As we beging to analyze the cybersecurity events of 2015, some may see compromises, system failures and data breaches, where the cybersecurity cadres were seemingly outgunned and outmaneuvered by both cybercriminals and nation-states. But those engaged in cybersecurity will continue to be challenged (and fully employed) in 2016. In fact, the wise will look at 2016 as a welcome challenge and an opportunity to excel as they engage with consumers and businesses.
Consumers in 2015
Looking back at 2015, there is no denying consumers were inundated with media headlines of near-apocalyptic proportions, all of which seemed to be centered on the message that being online means being in the danger zone. Yet amidst the cacophony of negativity, we see consumers engaging in self-education and asking the right questions. They are exercising more caution and taking steps to secure their personal infrastructure.
“The big trend change for 2015 is that cybersecurity awareness is having an impact,” said Tom Currie, president of RiskAnalytics. “2015 is the year that public awareness about phishing is getting regular coverage on the mainstream (nontech) press. The general population clearly understands that personal defense against cybersecurity fraud is now a part of everyday life.”
He even pointed to some real-life examples of people getting more curious about and involved with security. “The receptionist at the dental office wanted to chat and make sure she understood strong passwords. Evening news on TV is regularly coaching the populace about personal cyber defense. The produce manager at the grocery store wanted to discuss how concerned he was about opening email attachments. This is good — the message is getting through.”
More Secure Measures
Technological advances designed to patch identified vulnerabilities have arrived and are being implemented. Many of these solutions were spurred by cybersecurity lapses in 2015. For instance, the Target point-of-sale data breach was the first of many leaks that demonstrated the need for the U.S. credit card industry to adopt new best practices.
I reached out to a security evangelist at G-Data, Andy Hyter, who noted that “the implementation of EMV smart chip-and-signature cards in the U.S. will cut down on credit card fraud.” He also emphasized how “the takedown of botnets such as the Dridex banking Trojan have helped reduce the methods cybercriminals used to scour bank accounts, stealing funds at will.” This bodes well for the individual consumer.
Similarly, Barry Hurd, managing director of Epiphany Metrics, noted how “real-world attacks such as Charlie Hebdo and in Paris have brought public support to ‘hacking for good’ groups like Anonymous and Ghost Security. While the Robin Hood effect of enabling vigilante groups to go unchecked has many questionable areas of concern looking into the future, the awareness such groups bring to the conversation is critical to overcoming the most common social pitfalls of the cybersecurity landscape.”
What Are Consumer Cybersecurity Expectations for 2016?
In 2016, consumers expect more robust public-private partnerships. They expect their goods and services to be readily available without sacrificing security. Furthermore, the organizations that fall short will see customers voting with their wallets as they engage companies who do invest in privacy and security in 2016.
The Year in Review for Businesses
Enterprises faced their own challenges and growth opportunities in 2015.
The cybersecurity education and awareness of individual employees, decision-makers and boards can be counted among the most positive outcomes of 2015. Nowhere is this more positively evidenced than within public-private partnerships.
According to Fidelis Cybersecurity President and CEO Peter George, the breaches of 2015 helped set in motion a trend at several respected colleges and universities to bolster their cybersecurity programs. DePaul University, George Mason University, Northeastern University, Nova Southeastern University, University of Buffalo, University of Houston, University of Maryland and the University of Texas at San Antonio all strengthened their cybersecurity curricula in 2015, just to name a few.
“This is a very important step to alleviate one of the biggest challenges in the cybersecurity world: the shortage of trained cyber warriors,” George said. “This will help strengthen the security posture of U.S.-based companies and [the] government going forward.”
Businesses that thought of cybersecurity as an option were forced to rethink their stance this year. They can no longer place cybersecurity on the to-do list and then forget about it. In 2015, we saw multiple advances in machine analytics, which not only reduced the noise, but also enabled focused responses. I reached out to JP Bourget, CEO of Syncurity, who noted how “there now exists software that streamlines incident response and/or SOC operations.”
Meanwhile, Hurd added that enterprises are also seeking ways to streamline existing practices. “Slumbering industry giants are being awakened from decades of ignorance and avoidance,” he said. “Case examples … [have] served as a rallying cry for trusted industry leaders to awaken and take action, activating both the wrath of the corporate executive boards and the outrage of the end customer — a potent mix leading to regulatory action, civil liability and community education.”
With such education, the legislative arms of the government have engaged on privacy and cybersecurity. Their efforts are intended to protect both the consumer and business from the malevolent actors who traverse the Internet. With an eye toward such legislature, I asked Daniel Garrie, editor-in-chief of the Journal of Law and Cyber Warfare, about whether current legislative frameworks are sufficient to address international cybersecurity threats.
“Cyberattacks by state actors are now a reality that are becoming a norm for not just nations, but also corporations, forcing them to constantly monitor and address this threat,” Garrie commented. “It is very likely that we will see a rapid evolution of domestic and international law to address the new reality.”
This also advanced the discussion on the need for robust authentication to be integrated into our cybersecurity infrastructure. Noted authentication industry thought leader John Haggard, CEO of Nymi, told me as much in an interview.
“Coming together in 2015 are three events that are, in my opinion, changing the game,” he explained. “First, the FIDO Alliance established a foundation with the U2F protocol but acknowledged the next big step: wireless engagement of secure elements that a user has, which could be a wearable. Second, the best-kept secret is token ID binding, which late in 2014 Microsoft threw their support behind … to harden our Internet connections (more about that in a second) and, finally, FIDO announcing the unification of the various FIDO standards.
“Taken together, what is emerging are standards for users carrying extremely secure wireless devices that are powerful enough to authenticate users locally and that can eliminate man-in-the-middle attacks by storing the anchor keys for token ID binding,” Haggard continued. “Without the secure device, all cookies and other artifacts stored by modern browsers for sophisticated applications are useless. It is not just about who you are, but what happens afterward.”
HIPAA Has Teeth
The health care sector was shellacked in 2015. The good news is that later in the year, a few attorneys general of U.S. states began exercising their authority.
Privacy thought leader and SIMBUS360 CEO Rebecca Herold noted how she has worked with hundreds of covered entities (CEs) and business associates (BAs), and a common statement that she encounters is: “If the HHS is not going to schedule an audit for us, why invest the time and money in doing HIPAA compliance?”
Herold lamented how she would always explain that in addition to needing to mitigate risks by implementing HIPAA requirements, they also had more than just scheduled audits to consider. Organizations could also face a HIPAA compliance audit following a breach or after complaints.
Additionally, all 50 state attorney general offices now have HIPAA enforcement authority, not to mention CEs often require audits of their BAs in order to do business. But when asked how many state offices had exercised that authority, she had no examples to share.
That changed on Nov. 6, 2015. The Connecticut attorney general applied HIPAA fines and penalties against a local hospital and its business associate vendor for a breach that occurred in 2012 when an unencrypted laptop was stolen from a vendor employee’s home. The hospital shared in the liability because it did not have appropriate contracts or oversight of its vendor.
“This will serve as a bellwether event for not only state attorney general offices starting to apply HIPAA fines and penalties against health care CEs and their BAs, but [it] should also accelerate and increase the oversight that CEs have for their BAs,” Herold said. “This action will have a positive effect on cybersecurity by raising awareness of the need for safeguards in BAs and for more oversight of BAs by CEs going forward.”
Last but certainly not least are the positive aspects of information sharing and collaboration that cybersecurity experiences have fostered. Paul Kurtz, CEO of TruStar Technology, observed how the various breaches, while never good news, did offer at least one positive outcome: “An increased understanding of the limitations inherent in our more traditional, sector-based security model.
“This realization, alongside emerging incident sharing technologies and promising developments on the legal front, has created an environment where companies across sectors can collaborate around security events in real-time, creating a potentially powerful system of connective defense that has been just out of reach for far too long,” he added.
Hurd appeared to agree with Kurtz’s perspective. He noted how we now have active, 24/7 examples of why knowledge sharing and information syndication serves as one of the most vital components of a strong cybersecurity framework. “While technical experts can patch niche vulnerabilities and implement critical safeguards, the ability to communicate tactical vulnerabilities in a rapid response framework is beginning to replace old breach response strategies from the ’80s and ’90s,” he said.
Business Expectations for the Future
We can expect to see advances in the removal of barriers to entry for more robust technological solutions to keep businesses safe and secure. Privacy will remain front and center. Specifically, the ramifications of the EU implementation of data privacy regulations in 2016 will be on every CISO’s scope.
In 2016, cybersecurity will remain top of mind for all companies and most consumers. Businesses must resist the temptation to counterattack against intrusion directly and instead participate in the public-private information sharing so that the government entities may engage when necessary.
As Garrie pointed out, “Failure to address these issues may lead to a company possibly starting the next major global conflict for the United States.”
2016: The Year of Opportunity
2015 had its share of train wrecks and digital disasters. The lessons learned in 2015, however, have provided us with tremendous opportunities to adjust our behavior. Every board should be pushing its respective CEOs to put in place processes, technologies and resources for people to address the cybersecurity maelstrom that we collectively experience.
In addition, these same boards must ensure the C-suite is not allowed to engage in event amnesia. The year of opportunity is upon us; let’s not squander the many opportunities it presents.