In 2015, we witnessed a number of high profile cyberattacks and data breaches that affected a wide variety of industries. The Swiss cheese defense of some of the nation’s largest healthcare providers (Anthem, Premera) resulted in the Protected Health Information exposure of close to 100 million American citizens. The hospitality industry (Marriott, Hilton) runs a close second in terms of reputation for lack of attention to information security and data privacy, as witnessed by a number of breaches, not just of PII, but of loyalty program points. One positive trend was the emergence of technical solutions that detect and prevent the spread of advanced persistent threats.
In our 2016 cybersecurity outlook, we expect cyberthreats to proliferate as attacks become more sophisticated, the targets increase, and technical security solution providers scramble to keep up. Here are some of the key cybersecurity issues we think will affect small and medium businesses in 2016:
While the Senate Select Committee on Intelligence, the White House, the National Security Council, the Department of Homeland Security and the National Institute of Standards and Technology push legislation to create encryption backdoors, expect commercial players, lobbyists, information security pundits and private interest groups to fight back. Both good and bad elements of the global society utilize encryption to protect their secret affairs. Cryptography plays a huge role for thousands of reputable organizations in the protection of confidential information assets and the avoidance of costly data breaches.
By law, US citizens don’t have the same individual privacy rights as our European counterparts. Many see the Cybersecurity Act of 2015, which President Obama signed into law in December, as the next opening for the government into our networks and systems. It’s currently expected to take six months to roll out the act, which is short considering that the legislation took upwards of three years to pass. We expect the rollout to be fraught with political debate. We expect future legislative attempts to be embroiled in partisan battle, even though lawmakers appear to be unified in pursuit of a strategy benefiting the government more than its people’s privacy rights. The US federal government should focus its efforts on exercising its global influence with world leaders and commercial global organizations to push for a common legal landscape and to find alternative approaches to fighting global cyberthreats.
Industry experts predict a spike in ransomware attacks, previously aimed only at businesses, that will increasingly affect consumers (as was the case with Ashley Madison). Wearable devices will now become a ransomware attack vector to your personal information, since they are typically connected via software to your smartphones, tablets and computers. Beware once self-driving cars hit the mainstream – but that won’t be this year.
To keep pace, smart device manufacturers will increase their R&D spend dedicated to securing their appliances. This may mean that the rate of new functional rollouts will slow, while marketers try to figure out how to make security improvements more exciting to the general public. These efforts should help improve consumer awareness of the risk associated with reliance on their tech toys and gadgets.
Hackers will continue to use their skills to target organizations engaging in questionable ethical practices or opinions that oppose their own. The highest profile cases are likely to be carried out by global hacking organizations (Anonymous), governments (North Korea, Iran) or terrorist organizations (ISIS), but in 2016, we may see a rise in cyberattacks executed by bored, but skilled teenagers.
Apple’s approach to security has been to manage a closed environment, making it difficult for outsiders to introduce bugs, flaws and malware into its ecosystem, through the use of the App Store. However, the proliferation of Apple smart devices and computers, coupled with its growing control of digital media content distribution and its move into the lucrative payment processing business, makes it a legitimate prime target with a wide range of attack vectors. Hopefully, Tim Cook has an army of security engineers keeping ahead of the threat pace. Realistically, users must share the burden of ensuring their personal devices remain protected, by employing smart passwords, key phrases, biometric controls and, yes, encryption of storage.
Businesses will increasingly procure cyberinsurance as a means to transfer the financial risk of cyberthreats. However, businesses will continue to retain liability for the misuse of information assets. The insurance company won’t have to answer for a breach affecting an organization; the senior management of the business will. Premiums and policy exclusions are also predicted to increase. Be on the lookout for legal activity between exploited businesses and their insurance carriers, who may claim the businesses didn’t exercise the appropriate due care to thwart cyberattack.
Unlike enterprise organizations, which are better equipped with the resources and budget to protect their security interests, smaller organizations are playing catch up. Cybernogoodniks will most likely exploit these opportunities. While the payoffs may not be as large, attacks may take less effort. Like their larger counterparts, small and medium sized businesses must make security part and parcel of the overall business strategy, integrating those efforts into everything they do. Not only will organizational leaders be better informed and prepared to deal with the inevitable attacks, but the value a strong security posture adds to the business, in terms of enabling the ability to take risks and pursue greater opportunities and growth, may yield great rewards.
In addition to cleaning their own houses, small and medium businesses must exercise due diligence on their supply chain partners. The 2015 US Office of Personnel Management breach was caused by a contractor’s security vulnerabilities: hackers gained access to OPM data through the use of the contractor’s system credentials. Information Security and Risk Executives must find ways to periodically assess the security controls of their partners, which should include onsite visits.
If you follow the information security press closely, as we do at SCS, you will have read about the increase in Board level involvement with Information Security matters. Large enterprise organizations increasingly are realigning org charts so that the dedicated Chief Information Security Officers (CISO) and/or the Senior Risk Executives report directly to Chief Executive Officers (CEO) or the Boards of Directors. Most small to medium businesses don’t have the luxury of an independent CISO or Chief Risk Executive. The Chief Information Officer (CIO) will continue to wear multiple hats, including an Information Security helmet.
To facilitate good governance and risk management, we recommend that small and medium sized businesses employ an Information Security Manager, who reports to the CEO, with dotted line accountability to a risk committee and the CIO. The amount of effort and skill required to implement security solutions, maintain documentation, assess security controls and drive continuous improvement efforts exceeds the capacity of any one person. An independent subject matter expert who fulfills this role must sit outside of IT Operations to effectively assess the controls. The Information Security Manager must be empowered to report findings accurately and honestly, to effect positive change and to ensure the highest level of security possible with limited resources.