We reached out to our security experts to see what they thought 2017 would bring us in the cybersecurity space, and narrowed it down to nine solid predictions. Read on for the list.
#1. The Internet of Things (IoT) will come under government cyber security scrutiny and require manufacturers to tighten security
Ongoing threats related to IoT devices will force manufacturers to tighten security layers, including patchable firmware/software, secured authentication, and controlled privilege access. Regulation will be pushed forward for vendor responsibility around IoT device software updates. Today, most IoT devices are considered throwaway devices and security patches are not issued. But new regulations will be driven by large-scale attacks using IoT to amplify the attack as we saw with Krebs on Security against an industry that has powerful lobby interests.
One of the largest denial of service (DoS) attacks to date targeted a French service provider and was hosted on mobile smart devices, proving that if it is connected to the Internet, it can be weaponized. Internet-connected devices need to meet minimum security standards just like automotive safety. This type of hack will escalate until legislators step in and provide a plan. We predict that a major hardware manufacturer will disclose vulnerabilities that are in firmware of devices they ship. Until then, IoT devices will be released with all sorts of flaws and potential exploit vectors, and many of them will be used to conduct malicious activity. - Joe Schramm, VP of Strategic Alliances, BeyondTrust
#2. Crime syndicates will take a quantum leap
Criminal organizations will most definitely become increasingly more sophisticated. The year hasn’t even ended yet and they are continually gaining a scary amount of momentum. As the Information Security Forum (ISF) describes it, “the complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level.” Some organizations will stem from existing criminal structures, while others will emerge for the sole purpose of cybercrime. This is going to be a tough year for organizations, and almost no one is immune. Even businesses that are in top security shape will struggle to keep up with the increased level of sophistication of attacks. “Rogue governments will continue to exploit this situation and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.” - The Information Security Forum’s (ISF) 2017 Global Security Threat Outlook
#3. There will be a shift in channel IT spending, resilience/DR and Security
In the next year we are going to see a rebalancing of spend from traditional security solutions to data protection and recovery. Whilst security spend protects the perimeter fence, there are simply too many cases of breaches getting past these defenses to not have a plan B in place. A hacker only needs to be right once to gain access, whereas the company has to be secure 100% of the time. CIOs and CEOs are starting to recognize that millions of dollars in IT security investments, while critically important, are just not enough when a disaster such as a hack or ransomware breaks through the perimeter or a natural disaster like a hurricane floods their data center. In the wake of a disaster, companies quickly come to the realization that without the right investments in a disaster recovery solution, their businesses are exposed. To be proactive, companies need a plan and tools in place to recover from any disaster very quickly with as little revenue and end-user impact as possible. Even if an organization has implemented the best preventative security technology, disasters can and do still happen. - Paul Zeiter, president at Zerto
#4. There will be a heavy security focus from DevOps
DevOps will continue to see rapid expansion in 2017, particularly in the enterprise where it has been slower to take hold. Every year, more and more new technologies enter the market, allowing developers to bring innovations faster to market. Recently the pace of technology innovation has outpaced the security of those technologies. I expect we'll see a correction in 2017 with a heavier security focus from DevOps teams, particularly in more conservative enterprise organizations. - Mike Kelly, CTO of Blue Medora
#5. There will be an uptick in cloud migration
In 2017, enterprises will be transitioning IT workloads to the cloud at a significant pace that will drive the biggest growth in hybrid cloud infrastructure, along with a significant increase of SaaS service offerings from vendors that address niche needs. While cloud computing makes it easier to traverse the network, the biggest issues will still be security, management and compliance. In order for enterprises to have control over all of these areas we will see private clouds still continue to proliferate. The lack of cloud talent in-house and lower TCO costs to run IT workloads off-prem vs on-prem will be key factors driving the broader adoption of managed cloud offerings in 2017. - Curtis Peterson, SVP of Cloud Operations at RingCentral
#6. Security will go from Wall Street to Main Street
While historically, it was the biggest organizations with the most attractive data that got hacked, increasing numbers of malicious attacks target smaller, often weaker, targets. In 2017, we will likely see medium-sized enterprises raising their security and business continuity efforts. Often, they’ll turn to cloud vendors to provide that security and maintain those systems, as they represent a fast path to the latest technology. - Justin Giardina, CTO of iland
#7. The IoT will add unmanaged risks
While the political, social and economic implications are not fully clear, Gigabit connectivity is going to be a huge, abrupt leap forward. What does this mean? Essentially, it will enable the IoT, as well as a new class of applications to emerge that will exploit the combination of big data, GPS location, personal-health monitoring devices, industrial production and even weather. Connectivity is now so commonplace and affordable that sensors are being embedded everywhere, increasing the flood of data and creating a massive ecosystem of embedded devices. The obvious glaring issue with this is that this makes them nearly impossible to secure. In 2017, there will be a significant uptick in issues over privacy and data access, and the threat landscape will expand exponentially, increasing the security burden for many organizations that are unaware of the scale and penetration of internet-enabled devices that are deploying IoT solutions without due regard to risk management and security. - The Information Security Forum’s (ISF) 2017 Global Security Threat Outlook
#8. Companies will focus on “hardening” the internet
Gartner estimates there are 6.4 billion connected gadgets out there, and each of those devices has the potential to generate volumes of DDoS traffic. To avoid the next big IoT attack we’ll see more companies focusing on hardening the internet to make it more resilient. Early innovators are implementing software-defined networking architectures that route traffic more intelligently, thwarting a potential DDoS attack. In 2017, we will see more companies popping up to build smarter, more resilient internet architectures to avoid these looming security vulnerabilities. - Curtis Peterson, SVP of Cloud Computing at RingCentral
#9. The role of the end user will become the weakest or strongest link in the security chain
In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a wild card. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of security awareness, the real commercial driver should be risk, and how new behaviors can reduce that risk.
With attackers more organized, attacks more sophisticated, and threats more dangerous, there are greater risks to an organization’s reputation than ever before. In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers, have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we’re no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack and businesses need to be aware of the important trends that have emerged in the past year, as well as those we forecast in the year to come. - Steve Durbin, Managing Director of The Information Security Forum (ISF)