This feature is part of a series focused exclusively on cybersecurity. To view other posts in the series, check out the spotlight page.
Did you think 2016 was a whopper when it came to cybersecurity and lurking threats? We may be just getting warmed up.
From BEC attacks to shadow IT, the following are seven cybersecurity trends and potential solutions experts predict will take the spotlight in 2017.
1. Accountability for device security
Accountability for the security of technology devices came into the spotlight late last year after it was revealed that thousands of low-security Internet of Things (IoT) devices had been conscripted into large-scale DDoS attacks, one of which knocked out DNS provider Dyn and, through it, several other organizations.
In response, the FTC began targeting IoT device manufacturers whose devices lack adequate security.
In January, the FTC filed a complaint against D-Link Corporation and its U.S. subsidiary, claiming that "D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras," according to an FTC announcement. The FTC also recently brought cases against other IoT device makers ASUS and TRENDnet.
Clearly, now more than ever, IoT device makers and other tech suppliers must ensure they are taking adequate security precautions or face potential legal backlash.
2. Business Email Compromise (BEC) schemes
Fraud driven by stolen or invented identities, better known as Business Email Compromise (BEC), grew in sophistication and effectiveness in 2016. BEC attacks compromised businesses in every market last year, including leading healthcare organizations, an NBA team, financial institutions, the World Anti-Doping Agency, John Podesta and the Democratic National Committee, according to BrandProtect.
While only a small fraction of BEC attacks work, when the fraudsters win, they win big. Million-dollar losses are not uncommon, and that is prompting attackers to double down on their efforts.
Greg Mancusi-Ungaro, CMO at BrandProtect, said BEC attacks will continue to grow in 2017 because they work.
"For a medium-sized investment of social engineering and email and web infrastructure creation, fraudsters put themselves in position for huge gains," said Mancusi-Ungaro. "Ironically, every time a successful BEC attack is reported, the news accounts often contain a blueprint for how the attack worked — essentially a primer for other fraudsters. Essentially, every successful BEC attack spawns other BEC attacks."
3. Mobile device security
The ubiquity of mobile phones makes them an attractive target for hackers. Because mobile phones operate outside the corporate network perimeter and are largely controlled by the employees who carry them, they are much harder to protect than computers used within a traditional office.
More than 70% of IT leaders admit they are at risk from an inability to control employees’ apps and devices, according to a Citrix/Ponemon Institute survey released in January.
"Employees expect to be able to access their information from anywhere, and work from anywhere," said Stan Black, CSO at Citrix. "Allowing that access can make data more vulnerable. What’s most important when looking at mobile security is to ensure that the right identity and access management policies are in place and that those policies are strictly enforced. By controlling access, businesses can better control their sensitive business information."
At the same time, the growing use of mobile phones is creating demand in the mobile threat defense market. Mobile threat defense companies can provide employees a security app to install on their mobile phone, which, according to Gartner, can do things like scan for dangerous apps or risky WiFi networks while workers are on the go.
In the enterprise, the issue of how to pay for mobile defense solutions can be a sticking point. IT departments are generally not given extra resources for mobile device management, but that could soon change. As hackers become more adept at breaking into mobile devices, companies are looking for ways to better protect themselves, and it's likely mobile device management funding will become more commonplace this year.
The real question that needs to be asked in 2017 about mobile security is: how can companies ensure information is protected no matter where it is, or on what device it is accessed?
"The answer to that goes back to access management, having the right policies in place, making sure your business has the right solutions in place to tackle security business challenges and minimize emerging threats," said Black.
4. Contextual access to safeguard digital assets
New technologies focusing on contextual access to connect to online databases and other authoritative sources are poised to grow in 2017, according to Ethan Ayer, CEO of Resilient Network Systems. Such technologies answer sophisticated questions so organizations can be more confident that they are granting access to the correct parties.
"Many organizations today use traditional Identity and Access Management systems to secure resources by attempting to establish the identity of someone requesting access," said Ayer. "But, as we all know too well, identity by itself in the online world is no longer sufficient."
Ayer said better security means understanding the complete context of any access request.
"New technologies that focus on contextual access can connect to online databases and other authoritative sources to answer sophisticated questions like 'Is this person a doctor?' or 'Is this a trusted device?' These additional attributes augment identity so that organizations can be more confident that they are granting access to the correct parties."
5. Cloud storage services and shadow IT putting businesses at risk
The average number of cloud services in use per enterprise rose to 1,031 in the last quarter of 2016, up from 977 the previous quarter, and shadow IT still presents a huge problem. For every instance of an employee correctly using an IT-approved app, there’s another employee using a personal, unsanctioned version, according to Netskope.
Even for popular apps like Box, Dropbox or Google Drive that IT has formally sanctioned, nearly half of users are accessing them from non-corporate email accounts and unintentionally exposing sensitive data to external threats. This, coupled with the overall steady increase in cloud storage adoption, is exacerbating insider threats.
"There’s a huge gray area with services like Evernote and Asana that are frequently used but often lack formal usage policies," said Jervis Hui, senior product marketing manager at Netskope. "In response to that gray area, often the biggest failing among organization leaders is the creation of binary policies — to only allow or block. That lack of oversight and specific usage policies means employees can turn to unsanctioned apps instead or accidentally share sensitive information with the wrong eyes — or worse, expose apps to malware or ransomware attacks."
6. Authentication and DMARC
Phishing attacks that impersonate a brand are spiking. They slip past traditional defenses because there is no malware and no malicious link in the message for a filter to catch. DMARC, an open standard that email service providers are increasingly adopting to protect users from phish, shuts down exact-domain impersonation: the domain owner publishes a policy telling receivers to quarantine or reject mail that claims its domain but fails aligned SPF or DKIM authentication. It does nothing against look-alike or cousin domains, which still need separate monitoring.
"Every time an employee signs up for a SaaS service, be it Salesforce, Workday or Mailchimp, there's a good chance it will need to send email on behalf of that company," said Alexander García-Tobar, CEO of ValiMail, a San Francisco-based email authentication company. "It used to be that IT staff had little oversight or control over this. But with DMARC, all of those services can be discovered and authorized (or denied) as soon as they attempt to send email. For CIOs, that’s worth its weight in gold."
DMARC also has a reporting benefit. Receivers that honor the standard send aggregate reports to the address the domain owner lists in the record's rua tag, summarizing which sources sent mail claiming the domain and whether it authenticated; some also send per-message failure reports to the ruf address. This lets IT see whether a phishing campaign is spoofing its domain, and it surfaces "shadow" services that employees have signed up for and that are sending mail on the company's behalf without IT's knowledge.
"DMARC in effect has allowed email service providers to build a global army of virtual bouncers that protect consumers' inboxes from impersonators," said García-Tobar. "All you have to do is provide those bouncers with a whitelist of approved senders. That's what a DMARC record does. With email authentication properly in place, phish are blocked before end users ever see them."
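To make the "whitelist of approved senders" concrete, here is an added example (not ValiMail's code or any real receiver's implementation) that parses a DMARC TXT record and applies it to a single message the way a receiving mail server would: the message passes only if SPF or DKIM passes for a domain that aligns with the From domain, otherwise the record's p= (or sp= for subdomains) disposition applies. The domain names and authentication results are constructed for the example, and the organizational-domain helper is a simplification noted in its comment.

```python
"""DMARC record parsing and policy evaluation for a single message.

Added illustrative example; this is not ValiMail's code or any receiver's
implementation.  Domain names and authentication results are constructed.
"""


def parse_dmarc_record(txt):
    """Parse a 'v=DMARC1; p=...' TXT value into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= by default
    tags.setdefault("pct", "100")
    return tags


def report_addresses(record):
    """Return the aggregate-report (rua=) destinations, dropping any size limit suffix."""
    addrs = []
    for uri in record.get("rua", "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Real receivers consult the Public Suffix List; this shortcut is an assumption
    that only holds for names like example.com, not example.co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    auth = auth_domain.lower().rstrip(".")
    frm = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == frm
    return org_domain(auth) == org_domain(frm)


def evaluate(record, policy_domain, from_domain, spf_result=None, spf_domain=None,
             dkim_result=None, dkim_domain=None):
    """Apply a DMARC record to one message.

    policy_domain is where the record was published; from_domain is the RFC5322.From
    domain; spf_domain is the MAIL FROM domain; dkim_domain is the d= of a verified
    signature.  Returns (dmarc_pass, disposition) with disposition one of
    none / quarantine / reject.  The pct= sampling tag is treated as 100.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    policy = record["p"] if from_domain.lower() == policy_domain.lower() else record["sp"]
    return False, policy


if __name__ == "__main__":
    # Monitoring-only record (the weak setting) beside an enforcing one.
    monitor = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.com")
    enforce = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com!10m; adkim=s")

    # A sanctioned SaaS sender signing with d=example.com: authorized, aligned, passes.
    print(evaluate(enforce, "example.com", "example.com",
                   dkim_result="pass", dkim_domain="example.com"))   # (True, 'none')

    # Same-domain impersonation: SPF and DKIM both pass, but for attacker.example,
    # so neither identifier aligns with the From domain.
    spoof = dict(spf_result="pass", spf_domain="attacker.example",
                 dkim_result="pass", dkim_domain="attacker.example")
    print(evaluate(monitor, "example.com", "example.com", **spoof))  # (False, 'none')
    print(evaluate(enforce, "example.com", "example.com", **spoof))  # (False, 'reject')
    print(report_addresses(enforce))                                 # ['dmarc@example.com']
```

The p=none record is what a domain typically starts with: the spoofed message still fails DMARC and shows up in the aggregate reports, but nothing is blocked until the policy is moved to quarantine or reject. The adkim=s example also shows the trade-off of strict alignment: a legitimate sender signing with a subdomain such as mail.example.com would then fail.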
7. Device-specific credentials
With device-specific credentials, once a user account is cryptographically bound to a physical device, there is wide latitude in how to balance security, convenience and privacy.
"To the average person, this means your phone becomes your password, and this will be a big improvement to existing credentials," said Ayer.
While some setup is required, being able to ask the device, and hence the user, to enter a PIN, use a biometric or simply prove they are human is a valuable extra factor.
"Try asking those questions to simple user name-based credential … crickets," said Ayer.