David Ferbrache, technical director in KPMG’s cyber security practice, highlights ten cyber security trends expected in 2017.
David suggests that privacy will dominate the corporate agenda next year. He explained: “The European Union General Data Protection Regulation (GDPR) is less than 18 months away – and privacy has suddenly made it to the top of the corporate agenda – not just in Europe. The GDPR tilts the scales in the direction of the European citizen, requiring explicit consent to process, store and transfer their personal information. Data breaches suddenly become more transparent with strict notification requirements, and potential for punitive fines of up to 4% of global turnover for the most serious events.”
Balkanisation of the internet will gather pace, says David. “More and more countries are regulating cyberspace – often with conflicting and contrary approaches. Firms are struggling to keep up with restrictions on how data can be handled, what nations expect in the way of compliance, and the limitations on cross border transfers. Suddenly big data seems less attractive – without the metadata to ensure that legal and policy obligations around data handling can be respected. Data centric security has never mattered more.”
Countries find themselves cyber targets – and become more aggressive in defending their cyberspace. “The Mirai botnet has shown just how damaging distributed denial of service attacks can become, as we saw the largest ever attacks in autumn. Attacks of this scale risk destabilising the internet and the infrastructure which supports it. Active defence has moved up government agendas as countries work with telecommunication firms to provide more robust national defences against alleged State attacks and organised cybercrime, heralding a new relationship between government agencies and commerce. Takedowns and blocking operations aimed at cyber criminals will become more frequent, and more rapid,” said David
Cybercrime becoming industrialised. He said: “Cybercrime has been big business for many years, but 2017 will see an industrialisation of cybercrime exploiting cheap labour and increasingly sophisticated tools for bespoking attacks. CEO frauds and business email compromises will continue to dominate the landscape but with increasingly sophisticated targeting of firms and their employees by criminals who scour social media for intelligence. Ransomware continues to make criminals money, and will become smarter and more targeted as the year progresses supported by a crime as a service underground economy.”
Attackers look for the weak points in our international financial system. David added: “The well-publicised Bank of Bangladesh attack has come and gone. Attackers are looking for weak points in our interconnected financial system exploiting the trust between institutions to find ways to transfer funds and cash out. International financial institutions will try to raise the bar on bank security worldwide, but attackers will look for new targets shifting their focus to e-retail and to new payment channels using APT style tactics. Cyber criminals are getting savvier about how to make money.”
Cloud security comes of age: “Cloud services have finally grown up and have recognised the need to provide clients with the functionality they need to implement effective security and compliance solutions. A well-managed cloud environment can offer levels of security and resilience which many organisations would struggle to replicate internally, and even in regulated industries ‘cloud as the first choice’ has become the mantra,” said David.
Executives demand certainty – sometimes where there is none: “Cyber security programmes have been well established in big corporates. Executives are now holding their CISOs to account to explain what has been achieved by their investments, occasionally demanding unreasonable certainty. Suddenly, the challenge has become just what does money buy you in reducing the impact and ideally the likelihood of a cyber breach – and just where does cyber insurance figure in that decision calculus. Boards are getting the fact that getting the basics right matters, but so does being ready to respond to an increasingly inevitable cyber breach,” said David.
Breaking down the barriers: “More and more firms will realise that their internal stovepipes aren’t helping to tackle cybercrime – fraud control and cyber security still seem poles apart. One deals with criminals, customers and money; the other with attackers, computers and data. But they are the same in our digital world. Realisation arrives that ultimately it is all about protecting the business, and cyber criminals are just another competitor – ruthless and rational entrepreneurs in their own right,” said David.
On internet of insecure things, David said: “And of course, we carry on networking our world and being surprised about just how basic the security around some of devices really is. Expect 2017 to bring more and more examples of misconfigured devices, default passwords, obsolescent operating systems and out of sight devices that people just don’t think of as computers. While some of these attacks will be amusing and quirky, 2017 will bring a few examples which make us realise just how dependent our modern world has become on hidden computers.”
Passwords will be a thing of the past. “This year will hopefully be the year that blind reliance on passwords ends. The security community and the business community are starting to realise that they need a more sophisticated approach to authenticating people and their actions. One which uses multi-factor authentication (including biometrics), behavioural analysis and contextual information to make judgements on whether the user really is who they say they are; and just how risky their attempted transaction really is,” David concluded.
