Predicting Cybersecurity Trends in 2016
This has been a busy year for cybercriminals: There were more than 600 breaches in 2015 that involved identity and data theft. Our customers, colleagues and fellow security professionals have asked us what we think 2016 will look like, so here are our cybersecurity predictions for this year.
These are insights and extrapolations for the serious practitioner who makes his or her living from keeping other folks safe online. Staying true to our brand of providing the highest-accuracy findings, we’re focusing on making accurate rather than sensationalist predictions.
The predictions are organized as a timeline to describe how trends in information security may evolve in 2016.
Breaches will continue to proliferate in severity and frequency
Cybersecurity for “Main Street” America will continue to be more of a privacy issue than a security issue, because for most people, the damage has not yet hit home. Like disasters and accidents, data breaches—in the majority of cases—are still happening to someone else. Although most incidents still occur in the U.S., breaches are becoming a global pandemic. Worldwide, 888 data breaches and 246 million records were compromised in the first half of 2015. Although the U.S. has the highest number of data breaches, incidents are increasing in Turkey, Japan, Russia, and the UK. Turkey accounted for 26% of compromised records, including its massive GDPCA breach, which involved 50 million records. The largest breach was that of Anthem Inc., a health insurance company, which exposed 78.8 million records, scored a 10 (highest) in terms of severity on the Breach Level Index, and represented almost a third (32%) of the total data records stolen worldwide in the time frame.
Widespread unawareness of the risks associated with weak cybersecurity will continue to result in exploitable apathy on the part of users and organizations. On the Electronic Privacy Information Center website, for example, the majority of the privacy-related content is more than five years old. As we look at the tools that enable our users and organizations, we need up-to-date information that allows for a higher level of professional growth. We must actively combat cybercriminals, not just maintain the status quo.
Regulatory oversight will continue to grow
As regulatory oversight grows, it will ensure that lack of awareness does not leave individuals and organizations exposed.
Witness the recent court rulings and regulations producing increased scrutiny, such as the Federal Trade Commission’s (FTC) actions aimed at enforcing tighter cyber security standards. For example, in 2013 Neiman Marcus faced a data breach that resulted in 350,000 customers’ credit card information being stolen by cybercriminals. In 2015, the U.S. Court of Appeals for the Seventh Circuit reinstated a lawsuit against Neiman Marcus, stating that the plaintiffs had proven concrete injury to themselves. This opened the door to other class action lawsuits that companies like Target and SONY were facing, holding those companies more accountable than ever before for customer information.
In the same year, the U.S. Court of Appeals for the Third Circuit upheld the FTC’s 2012 lawsuit against Wyndham Worldwide. The original lawsuit against Wyndham was for three data breaches in 2008 and 2009, where the fraudulent charges reached $10.6 million.
Witness also the death and rebirth of the EU’s Safe Harbor regulation. In the 1990s, the world saw the Internet experience massive growth from a small research- and defense-oriented communication tool into a booming new world of online commerce. With the new stream of commerce came massive sharing of information across international borders at the speed of light.
Countries in the EU independently developed privacy laws and the U.S. followed suit with a patchwork of laws and regulations from a number of government agencies. To further complicate the matter, the U.S. has a sector-based approach while the EU has data protection agencies whose sole purpose is to protect the privacy of individuals. How could differing international privacy standards be honored without bringing trade to a halt?
The introduction of the Safe Harbor Agreement in 1998 provided the EU and U.S. a clear set of standards to follow when sharing private information. For years, U.S. companies self-certified that they complied with Safe Harbor and therefore with the generally stricter EU standards. Under Safe Harbor, private information could now be shared with international companies who provided an “adequate level of protection.”
Safe Harbor as we knew it now no longer exists. However, the mutual interest for the EU and U.S. to encourage commerce remains strong. In light of recent terrorist attacks in Paris and with the soon-to-be-implemented Computer Information Sharing Act, we should not expect the NSA to lighten surveillance. From an EU perspective, the Paris attacks carried out by ISIS may in fact move the EU towards a surveillance-accepting environment.
While we do not know precisely what Safe Harbor 2.0 will look like in 2016, we do know that privacy is a fundamental right in the EU and compliance standards will only increase. It will be more imperative than ever for companies to know where their sensitive data is and whether it is being shared. Companies that equip themselves with information governance tools and programs will be in the best position to remain compliant.
More-robust regulatory oversight will increasingly expose a double standard
Will the FTC exercise the same oversight over other government agencies as it does over the private sector? As we saw in 2015, the FTC will continue to pursue litigation against companies that do not properly protect their sensitive data.
Politicians will continue to stand on their soap boxes and pretend to understand data security, but will ultimately continue to leak sensitive data. For example, while trying to be transparent and share personal sent and received emails during his time in office as the Florida Governor, the now Republican Presidential Candidate, Jeb Bush, leaked personally identifiable information including social security numbers, names, and dates of birth. This exposed more than 12,000 social security numbers. Hillary Clinton used a private (hackable) email server, raising such questions as who owns the content of her emails, since after 12 or 24 months, ownership of inactive emails typically reverts to the email service provider. And CIA Director John Brennan had his personal AOL email account hacked, even as he announced a new cybersecurity policy for the CIA.
In 2016, the FTC will hold both the private sector and government agencies more accountable for their actions, creating an environment of more educated individuals because they will be aware of the repercussions.
As fines and penalties continue to grow, information security will come under greater business scrutiny
As the fines and penalties increase, interaction between businesses and security stakeholders will force both business leaders and security professionals to become more literate in each other’s language. For example:
- Very few organizations know how to financially quantify the cyber risk they are facing. They will need to make more-accurate predictions in order to justify increasing security investments.
- And few know how to analyze investments in cybersecurity compared with competing technology investment alternatives.
- In a recent SANS Research Report, our research into the correlation between types of post-breach damages and types of sensitive data breached will prompt requests for security teams to understand their own organizations’ correlations.
If a CISO can’t measure risk and cost, and fails to introduce data security technologies, 2016 will be the year these business imperatives are driven from the boardroom, with discussions focusing on these five questions:
- Were there any security incidents or damaging breaches that were unforeseen?
- Was the risk of a future breach of sensitive data reduced?
- Were the needed security investments made and security measures made more efficient?
- Are we able to quantify cyber risk and costs in financial terms?
- Can we insure ourselves against any residual risk we can’t manage or cover ourselves?
We also predict that businesses will continue to look for a quick fix to plug a hole they already have, and will leverage existing insurance or try to purchase more.
- Insurance companies will wind up having more cybersecurity policies and claims.
- The security industry will continue to adjust and reform as we see more policies with limits and extremely high deductibles.
- The current trend wherein approximately two-thirds of companies fail to qualify for cyber insurance will likely continue until more organizations can demonstrate stronger compliance and apply accurate sensitive data management techniques.
A greater degree of vendor experimentation and willingness to try innovative, new approaches
In the search for more-effective security solutions, enterprise security buying will shift from suite to best-of-breed purchasing, with a greater degree of vendor experimentation and willingness to try innovative, new approaches to information security. CISOs able to answer the above five questions from their boards will be able to clearly articulate the risks and costs associated with cybersecurity, and will have confidence that the latest techniques and technologies are being used to manage them.
A new fundamental for 2016 will be the creation of mature policies to manage sensitive data. This will become a requirement because of the high correlation between the amount of sensitive data lost in known breaches and the resulting post-breach financial damages.
The who, what, where, when, and how of sensitive data for CISOs
To safeguard an organization’s sensitive data, successful CISOs will need to understand the who, what, where, when, and how of sensitive data.
Where is all our sensitive data located?
In 2015, many organizations could not answer this question, and that led to misappropriation of resources in the form of security controls being used broadly across the entire organization, resulting in increased cost to acquire and utilize technology.
Risk and cost reduction requires knowing where sensitive data resides and strategically applying the appropriate controls.
Who among our employees, contractors, and business partners has access to our sensitive data?
Simply knowing who has access to a document or file server stops short of understanding what they have access to. Without properly classifying those documents, an organization cannot know what sensitive data each person has access to, and then further set permissions to better protect their sensitive data.
What is the nature of the information that makes company data sensitive?
Are we protecting the information that is of most value to us, or are we only protecting the basics of PII, PCI, EU and other data types covered by regulations?
Successful CISOs will include company confidential data, proprietary trade secrets and intellectual property as part of their information security strategy.
When has the sensitive data most recently been audited for obsolescence, necessity, access control, and governance (ownership)?
Not all information needs to be kept indefinitely, and for information that does, are we auditing its use and access? Cost can be reduced by shrinking the sensitive data footprint of an organization.
How likely is sensitive data to be leaked, if we are hacked?
Measuring the risk associated with keeping sensitive data will allow CISOs to implement technologies and processes that will reduce both the risk and cost associated with protecting sensitive data.
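The where, who and what questions above reduce to two joinable facts per file: what classes of sensitive data it contains, and which principals can read it. Knowing the second without the first is exactly the gap described under "who has access". The following Python script is an added example, not code from the original post or its authors; it runs over constructed sample file contents and a constructed access-control map (both labelled in the code, none of it real data), classifies each file by content (SSN pattern, Luhn-validated card numbers, confidentiality markers, all assumed rules), joins the result with the ACLs to report per-principal exposure, and counts the sensitive-data footprint that the "when" question asks to shrink.

```python
"""Sensitive-data inventory: classify files by content, then join with ACLs.

Added example. The documents, ACLs and detection rules below are constructed
assumptions for illustration, not a product's scanner or real data.
"""
import re
from collections import defaultdict

# Constructed sample file contents standing in for a file share (not real data).
DOCUMENTS = {
    "/shares/hr/payroll_2015.txt": "Employee 1042 Jane Doe, SSN 123-45-6789, hired 2014-03-01",
    "/shares/finance/refunds.csv": "2015-11-02,refund,4111111111111111,42.00",
    "/shares/eng/roadmap.txt": "CONFIDENTIAL - Project Falcon ships Q3 2016",
    "/shares/public/lunch_menu.txt": "Tuesday: tacos. Wednesday: soup.",
}

# Constructed access-control lists: principals that can read each path.
ACLS = {
    "/shares/hr/payroll_2015.txt": {"hr-team", "alice"},
    "/shares/finance/refunds.csv": {"finance-team", "alice", "bob"},
    "/shares/eng/roadmap.txt": {"eng-team", "bob"},
    "/shares/public/lunch_menu.txt": {"everyone"},
}

# Assumed detection rules. SSN: AAA-GG-SSSS with the never-issued ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-16 contiguous digits, confirmed below with Luhn.
CARD_RE = re.compile(r"\b\d{13,16}\b")
# Company-confidential markers (the "what" beyond regulated PII/PCI data).
CONFIDENTIAL_RE = re.compile(r"\b(CONFIDENTIAL|TRADE SECRET|PROPRIETARY)\b", re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in one file's contents."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("SSN")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("PAN")
    if CONFIDENTIAL_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


def inventory(docs: dict) -> dict:
    """Map each path to its labels: answers 'where is our sensitive data'."""
    return {path: classify(text) for path, text in docs.items()}


def exposure(inv: dict, acls: dict) -> dict:
    """Join inventory with ACLs: which labels each principal can actually read."""
    by_principal = defaultdict(set)
    for path, labels in inv.items():
        if not labels:
            continue  # files with no sensitive content do not count as exposure
        for principal in acls.get(path, ()):
            by_principal[principal].update(labels)
    return dict(by_principal)


def footprint(inv: dict) -> int:
    """Number of files holding any sensitive data: the footprint to shrink."""
    return sum(1 for labels in inv.values() if labels)


if __name__ == "__main__":
    inv = inventory(DOCUMENTS)
    for path, labels in inv.items():
        print(f"{path}: {sorted(labels) or 'none'}")
    for principal, labels in sorted(exposure(inv, ACLS).items()):
        print(f"{principal} can read: {sorted(labels)}")
    print(f"sensitive-data footprint: {footprint(inv)} of {len(DOCUMENTS)} files")
```

The join is the point: a plain ACL listing says "alice" has two shares, while the classified view says she can read both Social Security numbers and card numbers, which is the statement a CISO needs before deciding which permissions to tighten and which files to retire.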
As we begin 2016, there is one thing we can all agree on: there will be no lack of breaches. But as we think forward into the year, we can find ways to safeguard our organizations’ sensitive data. This begins with properly identifying the who, what, where, when, and how of sensitive data, as listed above.
That’s our list of predictions for 2016. What’s yours?
We invite discussion and debate; visit us on Twitter and LinkedIn, or email us at firstname.lastname@example.org if you wish to publish a blog on our site with your take on our predictions.