You’ll see and read plenty of 2016 year-end recaps and 2017 predictions articles. However, this list of cyber security trends for 2017 comes from the unique Delta Risk perspective, based on discussions with our clients, customers, experiences in the field, and what we’ve learned this past year.
Ryan Clancy, Senior Associate at Delta Risk, presents his 17 top trends for 2017.
Cyber Insurance Loopholes Get Trickier
The goal of cyber insurance is to offset the risk of a malicious cyber incident such as a data breach or loss of revenue due to down operations. Want to know something more disappointing than a visit to Colonial Williamsburg? Your cyber insurance may not cover all catastrophes. Insurance underwriters have used discretion to hand out claims money, and there is an assortment of loopholes in most policies.
Cyber insurance suffers from the same information problems as all types of insurance: asymmetry. You know more about your network, cyber hygiene, and response posturing than the insurer does. Underwriters have crafted language to ensure that if you are negligent whatsoever, your policy becomes invalid.
In 2017, we not only foresee cyber insurance guidelines becoming more mature, we’ll also see insurance underwriters attach clauses for standards in incident response, data management, and inspection requirements.
Internet of Horrifying Things
On trend for 2017 is continued research and identification of Internet of Things (IoT) vulnerabilities. Many IoT devices are manufactured cheaply, ship with unalterable default credentials, and have listening ports that can’t be disabled. Toss in a vulnerability or two, add a dash of exploitation, and this is a recipe for disaster worse than when your mom tried to give you a home perm.
The problem is, most IoT devices are fully functioning computers, yet they aren’t treated as such by developers and users. While IoT vulnerabilities might not be an issue for your Internet-connected cat box cleaner or your ice maker’s Twitter account, imagine the implications for medical devices or your door locks.
A Shift to People as a Key Security Input
For the past decade, companies of all sizes have focused on technology as the cornerstone of their security apparatus. The result has been that there is enough equipment at the network perimeter to sink a cruise ship. Don’t get us wrong: technology is critical to a solid security posture, but without people to configure, manage, leverage, and respond to the chorus of security devices, we have the proverbial “lights are on, but no one’s home” problem. In 2017, the focus will continue to shift away from technology being the primary security input, to people.
Widening of the Skills Gap
If you’re like most companies, you’re digging through a minuscule number of candidates hoping to find the cyber equivalent of Katniss Everdeen. Why don’t we have a quarter-quell of qualified contenders? We are in the midst of a cyber skills gap, and data tells us the gap isn’t closing — it’s just getting bigger. And according to data from graduating college seniors, millennials aren’t the answer, as they are still not flocking to technical degrees or pursuing computer careers despite the high salaries, engaging work opportunities, and attractive amenities.
Would you like it in a train? Would you like it in the rain? No, I’m not talking about the Dr. Seuss classic Green Eggs and Ham, I’m talking about ransomware. The pervasiveness of ransomware will continue for 2017, and could increase as the cost of delivery remains low and the rewards from success remain high.
A possibility for 2017 is that we might see the first large scale, high-dollar object held for ransom (think a car, MRI machine, or aircraft). The San Francisco Muni ransomware, though it didn’t affect the trains themselves, merely the ticketing system, could be a foretaste of things to come, and it doesn’t taste good.
Passwords Aren’t Going Anywhere
Just like that fruitcake that Aunt Donna gave you for the holidays, passwords are going to be around for a while. For now, they are simply the most cost-effective way to achieve a reasonable level of security. Password managers like 1Password, LastPass, and Dashlane are all the rage, and rightfully so. A password manager will allow you to create a complex password for each website you visit and will even do you a solid and remember the password for you.
Want to get the most protection out of your password? Transition to a lengthy but simple passphrase. For example, rather than picking something like “Ih8UAD0nna”, go for something like “IreallyhateFRUITcake#435.” Picking this password apart we can clearly see the phrase “I really hate fruit cake” and #435 was the number of times I dropped the fruitcake from my roof before the cement cracked. See? Memorable, easy, and effective. How effective you ask? It would take a computer one octillion years, or a 1 followed by 27 zeros to crack this password.
Investment in Incident Response
Earlier, we covered a shift in investment from technology to people. Companies in every sector are finding that people-focused investments are going the farthest by building up their incident response capability. Incident response and management is the practice of identifying malicious network events, and then remediating those events utilizing a combination of processes, technology, and people. Sounds like something you can’t do at your company? Don’t be so sure!
Incident response efforts can scale to companies of most sizes and unless you’re luckier than a leprechaun on his birthday, you’ll need your incident response team at some point. Rather not handle the detection and response process yourself? Consider hiring a managed security service provider to do the heavy lifting for you.
Your CISO Will Matter More Than Ever
In recent years, the Chief Information Security Officer (CISO) has moved from the technical to the mahogany C-Suite table. While CISO salaries still lag behind their other C-Suite brethren and sisteren, 2017 will be a year where having a capable, well-compensated CISO in your organization will pay off in droves. The spotlight is on CISOs like never before, as their responsibilities are increasingly broad in scope. They have to tackle everything from network management, IT frameworks, intelligence, compliance, risk management, security operations, and most importantly, explaining to employees for the millionth time why using USB drives is a poor practice.
Privacy Wars Escalation
As governments increase their surveillance apparatus, the ongoing debate concerning data, personal privacy, and security has heated up like a fist fight at a water park. The past few years have seen some pivotal privacy moments, including Apple vs. the FBI, EU safe harbor rulings, UK legislative changes, and challenges to law enforcement surveillance. With ongoing shifts in regulations, and a new administration in the United States, there will be more tension than a porcupine in a balloon factory.
A Renewed Love Affair with Your Backups
Given the projections for ransomware, DDoS’s, and cybercrime to increase in the next year, you might come to regard your server and workstation backups with more affection. “I wake up every day and kiss my backup server”, said Alvin Montana from CyberSquare Inc. By the way, I actually made up that person, company, and quote, but you get what I mean.
EMR CPR Comes to Life
The Affordable Care Act (ACA) offers a considerable number of requirements for medical practices. One of those requirements is the mandated migration to electronic medical records (EMR). Like most government programs, there are penalties attached to failing to comply, and in 2016, providers saw the first of an increasing wave of punitive measures for those who failed to adopt EMR standards. Given that medical record systems are still immature, and in many cases rushed to market to meet the ACA deadline, vulnerabilities spring up that are the cyber equivalent of H1N1 lurking beneath the shiny electronic surface.
Making Cyber Great Again
President-elect Donald Trump has tossed his hat into the cyber ring by providing his vision for cyber security. On his website, he lays out his concept for the future of cyber security, including a review of critical infrastructure vulnerabilities, creating a joint task force, and development of an offensive capability in an effort to deter attacks.
The President-elect hasn’t said when he’d like to make this wish list happen. With his first 100 days filling up quickly, and cyber resources already strained, this might be a trend that gets kicked to 2018.
DDoS of Death
2016 saw some heinous DDoS attacks. In a botnet arms race fueled by the absence of IoT security, DDoS has become a lethal weapon. Feel like you’re missing out on the action? You can purchase a hefty dose of DDoSing firepower for roughly the price of a tank of gas or two tickets to the movies.
Like all low-risk, high-reward activities, we prognosticate DDoS attacks to continue until the compensation/cost dynamics change. According to a study by Arbor Networks, the average DDoS attack is projected to be 1.15 Gbps by the end of 2016 (which is next week!).
It’s All About the Endpoints
If your company is like many, you can’t swing a bag of wet donuts without hitting some sort of perimeter defense equipment. Firewalls, SIEMs, IDS’s, IPS’s, mail gateways, proxies – can we put another device at the outer boundary? Conversely, endpoint devices are at the mercy of their human operator and thanks to phishing emails, USB usage, and web exploits, endpoint protection software (if it’s installed) has a lot to handle. For this upcoming year, companies will shift their focus to locking down their endpoints. You could say that endpoints are the new perimeter.
Third-Party Service Provider Scrutiny Ramps Up
There are many financial and operational reasons to use a third-party service provider. Some providers monitor HVAC and industrial equipment, some process payments, some remotely monitor logistics, and some don’t protect the credentials you give them, creating a gaping security hole in your network where malicious actors can snatch up your precious data like a contestant grabbing turkeys on the TV gameshow Supermarket Sweep.
Auditors and risk managers are becoming wise to this phenomenon and are starting to build third-party connection risk exposure into their frameworks. Legislators are even diving in on the action. Pending regulation proposed in New York State will change the policies and practices of assessing third-party risk for banks statewide.
Phishing’s Phinale? Phat Chance!
Know what the number one attack vector was for 2016? Phishing. Despite companies putting on multiple anti-phishing awareness trainings, installing email screening modules on their mail servers, and businesses emerging to provide phishing simulations and metrics (PhishMe), adversaries are still gaining access to internal networks with just the click of a mouse through phishing.
It’s not looking like 2017 will be the year phishing is dethroned. The problem is that phishing is cheap to implement, the rewards from success are high, and most importantly – it works.
Global Banking Paradigm Shift
While we’re busy making New Year’s resolutions like “Get to the gym more,” “Get a back tattoo,” and “Stop watching the movie Elysium,” New York bankers will prepare for a hearty dose of security regulations. New legislation on the horizon will change the governance frameworks for cyber security for all banks in the state of New York. Due to the size and number of the banks that call New York home, we feel these regulations will have wide sweeping effects on banking everywhere.
Here is a deeper look at the ramifications of the NY cyber regulations for law firms.
As you prepare to take a break from the 2016 madness during the holidays, please keep this tip sheet handy. 2017 is practically here, and if 2016 is any indication, it’s only going to become tougher to navigate the cyber security waters. Learn how we can help your business stay on top of the trends and stay out of the news.