Why cybersecurity exposures are likely to intensify in 2016

Companies tighten networks in wake of massive breaches, but myriad ways to lose data control persist


With 2015 about to go down as the year of the massive data breach, 2016 could emerge as the year cyber criminals turn their attention to exploiting myriad alternative paths to steal sensitive data.

Meanwhile, companies and individuals must guard against becoming complacent. That’s the consensus of a group of security and privacy thought leaders interviewed by ThirdCertainty.

The year is not quite over yet, but some cybersecurity experts already are seeing it as the worst year yet for breaches.


The organizations affected by this year’s major attacks—Anthem, Office of Personnel Management, Ashley Madison—had one thing in common: massive amounts of information.

“The threat actors are really going after the big data aggregation—it has become the big target,” says Jeff Schilling, chief of security and operations at cybersecurity provider Armor.

And it’s not just any data they’re after, notes Adnan Amjad, leader of Vigilant Cyber Threat Management at Deloitte Cyber Risk Services—it’s personally identifiable information (PII).

This is especially prevalent in the health care industry as well as “the Web services industry that (contains) large amounts of transactional data on their clients,” Amjad says.

The most notable attack on a Web service was Ashley Madison, which Justin Harvey, chief security officer at Fidelis Cybersecurity, calls a landmark breach.

“To have the data stolen is bad, but to have it released to the public was the ultimate (offense),” says Harvey, whose team has responded to such high-profile attacks as the Sony PlayStation Network breach a few years ago.


In both the Sony and Ashley Madison breaches, the prime motivator was not greed or espionage. A hacktivist group, called LulzSec, hacked the PlayStation Network in early 2011 to embarrass Sony after the corporation sued a young man for hacking the programming in his PlayStation gaming console. And the Ashley Madison hackers sought simply to expose 32 million users of the social media website whose business model focused on promoting extramarital affairs.

“It was for embarrassment,” Harvey says of the Ashley Madison breach. “The embarrassment leak is particularly worrisome for consumers … because anyone can access the information with a little technology.”

Given the dominance of cybersecurity incidents in the headlines, it’s not surprising that consumers are concerned. A recently released Consumer Risk Index survey from Travelers Insurance found that loss of personal privacy and identity theft was the No. 2 concern among the risks they worried about in 2015—coming in very close to the top concern, financial.

Travelers also found that concerns about cyber risks grew from 36 percent last year to 57 percent in 2015, although only 25 percent of the 1,000 respondents said they’ve been victims of a breach or cyber attack.

Harvey thinks the 25 percent statistic sounds low and should be closer to 75 percent.

“Everyone should have been affected at one point,” he says. “It’s the new normal.”

Michelle Dennedy, chief privacy officer at Cisco, says one upshot of widespread news coverage of big data breaches—as well as of Europe’s Safe Harbor court ruling, which tightens controls over how companies can keep personal data and transfer it between the European Union and United States—has been to increase public awareness of privacy.


“People are recognizing that information is important across the continuum. … It’s the data that must be protected across the board, from a security, privacy, respect and trust perspective,” she says.

Morey Haber believes that awareness, however, creates an unintended consequence: Consumers are slowly becoming desensitized. He calls it the “Chicken Little” problem.

“There are only so many times you can say the sky is falling before people become numb,” says Haber, who is vice president of technology at BeyondTrust, which offers privileged account management. “We haven’t hit that point yet where people are numb, but we’re getting there.”

Increased awareness also is compelling large organizations to boost their cybersecurity spending and outsource certain security functions to managed-service providers, according to Amjad.

“Small and medium-size businesses, on the other hand, are increasingly relying on various ‘as-a-service’ models to meet their security needs,” he says.

Third Certainty asked the experts what they expect for 2016. Below are some of their top predictions:

Armor’s Schilling: More enterprises will shift to the approach of assuming they’re automatically compromised and, as a result, will get better and faster at detecting and responding to breaches. But that will create a new problem.

“As companies get better and better at security, we’ll see threat actors starting to escalate to the next step, which is physical penetration,” he says.

He believes big retailers are especially vulnerable because they’ve strengthened their cyber defenses and at the same time have a large surface area through multiple locations.

Fidelis’ Harvey: Data brokers will become a new target and embarrassment-motivated breaches will become more prevalent—involving sensitive information like company payrolls, for example.

“I cannot describe the absolute pandemonium that would happen in companies in America if everyone’s salary, from the CEO on down to the lowest-level worker, was released for public consumption,” he says.

BeyondTrust’s Haber: User account privileges and the idea of “securing the person” will be a top bullet point.

On a less positive note, there will be a lockdown of websites that “provide lateral movement from one type of account to another” and contain a lot of basic PII. These are databases like driver and vehicle licenses, property appraisals and IRS transcript requests.

“I think you’re going to see more closure of public records (online) and the ease of access will be modified in some way,” he says.

Cisco’s Dennedy: There will be a continued trajectory of consumers losing control over their data. Organizations will provide better tools for consumers to have transparency and control—but this will be an evolution rather than revolution.

“The question is, how do we regain trust and control (as consumers) so we are telling the stories we want … and companies can make ethical business decisions with that data,” she says.

Deloitte’s Amjad: A near-future trend will be organizations’ use of collective intelligence, which refers to the “ability of a group to leverage competing ideas, consensus and informed peer review in order to come up with the best solutions.”

“I think we are seeing a shift toward the general notion of competitive idea exchange with the intent of creating more resilient cybersecurity programs,” he says.
