Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

CYBERSECURITY PREDICTIONS 2016: LUCK OR LEADERSHIP?

By Simon Crosby, Co-founder & CTO, Bromium

Simon Crosby
Simon Crosby

In the blink of an eye, 2015 is almost over. When looking back at it and what it meant for the cybersecurity industry, this year has been predictably busy. We saw large acquisitions, including those of EMC by Dell and Websense by Raytheon, while companies such as Rapid7 and Sophos went public. Large funding rounds were a near weekly occurrence, and as a result the sector raised more than $2.3 billion within the first nine months.

Cybersecurity spending increased sharply and by the end of the year should finish at around US$80 billion, according to Gartner’s estimates. While the U.S. House and Senate continued to debate cybersecurity legislation, US government agencies amassed a whopping security budget of $12.5 billion, collectively.

There were unforgettable breaches — like TalkTalk, Hilton, and Carphone Warehouse, although the sexiest headlines went to the Ashley Madison breach. There also were countless daily reports of breaches due to “sophisticated attacks” and resulting losses from companies whose infrastructure — despite all the spending — remained woefully vulnerable. Even United States President Barack Obama stepped into the fray, cementing an agreement with China in the hope of limiting the scope of nation-state hacking. Good luck with that!

Looking back, it’s painfully clear that while we may not have known then the names and faces of the victims, or the numbers behind the M&A, funding, budget and breach news, most of this was predictable in 2014. So will next year be any different, or are we doomed to repeat the past, yet again?

Unfortunately in most respects, 2016 won’t change much: users will still unknowingly click on malicious links; IT departments will still be bad at staying up to date with patching; the bad guys will continue to attack; and the tide of misery from breaches will persist. What matters most is whether your organisation will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organisation to the high ground based on a well-considered, security-first strategy.

It is important to remember that, despite their claims, most security vendors cannot help you. Within the market we see too many “me too” vendors, who’s main focus in on the staple of detection. Within the endpoint security sector alone, over 40 vendors are bringing to market a feature set that Gartner terms “EDR,” or endpoint detection and response. The sole goal of this is to help find a breach in progress — provided you know what to look for in the first place. Despite vendor claims, detection can’t protect you, and it isn’t advancing much, even when disguised as artificial intelligence (AI). In a world of adaptive, intelligent attackers, even the best AI technologies have a tendency to make masses of mistakes. In fact, Ponemon estimates that a typical large enterprise spends up to 395 hours per week processing false alerts — approximately $1.27 million per year.

Of course, security (still) won’t be solved inside the Beltway. Year after year, public sector companies hang their hats on the hope that cybersecurity legislation will somehow do the trick. This year was no different. You may recall recall that CISA and the Wassenaar Agreement both sparked industry-wide debates around data security, civil liberties, privacy and exploit controls. There is no doubt that security is a serious issue and a hard problem to solve, but it’s one that is not going to be solved by governments. . Much like healthcare, security is a systematic problem that requires more than a band-aid or firewall to fix. Security legislation will require government collaboration that it is simply unrealistic to expect at this current time. .

It is also important to remember that the same vendors that promise to secure you still won’t be held accountable for breaches. PwC predicts that the cyber insurance market will triple in the next five years. While insurance will do little for the peace of mind or job stability for CISOs whose companies experience a breach, it will hopefully force organisations to take a long, hard look at the cost of their continued insecurity. It’s time for you to force your vendors to be accountable instead. If a vendor claims to secure your network, force them to accept liability if your organisation is breached. Pay your endpoint security vendors based on the value they deliver.  Free is a good option when regulations demand the functionality, but the vendors fail to protect you. Force your vendors to put their money behind their marketing messages. Greater accountability means greater drive for cybersecurity technologies that do what they claim to do and actually help to mitigate threats.

My recommendation: Instead of relying on post-hoc analysis in the hope of spotting a breach, your focus in 2016 should be on adopting solutions that make your infrastructure more secure by design, to prevent a breach before it starts. Move to the cloud. Adopt micro-segmentation and micro-virtualisation. And upgrade to the latest operating systems.

I don’t think we’ll see an end to data breaches in the near future, but if organisations stop relying on faith in marketing claims and government and being complacent and start questioning the status quo and demanding answers and accountability from vendors, we’ll be able to see many of the breach news headlines disappear.