Every year the Infosecurity community reviews the major incidents of the past 12 months and predicts the future of security for the forthcoming year. 2014 brought with it the threat of more cloud-based attacks, and 2015 focused on the Internet of Things, but in reality every year brings with it a host of headline-hitting data breaches.
So what does 2016 have in store? The answer is – more of the same. There will be one or two really spectacular breaches next year in Europe, continuing the trend we’ve already seen this year. But the stakes will be even higher, with bigger financial losses and potentially millions being wiped off the value of companies that suffer data breaches, according to Barry Scott, CTO EMEA at Centrify.
The financial implications of a data breach are huge. Not only is there the risk of money being stolen as a direct result of a breach, but there are also the cost ramifications of reputational damage, legal expenditure and the risk of hefty fines from governing bodies such as the ICO (the UK Information Commissioner's Office). According to the IBM and Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for the participating companies increased 23 percent over the past two years, to $3.79 million.
After a year of big data breaches in 2014, the future looked bleak. Unfortunately, the breach headlines this year were even more striking than any of us could predict. 2015 breaches involved high-profile criminal and state-sponsored attacks. Breaches involved millions of personnel records of government employees, tens of millions of records of insurance customers, and hundreds of millions of customer records from various other companies. This year we even heard of a billion-dollar bank heist, says Corey Williams, senior director of products, Centrify.
Many of these companies had implemented advanced malware protection and next-generation firewalls and delivered regular security training sessions for employees. Yet breaches are still happening. What we know from cybersecurity experts is that the vast majority of breaches occurring today are due to a single weakness that is still not adequately addressed: compromised user credentials, AKA the humble username and password. Through phishing, Trojans and APTs, attackers today are focused on these digital “keys to the kingdom” used to access sensitive data and systems.
Williams notes that in 2016 organisations will (and must) adopt measures to mitigate the risk of compromised credentials. Complex and unique passwords are a start, but will never be enough. Multi-factor authentication will be implemented more broadly and across more apps and devices, adaptive access will be used to detect and stop suspicious login attempts, and granular privilege management will be adopted to reduce the impact of compromised credentials. Companies will start to accept that compromised credentials are the new normal and will take steps to mitigate the risk they represent.
Scott believes that people will finally realise that, wherever username/password authentication is being used, multi-factor authentication is a necessity and not an option. They will also realise that it can often be configured to trust your machine after the first time you use it, so it will only really inconvenience hackers rather than the genuine user, and you will also get a warning when someone is trying to get into your account. Major consumer apps are already supporting it, as Amazon announced recently.
He also predicts that the recent events in France may swing the pendulum back in the ‘security vs. privacy’ debate, which will in turn affect attitudes to encryption. Everyone will be scrabbling around to work out exactly what they need to do to get on the right side of the upcoming EU General Data Protection Regulation (GDPR). But the question is whether the GDPR and protecting against data breaches will conflict with the general ‘security vs. privacy’ debate as it applies to crime and terrorism.
Whether it is new regulations or a shift in hacking tactics, the outcome is the same: there is a drastic need for a radical new approach to security. Organisations shouldn’t completely write off their existing security strategy, but should take a holistic approach and adapt policies and strategies regularly. The more layers in place, the less likely you are to become a target. A data breach is imminent, and we are all just one mistake away from becoming the next headline. If organisations want to make a difference, protecting their data requires time, resources and constant revision of their security strategies.