2016, the Year of Connection, Attacks and Regulations


In 2016 we will continue to see the line between personal and work blur, with an increasing number of devices being used for both. The drive for internet-attached devices in the home will see a rise in increasingly complex home networks – which risk providing an easier route for attackers that can then be used against individuals and as a portal to corporate networks.

Network tools have been available to organisations since networks began, but in the home they are a new phenomenon. Friends and visitors also connect to the home WiFi, and of course there is still the possibility of wardriving, where complete strangers can connect to networks as they pass by. Increasing numbers of devices in the home connect to WiFi and directly to the Internet, which opens up the possibility of attack through those devices, especially those which update themselves automatically. Vigilance will be needed in both the home and the workplace to keep up with the changes in technology and working practices.

Advances in technology will continue, but these will often be in response to attacks rather than preventing them before they happen. Businesses’ priorities will continue to be keeping their critical information safe, despite all the changes that are occurring, with greater emphasis on that which is used for collaboration, such as in the cloud or with third-party data processors and partners. The importance of information has never been greater, with recent cyber-attacks not just being about financial gain, but using reputational damage as leverage. This will lead to an increasing need to protect information which falls outside the usual legislation and regulatory data: the business’s critical information.

Unfortunately, as each year goes by there continue to be many high-profile cyber-attacks reported in the media; however, what stood out with the TalkTalk attack last year was that it showed how a ‘simple’ breach can have big consequences. This will continue to be an issue in 2016 as old applications prove to be a risk for organisations.

Then we also had the Bank of England breach; while there was no financial damage, it was another example of the hit a business’s reputation can take if it is hacked. As well as this, one of the most significant attacks of 2015 was on Ashley Madison, which was not only damaging to the reputation of the company, but also to users’ data. The knock-on impact on individuals was devastating – and resulted in personal blackmail, which then had a knock-on effect on their employers. The leak of clinical information regarding HIV status could also have resulted in personal blackmail. This was human error which caused the problem; however, the result is the same as with Ashley Madison: critical information in unauthorised hands. Ransomware remains a challenge, now targeting businesses as well as individuals, so organisations need to be prepared to tackle this.

It appears that businesses also don’t think there will be any let-up in attacks: Clearswift’s annual insider threat index (CITI) revealed that 40% of firms expect a data breach in the next 12 months. Organisations believe this will be mainly due to employee behaviour, while employees believe it is because of a widespread lack of awareness of good cyber security practice. This shows that there seems to be some deadlock over how to resolve these issues, which needs to be sorted out by both firms and employees.

This year will also see the implementation of the changes in EU data protection laws. Organisations will be facing heavy fines if they are not prepared for data breaches and do not protect the information they are entrusted with, and after the events of 2015 we can see that businesses are not all prepared for when this comes into place. Companies need to start implementing a multi-year risk reduction plan – as there is much to be done, and not enough time or budget to do it more quickly – this will mean doing the basics as quickly as possible and then building out, with an emphasis on being able to protect against some of the newer information-borne threats.

There is no doubt 2016 will throw up challenges for organisations, whether they come from hackers or from legislation. Preparation is key: businesses may not be able to deal with all attacks, but making sure they have the best capabilities possible to limit the damage will at least do something to limit the effects on their data and reputation.

About Guy Bunker
Guy has over 20 years’ experience in information security and IT management. Before joining Clearswift in 2012, Guy was a Global Security Architect for HP. He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security. Previously, Guy was Chief Scientist for Symantec and CTO of the Application and Service Management Division at Veritas.

Guy is a frequently invited speaker at conferences, including RSA, EuroCloud and InfoSec. He is a spokesperson for The Open Group’s Jericho Forum and an expert for the European Network and Information Security Agency (ENISA).

Guy is a board advisor for several small technology businesses and has published books on utility computing, backup and data loss prevention. He holds a number of US patents and is a Chartered Engineer with the IET.
