The year ahead in cybersecurity

By: William Jackson
December 30, 2015


Tech writers at this time of year often quote the late Yogi Berra to the effect that making predictions, especially about the future, is hard. Then they go on to make predictions. I disagree. Making predictions is easy. Because they are about the future, for the time being mine are as valid as anyone else’s. So here is my forecast for 2016.

Cyber insurance: An opportunity

Liability for data breaches and other security mishaps is being defined. Public disclosure is not only costing companies a lot of money but also damaging brand reputations, and that makes cybersecurity important. Chief executives, both in government and business, are losing their jobs over security lapses. In Europe, the EU General Data Protection Regulation will hold businesses, including the third parties they use, responsible for the data they hold or process. Closer to home, the EMV chip card liability shift that took effect in October 2015 is redrawing the lines of liability for merchants, card issuers and the processors that serve them.

All of this is making cybersecurity a business issue rather than an IT problem, which should help mature the market for cyber insurance in the coming year.

This should be good news. The insurance industry has a way of reducing risk to dollars and cents, a metric that has been missing in cybersecurity. If cyber insurance becomes a business best practice, carriers will be able to make requirements (and provide financial incentives for them) in a way government has been unable or unwilling to do. The end result should be a more professional, risk-based approach to cybersecurity.

The Internet of Things: A challenge

The Internet of Things is not new; it is a continuation of the Internet's constant expansion in form and functionality. But the expected addition of billions of new devices in the coming year obviously will present challenges. Throughout its history, additions to the Internet have been made with an eye toward function rather than security.

Not every connected device will be a suitable target or host for malware, of course, and there are some encouraging signs. At the Consumer Electronics Show in Las Vegas next week, for instance, Green Hills Software will be touting a portfolio of secure IoT devices and automotive technology. But the rapid expansion will also expand the attack surface. The recent hack of children's customer accounts at VTech is an example. The hack apparently did not come through the Internet of Things itself, but it compromised data delivered through it and for it.

The bottom line is, this largely unsecured and unmonitored expansion will provide a playground for hackers, hacktivists, criminals and nations. And speaking of monitoring . . . .

Continuous monitoring: Looking for a definition

Continuous monitoring is becoming the de facto standard for cybersecurity, replacing static defenses and periodic assessments. It requires the ability to effectively gather, collate, analyze and quickly respond to large amounts of security data. A growing number of products and services can help with this, but organizations still are trying to decide just what "continuous monitoring" means. Many will have to come up with a definition that suits them this year.

The literal meaning is that you are monitoring all of the IT enterprise all of the time. It is obvious that this is impractical if not impossible. In practice it should mean a continuous, rolling assessment of the components of the enterprise, with the frequency for each component set by risk analysis.

Each organization will have to determine for itself the schedule and pattern of this monitoring, based on its own abilities and needs. It also will have to decide how much of the process can and should be automated, how much to entrust to humans, and whether to keep the job in-house or outsource it as a service.
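To make the "rolling assessment, frequency by risk" idea concrete, here is an added example (my own illustration, not code from the column or from any product it mentions) of a scheduler that decides which assets get assessed in the next cycle. The risk tiers, the interval per tier, the capacity figure and the sample inventory are all assumptions constructed for the example; an organization would substitute its own risk analysis and its own throughput.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    name: str
    risk: int               # 1 (low) to 5 (critical), from the organization's own risk analysis
    last_assessed: datetime


# How often each risk tier is reassessed. These intervals are assumptions for the
# example; an organization derives its own from its risk analysis and capacity.
INTERVAL_BY_RISK = {
    5: timedelta(hours=1),
    4: timedelta(hours=6),
    3: timedelta(days=1),
    2: timedelta(days=7),
    1: timedelta(days=30),
}


def interval_for(asset: Asset) -> timedelta:
    return INTERVAL_BY_RISK[asset.risk]


def overdue_ratio(asset: Asset, now: datetime) -> float:
    """Time since the last assessment as a multiple of the asset's own interval.
    1.0 means the assessment is exactly due; 2.0 means it is a full interval late."""
    return (now - asset.last_assessed) / interval_for(asset)


def due_assets(assets, now):
    """Assets whose interval has elapsed, ordered most-overdue first. Because the
    ordering is relative to each asset's own interval, a critical system one hour
    late outranks a low-risk system a day late."""
    due = [a for a in assets if overdue_ratio(a, now) >= 1.0]
    due.sort(key=lambda a: overdue_ratio(a, now), reverse=True)
    return due


def plan_cycle(assets, now, capacity):
    """Names of the assets to assess in this cycle. `capacity` models how many
    assessments the team or its automation can actually run per cycle."""
    return [a.name for a in due_assets(assets, now)[:capacity]]


def carried_over(assets, now, capacity):
    """Due assets that did not fit into this cycle; they head the next one."""
    return [a.name for a in due_assets(assets, now)[capacity:]]


# Constructed sample inventory for the example (not real systems).
NOW = datetime(2016, 1, 4, 12, 0)
SAMPLE_ASSETS = [
    Asset("payment-gateway",   5, NOW - timedelta(hours=2)),    # 2.0x its 1-hour interval
    Asset("domain-controller", 4, NOW - timedelta(hours=5)),    # 0.83x, not yet due
    Asset("hr-portal",         3, NOW - timedelta(hours=36)),   # 1.5x its 1-day interval
    Asset("intranet-wiki",     2, NOW - timedelta(days=3)),     # 0.43x, not yet due
    Asset("legacy-printer",    1, NOW - timedelta(days=40)),    # 1.33x its 30-day interval
]

if __name__ == "__main__":
    print("assess now:", plan_cycle(SAMPLE_ASSETS, NOW, capacity=2))
    print("carry over:", carried_over(SAMPLE_ASSETS, NOW, capacity=2))
```

With a capacity of two per cycle, the payment gateway and the HR portal are assessed now and the printer rolls into the next cycle; the domain controller and wiki are not touched until their own intervals elapse. The organization's decisions from the paragraph above (how often, by what risk, with what capacity) are the three parameters of the scheduler.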

Passwords: They’re not dead yet

2016 will not be the year that passwords disappear. It will be the year that multifactor authentication gains momentum, with passwords remaining one of those factors.

We are familiar with the shortcomings of passwords: They do not scale well either for users or enterprises, and even strong passwords are subject to cracking, theft or social engineering. But their strengths are that they work and there is a ubiquitous infrastructure in place to support them. There are some experiments with eliminating passwords completely (Google, for instance), but on the whole these do not seem any more convenient or secure by themselves than passwords.

The answer, at least for the foreseeable future, is adding additional authentication factors to the current user-name-and-password scheme. Biometrics and out-of-band confirmation via phone are two popular choices at the moment. None of these is perfect, but combined they can provide access control that is much stronger than the sum of the parts.
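The following is an added example of the combination the paragraph describes, a password plus an out-of-band code sent to the user's phone; it is my own illustration, not code from the column or from Google or any vendor it mentions. The `send` callable is a hypothetical stand-in for an SMS or voice gateway, the iteration count, code lifetime and attempt limit are assumptions chosen for the example, and the user record is constructed. Biometrics are not modeled.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumption for the example; tune to your hardware
CODE_TTL_SECONDS = 300        # a code stays valid for five minutes
MAX_CODE_ATTEMPTS = 3         # wrong guesses allowed before the code is discarded


# Factor 1: something the user knows. Stored as 16-byte salt + PBKDF2-HMAC-SHA256 digest.
def hash_password(password: str, salt: bytes = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Hash compared against for unknown user names, so a login attempt takes the same
# time whether or not the name exists.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class Authenticator:
    """Password plus an out-of-band one-time code delivered to the user's phone.

    `send(phone, code)` stands in for an SMS or voice gateway (hypothetical; the
    example only records what would be sent). `now()` is injectable so expiry
    can be exercised without waiting.
    """

    def __init__(self, send, now=time.time):
        self.send = send
        self.now = now
        self.users = {}     # name -> (password_hash, phone)
        self.pending = {}   # name -> (code, issued_at, attempts_left)

    def register(self, name, password, phone):
        self.users[name] = (hash_password(password), phone)

    def begin_login(self, name, password):
        """Step 1: check the password; on success issue a code out of band.
        Returns True if a code was sent, False otherwise (the same answer for a
        wrong password and an unknown user, so names cannot be enumerated)."""
        record = self.users.get(name)
        stored = record[0] if record else _DUMMY_HASH
        password_ok = verify_password(password, stored)
        if record is None or not password_ok:
            return False
        code = f"{secrets.randbelow(10**6):06d}"     # 6 digits from a CSPRNG
        self.pending[name] = (code, self.now(), MAX_CODE_ATTEMPTS)
        self.send(record[1], code)
        return True

    def finish_login(self, name, submitted):
        """Step 2: check the code. It is single-use, expires after CODE_TTL_SECONDS
        and is discarded after MAX_CODE_ATTEMPTS wrong guesses, so a six-digit
        code cannot simply be brute-forced online."""
        entry = self.pending.get(name)
        if entry is None:
            return False
        code, issued_at, attempts_left = entry
        if self.now() - issued_at > CODE_TTL_SECONDS or attempts_left <= 0:
            del self.pending[name]
            return False
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self.pending[name]          # single use
            return True
        self.pending[name] = (code, issued_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    outbox = []   # captures what the hypothetical gateway would send
    auth = Authenticator(send=lambda phone, code: outbox.append((phone, code)))
    auth.register("alice", "correct horse battery staple", "+1-555-0100")   # constructed user
    print("password ok, code sent:", auth.begin_login("alice", "correct horse battery staple"))
    phone, code = outbox[-1]
    print("login complete:", auth.finish_login("alice", code))
```

The point of the combination is visible in the two checks: a stolen or cracked password alone stops at `begin_login`, because the code goes to the phone; a guessed or intercepted code alone is useless without first passing the password check, and even then it is good for one use, a few minutes, and three tries. An attacker who controls the phone number (SIM swap) defeats the second factor, which is why the column calls the combination stronger but not perfect.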