The innovations in today’s digital world continue to advance at a tremendous pace, and 2016 didn’t fail to have its own impact on society. As a hobbyist in remote flight, I saw the introduction of drones to deliver blood and medicines in Rwanda by a Silicon Valley startup as an amazing example of how the Internet of Things can have a hugely positive impact on society. I can’t wait for the completion of the $10 million Tricorder XPRIZE to be announced in early 2017, when fiction is expected to become fact as a portable wireless device that is anticipated to be able to monitor and diagnose health conditions.
What can we expect in 2017 from a cybersecurity perspective? Personally, I believe 2017 and early 2018 will be the most exciting years in terms of evolving our cybersecurity capabilities as businesses prepare for the May 2018 deadlines imposed by upcoming EU legislation changes. This is a rare opportunity to step back and take stock of our capabilities and validate if they are still fit for their purpose, both for the approaching deadline and thereafter. This is a welcome driver to look to the future as security professionals are often so caught up in enabling the ongoing technology innovations and managing evolving cyber risks.
So here are my predictions for the next 12 months:
1. 2017 is the year businesses need to get prepared for the May 2018 deadline for upcoming EU legislation in the form of the GDPR and NIS Directive.
- This will mean that businesses finally have to gain control of the mountains of data they have gathered and generated, as well as to understand both the value and risks they create for the business.
- We can expect some early examples to be made, as the EU looks to ensure that businesses take their digital societal responsibilities
- Cybersecurity leaders will need to validate that their cybersecurity capabilities are relevant to the risk they face and that they leverage current best practices, referred to as “state of the art,” with clearly documented processes and measures. Too often security experts continue to hold on to legacy practices, perceiving that continuing to do the same things as before is enough; as such, 2017 will be the year for change.
2. Businesses will be vulnerable as they are immobilized by the confusion of what a good next-generation endpoint strategy looks like.
- With the growing volume of unique attacks, organizations have, for a long time, been looking for new solutions to either complement or replace signature-based approaches. However, with many different, new approaches to choose from, businesses are hesitating for too long while they look for validation to define their future next-generation endpoint strategies. With the growth of ransomware, one instance has become one too many, and now is the time when next-generation capabilities are needed.
3. We will see the cybersecurity landscape continue to change.
- Ransomware will continue to have business impact. Expect ransomware to target a broader range of platforms and further leverage historical cyberattack techniques, such as APT-style attacks, as those behind them look to increase their profits. While this threat remains lucrative, it will continue to be a focus for attackers, which could distract them from developing threats leveraging other areas of technology.
- DDoS will refocus on the retail space as retailers become increasingly dependent on online revenue streams.
- Targeted credential theft will allow attackers to move the attack out of the business network. As more businesses in Europe embrace cloud, credential theft – whether through social engineering or attack – will mean that adversaries have to spend little or no time in the business’s network to achieve many of their cyberattack goals.
4. While senior cybersecurity skills are in reasonable shape, practitioners are in demand, and outsourcing capabilities are not scaled for evolving demands (volume of work, hybrid cloud/on-premise services, incident response, next-generation SOC requirements, training and running AI/big data systems).
- With the continuing growth of information to draw on in order to prevent and protect against cyberthreats, we can only expect more security events that need to be managed. The number of security experts has not kept pace and will not; therefore, businesses must rethink how and where human skills should be leveraged in cybersecurity. Today there are too many siloed, human-dependent cybersecurity processes that, with evolving best practices, can and should be consolidated and automated. In a market with limited skills, usability and automation should be treated as being as important as capability.
5. Most companies will confirm whether cyber insurance will become a part of their investment strategy and realize that insurers are a valuable point for CISOs wishing to translate and validate risk for senior executives, helping those executives better understand their business’s cyber risks.
6. Cross-domain incidents will stop organizations siloing IoT/OT and business/home systems, and help them start to realize it is actually one big cyber mesh.
- It’s likely that essential services will suffer more outages, following the early examples in Ukraine, the recent Mirai bot DDoS attack, and others.
- In recent years, we have seen more attacks on automotive systems, so attackers inevitably will start to look at moving laterally into other autonomous systems, as they grow in popularity. These may vary from driverless city centers to the Amazon button to the increasing use of drones for commercial businesses.
It will be interesting to see how many of these predictions come true over the next 12 months. If experience has taught me anything, some will have been realized in half that time, while others may take a little longer – and, as always, I’m sure we’ll be thrown a few curveballs. The only near guarantee I can give is that the digital world will continue to have an amazing and positive impact on our lives, and I’m proud to be part of the global cybersecurity community that supports its enablement.
What are your cybersecurity predictions for 2017? Share your thoughts in the comments.
[Palo Alto Networks Research Center]