As we near the end of 2015, what will 2016 look like in the information security sector? Undoubtedly there will be an increase in data breaches across all industries, but will businesses take the high road and inform their customers and the media immediately upon learning of a breach? Will they do so only if it is required by industry compliance regulations, or will they attempt to downplay the breach? While many midsize businesses will hopefully increase their infosec budgets and talent pools, there are three areas that will definitely take center stage.
BRING YOUR OWN DEVICE TO WORK
BYOD, or in other words, Bring Your Own Device to Work, is no longer a phenomenon. Today, BYOD plays a large part in most businesses’ infrastructure, due to ease of use and cost savings. However, despite those positive reasons for BYOD adoption, IT and security personnel now have to look at the extra bandwidth that these devices consume and the security issues that arise from an individual’s device hygiene: download behavior, system updates, and antivirus, to name a few. Will companies consider mobile device management (MDM) as a way to protect their networks from BYOD issues?
Mobile malware is on the rise and will continue to be a problem, especially for Android users. The majority of malware is aimed at Android and is becoming harder to spot. For those with Android devices – especially for those who use their devices in business settings – the threat of malware is very real.
“While it’s true that other mobile devices like those produced by Apple are not immune to malware, it’s a fact that the vast majority of mobile malware hits Android devices – 97% of it.”
The rise in the use of mobile payments is now becoming a larger concern and is giving hackers another way to monetize their actions. So by targeting Android devices with specific malware, bad actors can create a “target rich” environment pointed directly at commerce on a national and global scale.
INTERNET OF THINGS
Since Internet of Things (IoT) vendors lack a security knowledge base and don’t think of securing their devices, there will be an increase in the number of attack vectors. IP cameras, SOHO routers, smart TVs, and other appliances are just the beginning. With IoT, economies of scale will result in lower prices and a dramatic rise in attack surfaces. Once a vulnerability is discovered in one device, it opens the door for others with that device to attack as well. One problem with IoT is that device manufacturers have either not figured out or are ignoring the importance of software/firmware patches. So far, companies are being reactive and not proactive. A user should not have to log in to his/her router or device software to discover that a patch has been released. Patching should be handled in the same manner as Microsoft does it. When new vulnerabilities have been discovered, new patches are released, delivered, and installed on reboot. Given the number of devices that will soon be online, the responsibility to provide patches should fall on manufacturers who sell equipment, not the end-users.
In addition, all IoT devices are gathering information about users. Since laws are far behind today’s reality, gaining access to the data stored by these devices may not be as hard as accessing other devices.
CIA Director David Petraeus believes that, “Even mundane appliances like your dishwasher could soon be used to gather intelligence about you. Appliances including dishwashers, coffee makers and clothes dryers all now connect to the Internet. This helps the manufacturers troubleshoot performance and improve energy efficiency, and it gives owners the chance to order a fresh cup of coffee or a dry bin of clothes from their phone, computer or tablet…Knowing when you make your coffee sounds innocuous enough, but that little piece of data could help snoopers geo-locate you, and learn your habits and schedule for all manner of malfeasance.”
In the words of White Hat Hacker Barnaby Jack, “When you actually look at these devices, the security vulnerabilities are quite shocking.”
According to Raimund Genes, Chief Technology Officer of Trend Micro, “We anticipate 2016 to be a very significant year for both sides of the cybercrime equation. Governments and enterprises will begin to see the benefit of cybersecurity foresight, with changes in legislation and the increasing addition of cybersecurity officers within enterprises. In addition, as users become more aware of online threats, attackers will react by developing sophisticated, personalized schemes to target individuals and corporations alike.”
So, keeping all of these security concerns in mind, if your business has a data breach during 2016, how soon will you alert your customers? Will you write a letter to customers and post it on your website, send an email, and notify the media? In the event that you find yourself in this position, here are a few examples of communications to stakeholders:
• Dow Jones:
• Bed Bath & Beyond:
• UCLA Health:
How will your business deal with these three areas during 2016, and what other issues concern your business or industry? Please chime in.
To learn about the latest data breaches, visit the Privacy Rights Clearinghouse
“Empowering Consumers. Protecting Privacy.”
This post was brought to you by IBM for MSPs. Dedicated to providing valuable insight from industry thought leaders, PivotPoint offers expertise to help you develop, differentiate, and scale your business.