IoT complexity leads to security vulnerabilities
According to Cisco’s Visual Networking Index (VNI), it is predicted that by 2020 there will be around 26 billion devices connected to IP networks. With the Internet of Things (IoT) reaching the levels of corporate networks, government systems and general user handsets, security vulnerabilities at scale will continue to plague these connected devices. Due to the complexity of protocols and standards, lack of skilled resources to manage the IoT environment, inferior products with vulnerable security measures and complicated architectures, IoT devices have already been attacked by hackers, which is expected to get worse in 2017. In fact, companies are still not armed enough to scan even their popular apps for malware, leading to DDoS attacks and even leading to providing an entry point into corporate networks for APTs and ransomware.
The way forward: Whoever can secure their IoT devices with tailor-made solutions will win the battle.
Cloud security to gain importance
Cloud security breaches have long deterred many organizations from using cloud computing. This year, however, a reverse pattern could emerge as cloud security is expected to become more important in the IT ecosystem. Cloud security certifications such as the Certificate of Cloud Security Knowledge (CCSK), Cloud Security Alliance (CSA), and Certified Cloud Security Practitioner (CCSP) offer a sense of reassurance to organizations planning to join the cloud computing trainwagon. Additionally, the industry generally shares best practices and advice on how to securely integrate the cloud. As organizations gain confidence in cloud deployment, as well as their on-premises solutions, cloud adoption is expected to increase in the coming year. However, the speed of acceleration would depend entirely on strengthening security practices in the cloud and curbing cloud security breaches.
The way forward: Investing in cloud security-as-a-service would make sense for businesses as it will help minimize security breaches while reducing the cost of purchasing and maintaining firewalls.
Ransomware and malware everywhere
Malware attacks have become more sophisticated over the years as they continue to evolve and go beyond the defenses offered by most antivirus products and security vendors. As companies adopt remote working, adopt wearables, and connect distributed workforces via IoT-enabled devices, attackers are also expected to use technology to gain access to corporate networks through employee devices and hack the system. Mobile malware could be one of the leading issues of 2017 that organizations need to proactively address. According to a study by Lookout, a mobile security company, and the Ponemon Institute, an independent research firm focused on privacy, data protection and information security, a mobile data breach can cost an organization around $26 million. Also, with the proliferation of 4G and 5G services and the increase in internet bandwidth, mobile devices may have greater vulnerability to DDoS attacks.
In addition to malware, ransomware will also continue to evolve in the coming year. Ransomware attacks on cloud and critical servers could increase as the hackers would keep organizations in suspense to part with the extortion money or risk shutting down an entire operation. However, such payouts may not even guarantee companies the future safety of their data or even the recovery of their current data.
The way forward: Stop being held for ransom. Secure your devices and servers with tailor-made security solutions.
Automation to bypass skill gaps
The search for qualified IT resources will continue to be a major issue for the industry and with it newer methods to bridge this gap are also expected. One of the key trends predicted this year would be the use of automation to perform certain tasks, particularly those that are repetitive or redundant. This would help IT professionals focus on important tasks and enable organizations to maximize their workforce.
The way forward: Implementing the right automation solution helps IT pros gain instant access to malicious threats instead of manually checking for breaches.
Secure SDLC, the way forward
Although testing is considered an important part of application security, it is often relegated to a later phase of code development. In the absence of regulations or industry standards, it is often observed that companies adopt their own methods when it comes to coding, with an emphasis on developing code quickly rather than securely.
The current Software Development Life Cycle (SDLC) process, with its five main phases—design, development (coding), testing, deployment, and maintenance—has a major flaw as testing is performed at a later stage. Vulnerabilities are typically verified using methods such as pen testing at a time when the solution is close to being ready for the market. This could leave the uncontrolled code system vulnerable to attacks. The industry is expected to go a step further in the coming year by adopting Secure-SDLC (sSDLC) to circumvent such issues. With sSDLC, changes in the code are automatically analyzed and developers are immediately notified in the event of a vulnerability. This will help educate developers about bugs and make them security conscious. In addition, providers will also be able to prevent vulnerabilities and minimize hacking incidents.
The way forward: Moving to secure SDLC will help organizations get the code right the first time, saving time and money in the long run.
MSP will continue to be the order of the day
Managed Services Providers (MSPs) were introduced to help companies manage their hosted applications and infrastructure, and many predicted they could become obsolete with cloud implementation. However, time has shown that MSP is still a core part of many enterprise services. While most companies have migrated to the cloud, many companies with critical applications are unable to move their infrastructure to the cloud ecosystem due to compliance or regulatory issues. These still need to be managed and maintained.
In addition, the implementation and management of mixed environments, cloud and on-premises, require mature skills. Not only do MSPs help provide the right guidance, they even help organizations choose the right hosting based on the organization’s budget, compliance and security policies prevalent in the industry.
The way forward: MSPs are expected to go beyond managing the IT environment. Such providers can become business extensions for companies to advise them on policy and process management.
Threat intelligence to become strategic and collaborative
According to EY’s Global Information Security Survey, while organizations need to make strides in how they recognize and withstand current cyber attacks and threats, there is still significant room for improvement to deal with sophisticated attacks. For example, 86 percent of respondents indicated that their cybersecurity function does not fully meet the needs of their organization. It is expected that the growing threats, increase in cybercrime, geopolitical shocks and terrorist attacks will continue to prompt companies to evolve their approach to countering cyberattacks.
Incorporating the cyber security strategy into the business process can also become an important component. For example, Microsoft recently announced its $1 billion investment plans to implement a new integrated security strategy across its portfolio of products and services.
The way forward: Cybersecurity can no longer be tackled in isolation from one company. Organizations need to address the issue by working collaboratively, sharing best practices and creating war room programs.