Cybersecurity threats and trends to watch this year

Data breaches are a persistent worldwide risk as criminals and companies step up their game

The year 2015 was one in which cyber criminals continued to innovate and expand their activities. As 2016 commences, look for insider threats to take center stage, and for leading companies to respond proactively. Meanwhile, cybersecurity and privacy issues will continue to reverberate globally. Here are a few predictions for the coming year:

Cyber threats and elections. Threat actors targeted the websites and emails of both presidential candidates in 2008 and 2012. Campaign websites continue to be used to raise money, making them targets for hacktivists and cyber criminals alike. Expect to see U.S. primary frontrunners and eventual nominees—from both parties—successfully targeted, and at least one campaign undermined by a data breach.

IoT spurs new rules. This will be the year consumers awaken to security and privacy concerns attendant to the Internet of Things. A major physical disruption—through the breach of a connected car, medical device or weak security in a connected toy—will spur regulators and consumers to demand action. Expect companies to spend untold amounts on testing and retrofitting IoT devices to meet hastily approved “privacy and security by design” rules.

Insider threats get addressed. Insider threats—current or ex-employees with knowledge of, and access to, the corporate network—will take center stage in 2016. This will push human resources leaders onto cross-functional cybersecurity teams in many organizations. Expect leading-edge companies to invest in technologies that identify and, in some cases, prevent insider threats before they cause material damage.

International data flows narrow. Uncertainty arising from the demise of the EU-U.S. Safe Harbor pact will disrupt international data flows. Expanding European nationalism, distrust of U.S. surveillance and subpoena power, the prospect of triggering huge fines for transborder transfers, and political disputes over alternatives will drive some U.S. companies to avoid doing business with Europe altogether. Meanwhile, other multinationals will opt to segregate business functions geographically by building local cloud services and data centers that protect them from penalties.

Boardroom shuffle. With concern mounting over cyber risks, organizations will evaluate fresh approaches to ensuring boards are well-informed and comfortable making strategic decisions. Expect the appointment of specialist, nonexecutive cyber directors and the formation of dedicated cyber-risk committees, similar to audit committees, with independent advisers. Regulators also may pursue the concept of “cyber competent” people as a requirement for boards.

Cyber insurance spike. Demand for cyber liability coverage will continue rising. Expect premiums to also rise due to constantly evolving threats, immature risk models, and an underdeveloped reinsurance market. This will impact retailers, health care providers, banks and others considered high risk. Uncertainty about concentration of exposure will lead regulators to impose cyber incident “stress testing.” This is a way to model the impact of multiple, simultaneous incidents on cyber insurance carriers, and potentially to stop those that fail these tests from writing new policies.
