Why cybersecurity exposures are likely to intensify in 2016
Companies tighten networks in wake of massive breaches, but myriad ways to lose data control persist
By Rodika Tollefson, ThirdCertainty
With 2015 about to go down as the year of the massive data breach, 2016 could emerge as the year cyber criminals turn their attention to exploiting myriad alternative paths to steal sensitive data.
Meanwhile, companies and individuals must guard against becoming complacent. That’s the consensus of a group of security and privacy thought leaders interviewed by ThirdCertainty.
The year is not quite over yet, but some cybersecurity experts already are seeing it as the worst year yet for breaches.
The organizations affected by this year’s major attacks—Anthem, Office of Personnel Management, Ashley Madison—had one thing in common: massive amounts of information.
“The threat actors are really going after the big data aggregation—it has become the big target,” says Jeff Schilling, chief of security and operations at cybersecurity provider Armor.
And it’s not just any data they’re after, notes Adnan Amjad, leader of Vigilant Cyber Threat Management at Deloitte Cyber Risk Services—it’s personally identifiable information (PII).
This is especially prevalent in the health care industry as well as “the Web services industry that (contains) large amounts of transactional data on their clients,” Amjad says.
The most notable attack on a Web service was Ashley Madison, which Justin Harvey, chief security officer at Fidelis Cybersecurity, calls a landmark breach.
“To have the data stolen is bad, but to have it released to the public was the ultimate (offense),” says Harvey, whose team has responded to such high-profile attacks as the Sony PlayStation Network breach a few years ago.
In both the Sony and Ashley Madison breaches, the prime motivator was not greed or espionage. A hacktivist group, called LulzSec, hacked the PlayStation Network in early 2011 to embarrass Sony after the corporation sued a young man for hacking the programming in his PlayStation gaming console. And the Ashley Madison hackers sought simply to expose 32 million users of the social media website whose business model focused on promoting extramarital affairs.
“It was for embarrassment,” Harvey says of the Ashley Madison breach. “The embarrassment leak is particularly worrisome for consumers … because anyone can access the information with a little technology.”
Given the dominance of cybersecurity incidents in the headlines, it’s not surprising that consumers are concerned. A recently released Consumer Risk Index survey from Travelers Insurance found that loss of personal privacy and identity theft was the No. 2 concern among the risks they worried about in 2015—coming in very close to the top concern, financial.
Travelers also found that concerns about cyber risks grew from 36 percent last year to 57 percent in 2015, although only 25 percent of the 1,000 respondents said they’ve been victims of a breach or cyber attack.
Harvey thinks the 25 percent statistic sounds low and should be closer to 75 percent.
“Everyone should have been affected at one point,” he says. “It’s the new normal.”
Michelle Dennedy, chief privacy officer at Cisco, says one upshot of widespread news coverage of big data breaches—as well as of Europe’s Safe Harbor court ruling, which tightens controls over how companies can keep personal data and transfer it between the European Union and United States—has been to increase public awareness of privacy.
“People are recognizing that information is important across the continuum. … It’s the data that must be protected across the board, from a security, privacy, respect and trust perspective,” she says.
Morey Haber believes that awareness, however, creates an unintended consequence: Consumers are slowly becoming desensitized. He calls it the “Chicken Little” problem.
“There are only so many times you can say the sky is falling before people become numb,” says Haber, who is vice president of technology at BeyondTrust, which offers privileged account management. “We haven’t hit that point yet where people are numb, but we’re getting there.”
Increased awareness also is compelling large organizations to boost their cybersecurity spending and outsource certain security functions to managed-service providers, according to Amjad.
“Small and medium-size businesses, on the other hand, are increasingly relying on various ‘as-a-service’ models to meet their security needs,” he says.
ThirdCertainty asked the experts what they expect for 2016. Below are some of their top predictions:
Armor’s Schilling: More enterprises will shift to the approach of assuming they’re automatically compromised and, as a result, will get better and faster at detecting and responding to breaches. But that will create a new problem.
“As companies get better and better at security, we’ll see threat actors starting to escalate to the next step, which is physical penetration,” he says.
He believes big retailers are especially vulnerable because they’ve strengthened their cyber defenses and at the same time have a large surface area through multiple locations.
Fidelis’ Harvey: Data brokers will become a new target and embarrassment-motivated breaches will become more prevalent—involving sensitive information like company payrolls, for example.
“I cannot describe the absolute pandemonium that would happen in companies in America if everyone’s salary, from the CEO on down to the lowest-level worker, was released for public consumption,” he says.
BeyondTrust’s Haber: User account privileges and the idea of “securing the person” will be a top bullet point.
On a less positive note, there will be a lockdown of websites that “provide lateral movement from one type of account to another” and contain a lot of basic PII. These are databases like driver and vehicle licenses, property appraisals and IRS transcript requests.
“I think you’re going to see more closure of public records (online) and the ease of access will be modified in some way,” he says.
Cisco’s Dennedy: There will be a continued trajectory of consumers losing control over their data. Organizations will provide better tools for consumers to have transparency and control—but this will be an evolution rather than revolution.
“The question is, how do we regain trust and control (as consumers) so we are telling the stories we want … and companies can make ethical business decisions with that data,” she says.
Deloitte’s Amjad: A near-future trend will be organizations’ use of collective intelligence, which refers to the “ability of a group to leverage competing ideas, consensus and informed peer review in order to come up with the best solutions.”
“I think we are seeing a shift toward the general notion of competitive idea exchange with the intent of creating more resilient cybersecurity programs,” he says.