Security was the big story of 2015. High profile hacks of major organisations have forced security to the top of the news agenda. But the reality is that it should have been there already. Yet, despite millions spent, companies still do not do cyber security properly.
In 2016, sadly, this is unlikely to change. The same old roadblocks to progress remain: boardrooms do not fully understand the nuances of cyber security, while in-house experts lack the access or the language to explain threat implications to the business.
Where is this threat going to come from?
Disruption for ransom will be ever-present. 2015 reminded us that no-one is safe – and organised criminal groups (OCGs) with sophisticated cyber-attack and money-laundering capabilities will see it as an easy way to make a lot of money.
As in previous years, another element of the threat landscape that will continue to haunt us is social engineering. It is unlikely to evolve that much in 2016, as it is already remarkably (even embarrassingly) effective for criminals.
However, the techniques used by nation states, particularly spear-phishing, may become more widely used by organised crime groups, shadier headhunters, and others.
As the workforce becomes more fluid and flexible, bonds of employee loyalty become looser and more susceptible to betraying corporate confidences in exchange for money.
Organisations should protect themselves by educating employees and designing defences accordingly. This could be by removing the technical capability for users to complete the most damaging actions, while applying ‘nudge theory’ and other psychological tools to change specific behaviours. ‘Awareness raising’ alone is not enough.
How can companies respond?
We have not seen what we would consider ‘breakthrough technologies’ in security, although many vendors will argue otherwise.
Instead, wise companies will seek to drive as much value as possible out of existing technologies, either through optimisation or through integration with systems such as SIEM (Security Information and Event Management).
There is no lack of technical solutions to cyber security problems, but we continually see a lack of appropriate skills and understanding which means that those solutions are not used as well as they could be to benefit the business. Organisations are therefore failing to address many of the challenges, and to gain the best impact from what is already in place.
Given the comprehension gap between many boardrooms and their IT departments, a prudent organisation will have a CISO or CSO who has the skills to interpret between them. If a business is to deal properly with the cyber threats of 2016, it will need to bridge the gap between, on the one hand, the board members – who are more likely to have an accountancy qualification or MBA than a technical degree – and, on the other, those who deliver the IT services which empower and protect the share price and P&L account.
Companies which are serious about cyber security are also taking a multi-faceted approach, considering elements of protection, detection, and response. Historically, budgets have been focused on protection. At Fujitsu we believe greater focus has to be given to detection and response in the future. And it is not just about buying more kit – even the best IT system is a waste of money if it is not used wisely and effectively.
To this end, in 2016 we expect to see a greater focus on security operations integrating with the wider business in order to better deal with breaches. We could also start to see better business governance, which is currently lacking in many sectors.
Could biometrics provide one of the answers?
We are expecting the use of biometrics to rise in the coming years, and many people already assert that “the password is dead”.
Some sectors are already moving to ‘contactless’ environments or are reducing the reliance upon password authentication, so the days of the password are indeed numbered in some areas of activity. Moreover, access management technology is increasingly reliable, effective and financially viable.
Cultural challenges will have to be overcome if the reduction of passwords is to be realised. Many people feel comfortable with the concept of passwords as a security measure, and may need persuading as to the benefits of shifting to biometric access controls. But there is definitely a shift to biometric measures, and the introduction of mass-market measures such as fingerprint authentication for smartphones helps to shift public perception in this area.
Whichever way you look at it, cyber security certainly is not going away – everyone is vulnerable, but some organisations fail to realise or acknowledge it. They need to sharpen up their game in 2016 if they are not to suffer commercially.
Image credit: r2hox
Latest posts by Mark Stollery
- Cyber security trends to keep an eye on this year - February 21, 2017
- Cyber security headache will continue to hurt in 2016 - January 4, 2016