The cyber threat landscape of just 10 years ago is almost unrecognisable today.
Back then most IT security threats were unsophisticated malware programs (mostly viruses, worms or trojans) written by people whose main aim was simply to cause trouble. Though some of these programs did real harm, including erasing data files or formatting disks, most were simply an annoyance. The threats we face today are far more dangerous, better planned and more sophisticated. Attackers now know the real monetary value of personal data, which seems to rise every year, and how to get access to it.
Attackers' perception of the true value of data has changed, and organisations simply haven't kept up. A determined attacker knows the potential payday from breaking into the protected health information held by a hospital, for example, yet the budgets allocated to protecting that data are rarely big enough to counter the threat.
Budget planning needs to be in line with the potential damage from a breach: the average cost of a data breach is forecast to exceed $150 million by 2020. Furthermore, attackers will have more opportunity than ever, with the human attack surface predicted to reach 6 billion people by 2022.
GDPR – A ray of light
New cyber security challenges arise every year. New strains of ransomware and simple but effective phishing scams remain favourites for many attackers. More Apple and Android vulnerabilities are likely to be discovered and exploited with each new release. Even compromised smart home devices will play a growing role in distributed denial of service attacks.
Taking effect on 25 May 2018, the GDPR represents the most significant change in global privacy law in the last two decades. It is actually a good thing. It will undoubtedly help organisations counter modern cyber threats by requiring IT managers and CIOs to strengthen their cybersecurity processes and systems; otherwise they face significant financial penalties, up to €20 million or 4% of worldwide annual turnover, whichever is higher.
How will cyber security risks evolve over the next 5 years?
1. Adoption of the GDPR
Within five years the GDPR will be in full effect, and organisations will (for the most part) have aligned their security strategies with it. European organisations, and those doing business with them, will know what their most sensitive data is and how to secure it. In the short term, however, we expect adoption to be slow, and we may well see hefty fines imposed before organisations start to take it seriously. But by 2022 we would hope that the number of data breaches involving EU data will have decreased drastically.
Most organisations will by then have implemented auditing and monitoring solutions to strengthen data protection. It will be the norm to record who accessed which data, to track changes to user permissions, to log objects being modified (including copied, removed or renamed), and to compare the current state of sensitive data against a known-good baseline. Detecting unauthorised changes quickly is what turns an audit trail into real protection of personal information.
2. Cloud security becomes the top priority
As cloud services are more widely adopted, they become a more attractive target. It is inevitable that we will see numerous security problems emerge in the cloud, if only because a shared, multi-tenant service concentrates many organisations' data behind a single control plane, so one misconfiguration or one stolen credential can expose far more than it would on premises. Under the shared responsibility model the provider secures the underlying infrastructure, but identities, access controls and the configuration of the data itself remain the customer's job. Organisations will need to develop security policies and guidelines for both public and private cloud use to mitigate these risks.
3. Shifting focus from prevention to protection
With endpoint security breaches so prevalent across the world, many organisations are likely to move away from purely preventive models (no preventive control stops every attack) towards protection models that assume some compromise will happen and concentrate on detecting and containing it quickly. In many organisations we expect this to take the form of more regular and proactive auditing and monitoring of access to critical systems and data.
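As an added example of the baseline-and-compare auditing described in items 1 and 3 (this is not code from the original article or from any vendor product), the following Python script snapshots a directory tree, records each file's SHA-256 hash and permission bits, and classifies later changes as added, removed, modified, renamed or permission-changed. The directory layout, record contents and the "tampering" applied in demo() are constructed for the example; the permission check assumes a POSIX file system.

```python
"""Baseline-and-compare file audit: detect added, removed, modified, renamed
and permission-changed files under a directory tree.

Added example; not from the original article or any vendor product.
Everything written by demo() is constructed sample data."""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file (path relative to root) to (sha256, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.stat(full).st_mode)  # POSIX permission bits only
            snap[rel] = (_sha256(full), mode)
    return snap


def diff_snapshots(before, after):
    """Classify every difference between a baseline and a later snapshot."""
    result = {"added": [], "removed": [], "modified": [], "renamed": [], "permission_changed": []}
    # Paths present in both: content change beats permission change.
    for path in sorted(set(before) & set(after)):
        h0, m0 = before[path]
        h1, m1 = after[path]
        if h0 != h1:
            result["modified"].append(path)
        elif m0 != m1:
            result["permission_changed"].append((path, oct(m0), oct(m1)))
    # A removed path whose exact content reappears under a new path is a rename/move.
    removed_by_hash = {}
    for path in sorted(set(before) - set(after)):
        removed_by_hash.setdefault(before[path][0], []).append(path)
    for path in sorted(set(after) - set(before)):
        candidates = removed_by_hash.get(after[path][0])
        if candidates:
            result["renamed"].append((candidates.pop(0), path))
        else:
            result["added"].append(path)
    for paths in removed_by_hash.values():  # whatever was not matched is a true removal
        result["removed"].extend(paths)
    result["removed"].sort()
    return result


def demo():
    """Build a small constructed data store, take a baseline, apply changes, diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o600):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)
            os.chmod(full, mode)

        write("patients/alice.json", '{"name": "Alice", "mrn": "123"}')
        write("patients/bob.json", '{"name": "Bob", "mrn": "456"}')
        write("policies/retention.txt", "Keep records for 8 years.")
        write("notes.txt", "scratch")
        before = snapshot(root)

        # Constructed changes, some of which an auditor would want to see flagged.
        write("patients/alice.json", '{"name": "Alice", "mrn": "999"}')  # record tampered
        os.makedirs(os.path.join(root, "export"))
        os.rename(os.path.join(root, "patients", "bob.json"),
                  os.path.join(root, "export", "bob.json"))               # record moved out of its folder
        os.chmod(os.path.join(root, "policies", "retention.txt"), 0o644)  # made world-readable
        write("patients/carol.json", '{"name": "Carol", "mrn": "789"}')  # new record
        os.remove(os.path.join(root, "notes.txt"))                         # file deleted
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

In production the baseline would be stored outside the monitored tree (ideally signed), the comparison scheduled or driven by file-system events, and each finding correlated with the access log to answer "who made this change, and were they allowed to?".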
4. Education will be key
Expect to see attitudes towards data security shift internally through staff training and education. Once all levels of an organisation, from third-party contractors to senior management and junior staff, take data security seriously and understand the risks of poor data handling, insider threats will begin to decrease. Data needs to be treated like cash: you wouldn't give everyone in your organisation the keys to the safe, would you?
5. Implementing a good risk management strategy
Companies will need to adopt a risk-based approach to security to align with the GDPR, which requires security measures "appropriate to the risk" rather than a fixed checklist. Risk-based strategies set priorities and drive security decisions through a process of evaluating data sensitivity, system vulnerability and the likelihood of threats.
6. Get familiar with Privacy by Design
The GDPR (Article 25, "data protection by design and by default") requires data controllers to follow the Privacy by Design methodology, putting data protection at the forefront of employees' minds at each stage of a project. Organisations will need to implement appropriate technical and organisational measures both when the means of processing are decided, at the start of a project, and at the time of the processing itself.
7. More intelligent response to ransomware
Ransomware is always going to exist; however, in the coming years people will become more security savvy. They will know not to pay the ransom, to keep regular backups that are tested and held offline where the malware cannot reach them, and to have software in place that detects and blocks the spread in real time.
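As an added example of the real-time detection mentioned above (not code from the original article or from any product), the following Python detector replays constructed file-audit events and raises an alert when one account renames or overwrites many files in a short window, most of them to a single new extension, which is the signature of an encryption run. The log format, account names and thresholds are assumptions for the example; a legitimate bulk edit of mixed file types by another user is included to show why the dominant-extension check matters.

```python
"""Ransomware-style mass-modification detector over file audit events.

Added example; not from the original article or any product. The log
format (timestamp user ACTION path [newpath]) and every line in
constructed_log() are made up for this example."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone
import os


def parse_event(line):
    """Parse 'ISO-time user ACTION src [dst]' into a tuple."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    user, action, src = parts[1], parts[2], parts[3]
    dst = parts[4] if len(parts) > 4 else None
    return ts, user, action, src, dst


def detect_mass_encryption(lines, window_seconds=60, min_events=20, min_ext_fraction=0.8):
    """Alert once per user when, within window_seconds, they modify or rename at
    least min_events files and a single extension accounts for most of them."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, extension)
    alerted = set()
    alerts = []
    for line in lines:  # assumes events arrive in time order, as a tail of the log would
        ts, user, action, src, dst = parse_event(line)
        if action not in ("MODIFY", "RENAME"):
            continue
        ext = os.path.splitext(dst or src)[1].lower()
        q = recent[user]
        q.append((ts, ext))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= min_events and user not in alerted:
            top_ext, top_count = Counter(e for _, e in q).most_common(1)[0]
            if top_count / len(q) >= min_ext_fraction:
                alerts.append({
                    "user": user,
                    "time": ts.isoformat(),
                    "events": len(q),
                    "dominant_extension": top_ext,
                })
                alerted.add(user)  # here a real deployment would also revoke the session or share
    return alerts


def constructed_log():
    """Constructed sample events: normal activity, a benign bulk edit, then an encryption run."""
    lines = [
        "2018-05-25T09:00:01Z bob MODIFY /share/finance/q1.xlsx",
        "2018-05-25T09:02:10Z bob RENAME /share/finance/q1.xlsx /share/finance/q1-final.xlsx",
    ]
    exts = [".docx", ".xlsx", ".pdf", ".csv", ".txt"]
    for i in range(25):  # alice: legitimate bulk edit of many different file types
        lines.append(f"2018-05-25T09:10:{i:02d}Z alice MODIFY /share/hr/doc{i}{exts[i % 5]}")
    folders = ["hr", "finance", "legal"]
    for i in range(30):  # svc-backup (a compromised service account): rapid renames to one new extension
        f = folders[i % 3]
        lines.append(f"2018-05-25T09:30:{i:02d}Z svc-backup RENAME "
                     f"/share/{f}/file{i}.docx /share/{f}/file{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_encryption(constructed_log()):
        print(alert)
```

Alice's 25 edits in 25 seconds cross the event threshold but no extension dominates, so she is not flagged; svc-backup is flagged on its twentieth rename, ten seconds before the run finishes. Tune the window and thresholds against your own file servers' normal burst rates before wiring the alert to an automatic share lock-out.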
8. Data governance and accountability will be more important
The GDPR places heavy accountability obligations on controllers and processors. Some of these obligations are explicit, such as keeping records of processing activities and notifying the supervisory authority of a personal data breach within 72 hours; others remain implied, such as putting in place a suitable governance model so that data protection receives a proper level of attention.
9. Incident Response
The arrival of big data platforms and enterprise-wide, cloud-based file sharing services means organisations must review their strategy for data security. They need to protect everything from personal information that can identify a customer to sensitive intellectual property and proprietary information. Even the best preventive controls will not stop all incidents from occurring, so a rehearsed incident response plan covering detection, containment, recovery and, where personal data is involved, the GDPR's 72-hour breach notification, is essential.
10. Better Security Communication
Boards are understandably taking a greater interest in security and risk processes. That places a greater responsibility on the security function to translate the work it is doing into a business context and to align security with what is going on in the rest of the organisation.
By Phil Robinson, Head of Marketing, Lepi