The waning days of 2016 were dominated by dark news on the IT security front. Headlines about massive DDoS disruptions, state-sponsored hacking and other evolving threats are unlikely to change drastically as we enter the new year, but 2017 will have a bright spot. With cyber threats increasing and the pool of skilled security talent failing to keep pace, organizations are reaching a tipping point in what they can tolerate. In the coming months, we should see companies aggressively fight back to protect themselves and their customers.
The following are the 2017 cybersecurity trends we’ll be tracking.
1. We’ll see an increase in new vulnerabilities introduced through the Internet of Things (IoT).
The Mirai code that was released on the Internet in mid-October aided in deploying an unprecedented DDoS attack against service provider Dyn, disrupting organizations such as Twitter and Spotify. Mirai essentially takes over “smart” devices, or devices that are connected to the Internet, to launch denial-of-service (DoS) attacks. More than 4,800 smart devices connect to the Internet each minute, and malware such as Mirai, which gives attackers control of these devices, represents an enormous vulnerability. Like so many other pieces of malicious code before it, Mirai will morph and undoubtedly fall into the hands of more potential attackers as it continues to spread.
2. With more hacktivism and nation-states sponsoring cybercrime, countries will have to consider “cyber arms treaties” to reverse the trend.
Anonymous, New World, WikiLeaks and state-sponsored hackers dominated the news in 2016. From claiming responsibility for DDoS attacks and website defacements on organizations as a sign of civil disobedience to stealing highly classified data and correspondence from the securest of organizations and politicians, hacktivism in its various forms has been successful. The real concern for organizations and governments now is the growing armies of state-sponsored hackers who have essentially unlimited resources. Countries including China, Russia and the U.S. will have to get serious about an “arms treaty” or something similar to reverse this trend.
3. The mainstream move to the cloud and mobile computing will turn up the volume on demands for security that covers the expanding attack surface.
Applications and data are moving to the cloud and mobile devices to increase access and productivity, as well as to reduce infrastructure and maintenance costs for organizations. Obviously, all of these are benefits for employees, customers, organizations and society as a whole. This transition, however, will undoubtedly create new vulnerabilities. After all, the “cloud” is just someone else’s computer, and by moving and sharing information across more devices and people, the attack surface grows—and so does the opportunity for attackers.
4. Companies will struggle to understand, adapt to and adjust to updates in privacy frameworks.
The General Data Protection Regulation (GDPR) of the EU goes into effect in May 2018. For companies that control or process the personal data of Europeans—regardless of whether they’re actually based in Europe—the GDPR will impose mandatory breach reporting, the right to private-data erasure and the adoption of privacy by design (which includes data protection in the development of business processes). Failure to comply will come with steep fines (4 percent of annual global revenue or 20 million euros for violations), so businesses will spend 2017 preparing.
5. Consumers and others will lobby more aggressively for protection.
Governmental surveillance will remain under the spotlight, and human-rights organizations will push for stronger privacy legislation. This pressure for change will be felt in the private sector, as well, where customers will ask for more protections in the face of major corporations suffering data breaches without repercussion. The FTC will become increasingly active in protecting customers, and the SEC will monitor publicly traded companies more closely. President-elect Trump will have to choose an orientation with regard to cybersecurity to consolidate all these regulatory interventions.
6. The security skills shortage will continue.
Defending an organization against cyber attacks takes enormous resources in both technology and expertise. Many folks forget that the Internet wasn’t designed to be secure; it was designed to allow people and organizations to share information. Thus, adding security has been secondary. Most organizations are trying to plug holes and vulnerabilities, even as new ones are constantly surfacing. The experts who understand how to anticipate these vulnerabilities and adequately secure the organization are scarce. This is one trend that will persist for some time, as attackers need not be as smart as cybersecurity experts to be successful. And let’s face it: hackers only have to be right once. The experts have to be right every time. Attracting new talent and training them adequately will continue to be a challenge.
7. Companies will fight back.
There is no question that attackers, hacktivists, black hats and other adversaries have a leg up on the good guys. But every phenomenon has a tipping point when the pain of these attacks spurs investment and action. The coming year represents that tipping point. In 2017, companies will get serious about protecting their intellectual property, customer data and business continuity. Customers are walking away from businesses that suffer breaches, and the regulatory environment is such that businesses will need substantial protection, whether they build it into their organizations or outsource the responsibility.
In many ways, 2017 represents the continuation and evolution of cybersecurity stories that began in 2016. The plot twist we can all look for, however, will inevitably be that organizations of all shapes and sizes are realizing the stakes of this cyberwar and are taking a firm stand to protect their customers, employees, intellectual property and ability to thrive amidst constant attacks from the world’s malicious actors.
About the Author
As the SVP of marketing at Above Security, Fadi Albatal is responsible for building a marketing and product-management organization to support the company’s global operations and goals. Before joining Above Security, Fadi was the founder and CEO of Bimand, and he also served as a marketing executive at FalconStor Software and EqualLogic, where he led the company’s strategic alliance and go-to-market strategy with Microsoft. EqualLogic was acquired by Dell in 2008 for $1.4 billion.
Above Security is a Hitachi Group Company that builds and delivers custom security services for monitoring and protecting critical IT assets (MSSP).