The cybersecurity space in 2015 was eventful, to say the least. Between major, catastrophic breaches like that of the Office of Personnel Management, new legislation targeted at the industry and record-breaking venture capital backed funding of cybersecurity companies, there was plenty for security beat journalists to write about.
Considering the events of the past year, here’s my take on trends and predictions for 2016.
Consolidation of IT Security
Michael Dell, CEO of Dell, said in reference to the acquisition of EMC, "The IT marketplace wants fewer vendors, not more,” and it seems like the industry is taking note. In 2015 alone, networking giant Cisco acquired network security company Lancope for $452.5 million, security analytics provider Rapid7 snatched up Logentries for $68 million and Microsoft bought a trio of Israeli security companies in Adallom, Aorato and Secure Islands. That barely scratches the surface, and there is likely to be a lot more consolidation in 2016.
It’s worth noting that offering up a “one stop shop” experience is completely different than being able to integrate technologies together to offer a seamless user experience.
The Internet of Things to Run Rampant
Gartner is predicting that 6.4 billion connected “things" will be in use globally by the end of 2016 - up 30 percent from 2015 - and that number is expected to reach 20.8 billion by the year 2020. As more Internet connected devices hit the market, so too do the vulnerabilities that come with them, as evidenced by highly-publicized incidents of 2015 where researchers exploited vulnerabilities in planes, guns, medical devices and automobiles.
As the Internet of Things market expands and innovates, researchers will continue to find and uncover exploitable vulnerabilities in these newly connected “things,” which will in turn continue to fan the flames of responsible disclosure.
The upcoming year could bring about fundamental changes in how security researchers discover, prove, report and address vulnerabilities. “White hat” hackers, hired to scope out flaws in systems, are already facilitating company / researcher relationships within the technology industry via bug bounty programs. However, it seems that many segments of the manufacturing industry would rather utilize lawyers to block research altogether than address the vulnerabilities that are uncovered. Another option for security researchers to consider is self-regulation, where they accept the risks and responsibilities associated with their findings.
The debate around responsible disclosure will continue well into 2016, and we’ll likely see some moves being made.
Security Awareness to Expand to Consumers
In order to combat internal breaches, we have see a trend towards companies providing their employees with cyber security awareness training. In light of the multitude of recent data breaches affecting consumers, this security awareness training has begun to expand into the consumer world. In fact, government plans and initiatives meant to educate the masses on best practices for protecting themselves online have already launched, and this trend will likely continue and become more uniform in its approach.
Data Breaches to Cause Extensive Implications
In the past, there have been significant delays in victims noticing the effects of a data breach – if at all. Cybercriminals use stolen data to take over identities and bank accounts, but generally, the aftereffects of a data breach haven’t ominously impacted a group of individuals in one go. That is, until the hack of Ashley Madison, which highlighted the extent to which the personal and professional lives of a large group of people could be negatively impacted by a data breach.
We’re sure to see major data breaches well into 2016, and the collective impact of data correlated from multiple breaches may be substantial.
Oftentimes, privacy and security go hand in hand – and with the ongoing debates around privacy regulation in Europe, security will undoubtedly be included in the conversation. Of particular note will be discussions around the case of Safe Harbor and how such European rulings will affect the global transfer and storage of personal data.
As these debates continue, the role and skills required of security professionals within organizations that transfer personal data overseas will be impacted.
SMBs to Invest More in Security
2015 was an unfortunate year for the many companies that were hacked, including LastPass, Securus Technologies, VTech and TalkTalk. As these types of stories are publicized, SMBs are becoming increasingly aware of the implications of such breaches. Additionally, cybercriminals are increasingly targeting SMBs because they’re seen as less secure, while oftentimes owning valuable customer data.
‘Randomware’ tops the list of company concerns for SMBs, and instances of cyber attacks targeting SMBs will continue to grow.
Cloud Security to See Increased Shared Responsibility
Deploying a cloud-based IaaS, PaaS or SaaS provider can be a good business and security investment for companies with limited IT resources. However, companies must also understand that simply hosting in the cloud does not absolve them of security responsibilities. Amazon’s shared responsibility model outlines the security measures that companies can and should take when adopting cloud computing.
Incident Response to See Improvements
The onslaught of high-profile breaches has created a greater need for companies to respond to breaches in a timely manner. This includes responses related to technology – i.e. what needs to be done to get systems up and running – as well as from a communications perspective to reassure stakeholders and customers. Moving forward, we expect companies to focus on improving all aspects of incident response, including developing and acquiring the skills needed to do so effectively.
Collaboration Amongst Community to Increase
More than ever, security professionals are utilizing tools and platforms in order to better share and collaborate on security research and uncovering and responding to threats. We expect this to increase and become more formalized amongst organizations, industry verticals and individual practitioners over the next year. As more organizations share threat data and best practices, they will be better equipped to protect themselves against emerging threats.
(About the author: Javvad Malik is security advocate at AlienVault)