Cyber security trends to keep an eye on this year

Mark Stollery
By , - Information Security

We’re barely two months into 2017, and cyber security issues continue to dominate the headlines.

Just last week, the Queen snipped the ribbon on the government’s National Cyber Security Centre and key decision makers have reiterated the importance of presenting a robust defence against all possible threats.

But what does all of this mean, in real terms, for those working at the coal face of cyber security operations?

Here are a few thoughts on the trends we’ll see developing over the course of 2017.

Defence will be the strongest form of attack

To say “no one is safe” is perhaps a little dramatic, but only a fool would claim to be invulnerable to cyber-attacks in today’s technological landscape.

Since even the smartest organisations are at risk of attack, the major differentiating factor between companies in 2017 will be how quickly they can deal with a breach.

Culpability, transparency and – ultimately – a quick, slick and effective recovery will be what wins not just sympathy but respect from stakeholders. Incompetence will be met with criticism and possibly even lawsuits.

With attacks on the rise, we’ll see this year which companies are taking the challenge seriously and mounting a coordinated approach that combines protection, detection and response.

Data protection and curation will be everyone’s responsibility…

The increasingly attack-prone environment, as well as the enforcement of the General Data Protection Regulation, will mean that investors, shareholders, customers and regulators will be keeping an even closer eye on how sensitive data is being handled.

For many organisations, specialist data loss prevention tools may seem to be the solution to this. However, whilst valuable when used properly, these tools are not enough on their own.

This year, further measures will be vital. Full risk assessments, identifying key data to protect, diligent network monitoring, updating policies and, perhaps most importantly, maintaining a healthy security culture and ensuring staff are properly trained will all be key to a strong cyber security strategy.

…which means your supply chain will need to be secure too

In a globalised world, there are few organisations whose sensitive data is contained solely within their own walls.

Much of it will be held in supply chains too – and yet there can often be a distinct difference between what is expected of suppliers and the contractual obligations imposed upon them. That is, the attention paid to data security competence in the supply chain isn’t always as rigorous as that being paid to internal regulation.

In 2017, we’re likely to see businesses mandating the highest levels of data security practice from their key professional advisers – think law firms, accountants, business consultancies.

Indeed, the biggest clients may even insist on demonstrable proof of data security competence before tendering their business to such advisers.

IT security will be a board issue – even if the C-suite isn’t interested in IT

Cyber security can no longer be something that’s left for the IT department to care about. The rising threat of cyber-attacks – and the very real business consequences they can have – means that, technophobic or otherwise, senior executives can no longer afford to be disinterested in the technology that powers their businesses. 2017 will see board members taking a deeper interest in the work being done to protect their organisation’s data and business interests.

Crucially, though, they’ll want to receive updates in language that they understand. Bridging this communications gap will arguably present the biggest challenge, but it’s one that will certainly be worth meeting.

Most breaches will still be avoidable…

Poor routine practices are often to blame when it comes to successful security breaches – it’s rare that they result from some ingenious new technique, or the sleight of hand of a disgruntled insider.

There’s a whole raft of simple, bread and butter tasks which can greatly reduce the risk of attacks doing damage, but they’re often not implemented regularly enough.

Effective vulnerability patching, appropriate threat intelligence, maintaining an up-to-date access management systems, implementation of ‘least privilege’ access or following up from penetration tests: these are all things that are fairly simply to carry out, but that many organisations fall short on.

This leads to needless vulnerability, and occasional catastrophe. We can only hope that the tide begins to turn in 2017, and these catastrophes – through appropriate action – become few and far between.

…but the Internet of Things will provide a new frontier of vulnerability

September of last year saw one of the most significant DDoS attacks to date as OVN, a French ISP, suffered an attack of over 1.5Tbps via a botnet army of more than 150,000 hijacked connected devices.

DDoS attacks, while relatively unsophisticated, are growing in power thanks to an influx into the market of connected and often insecure devices.

We also saw instances in which a manufacturer built malware into devices to covertly retrieve data from the people using them – and the scope of this kind of behaviour only increases when you consider the millions of devices receiving over-the-air updates on a daily basis.

As more of the world and the ‘things’ in it gets connected, the security threat will increase too.

Social engineering attacks will grow in frequency – if not popularity

Frustrating as it might be, any advances made in improving technical security are likely to invite the proliferation of new or different problems.

This year, it’s likely that social engineering – which in practical terms usually means criminals or shady head-hunters masquerading as colleagues over the phone or via email to extract information – will become more common.

They’re blunt, but remarkable effective techniques. The key, as with so much of the work done to ensure an organisation’s cyber security, is to keep your workforce informed.

Leave a Reply

Your email address will not be published. Required fields are marked *