusion on where boundaries lie, what additional capabilities are required and funding models can only be expected as nation-state attacks grow, increasing focus on this complex and challenging space.