As the publicity surrounding cybercrime has increased, enterprise IT has been forced to up its game. With a renewed focus on security, organisations have rewritten their policies, enhanced their encryption and upped their anti-virus investments.
Yet despite these efforts, there remains one area of enterprise IT that is frequently left unchecked and under-appreciated: businesses’ application portfolios.
With more platforms, updates and apps, the odds of an application security breach have increased year on year. Now, with cybercrime setting the agenda for 2015, organisations are faced with an entirely new generation of potential threats.
Unlike traditional attacks, these threats represent a far subtler risk to organisations, placing company data at risk over a much longer period of time. As a result, they are more likely to slip under an IT manager’s radar, going unnoticed for months, if not years.
With this in mind, here are the five biggest application security threats to watch out for in 2015.
1. The rise of the Internet of Things
Within enterprise IT, many of the biggest security breaches arise as a result of out-dated technology and poor data management standards. In particular, internet-connected ‘customer-facing’ applications pose one of the most significant threats. Without the necessary patches and regular updates, these applications provide an easy backdoor to company data and sensitive corporate information.
Now, with the rise of the Internet of Things, the number of these connected devices is expected to increase by as much as 20 times. Where once, organisations would only need to update a small selection of software applications, they will now need to manage and migrate their software across hundreds of different devices. This could include anything from wearable technologies to smart office appliances. Without sufficient updates and administration, each one of these new connected devices will represent a potential security threat.
2. The move to cloud computing
As cloud computing moves from an ‘optional extra’ to a de-facto choice, many large enterprises are beginning to realise that making the switch isn’t quite as easy as it sounds.
Just like any large-scale system migration, the process of moving an entire application portfolio to a brand new platform should never be undertaken lightly. Unfortunately, however, due to the wide-scale publicity surrounding the cloud, many businesses have rushed into a migration without considering the necessary security requirements.
While cloud security can represent a significant improvement over on-site storage, the rush to migrate has left many businesses facing serious breaches of data protection. By moving sensitive information to externally owned servers, many businesses may be unaware that they are breaking compliance legislation and could be placing their information at serious risk.
Businesses need to assess which apps can be moved to the cloud, and which might expose potentially sensitive data. And where possible, businesses should also start to get into the mindset of encrypting data at the file level.
3. The ‘hidden cloud’
For those organisations that do not move to the cloud, a whole new security threat is predicted to arise. In an attempt to access the very latest technologies, employees who have been denied use of the cloud are likely to go off-piste and rely instead on unregulated applications.
By storing company information on services such as Dropbox and Google Drive, employees begin to create their own ‘hidden clouds’, outside the gaze of corporate IT departments. These invisible storage systems not only place private information outside of the company’s control, but are also far more susceptible to infiltration attempts due to their prominence in the public domain.
While it’s clear that a poorly attempted cloud migration poses a significant risk, avoiding the cloud entirely is simply no longer a feasible strategy. Employees will access cloud-based applications, with or without their IT department’s permission. By providing controlled access, such as the use of a corporate app store, businesses can help to minimise this risk.
4. The final phases of BYOD
At this point, BYOD is already largely integrated into most companies’ IT infrastructures. As with cloud migration, fighting against such progress has merely prolonged the inevitable. As we move into 2015, however, the questions surrounding BYOD are no longer as simple as: “Should we allow employees to use their own phones?”
With the recent influx of new devices, corporate employees now expect to bring their own applications, laptops, phones, tablets and even smartwatches. They expect these devices to work seamlessly with each other, without restrictions, and in conjunction with corporate apps.
For enterprise IT departments this poses a number of serious security threats. Firstly, by storing sensitive information on such a wide variety of devices the potential for security breaches and ‘misplaced data’ increases dramatically. We’ve all heard the stories of unencrypted USBs and phones left on trains exposing hugely sensitive data.
Secondly, with more devices to manage and maintain, it is increasingly likely that employees will fail to keep their applications up-to-date with the latest security patches. These issues, combined with reduced control on behalf of the IT department, represent a perfect storm for application security.
5. The increasing pace of change in IT
While the above trends pose unique security threats for enterprise IT, they all occur as part of a much wider change in the IT landscape. Throughout 2014, the rising pace of technological change has become increasingly evident, with many businesses struggling to keep on top of the latest trends.
Whereas previously corporations would have had months – if not years – to prepare for a significant change in their application processes, the time between upgrades and migrations is now barely a matter of months. This year alone businesses have been faced with the end of Windows XP, the launch of Windows 10, the closure of Server 2003 and the wider shift to cloud computing. For those who fail to update, all of these changes represent yet more application security risks and further holes in their IT armour.
This is possibly the hardest security issue to address, as in many ways it is never going to go away. While businesses can adjust to a new system, it is far harder to adjust to an entirely new mind-set. This, however, is exactly what they must attempt to do.
Rather than focusing on individual migrations or updates, IT managers should now consider application security to be a continuously evolving ‘living’ process. By undertaking this change in mind-set, enterprise leaders can help to address all of the above issues at once.
Whether this is as part of a move to the cloud, a BYOD implementation, or even a company’s first steps into the Internet of Things, application security cannot go on as a purely reactive process. It’s time we upgraded our thinking, not just our apps.
Sourced from Adrian Foxall, CEO, Camwood