At the risk of repeating myself (and contradicting the late Yogi Berra), making predictions about the future is easy. At the time they are made, one is as good as another. It is only later that the wheat can be separated from the chaff.
With 2016 drawing to a close, it’s time to sift through my predictions for 2016 to see how I did. Admittedly I lobbed myself a few softballs, but the wheat-to-chaff ratio looks pretty good. Okay, I’m mixing metaphors now. Let’s just go straight to the fact-check.
Cyber insurance: An opportunity
I predicted that the cyber insurance market would begin to mature, which could result in “a more professional, risk-based approach to cybersecurity.” I was close on this one, but no cigar—yet.
The market for cyber risk insurance has certainly grown. According to the Insurance Information Institute, more than 60 carriers now offer cyber policies, with estimated premiums of $3.25 billion in 2016. There are estimates that this market could more than double. But there appears to be more growth than maturity and there is little evidence that the insurance industry is reshaping cybersecurity. According to the institute, some observers fear the industry cannot adequately underwrite the potentially massive risk.
I still am optimistic that the insurance industry can have a positive impact on cybersecurity. But how it will play out remains to be seen.
The Internet of Things: A challenge
This was a no-brainer.
I wrote that the rapid expansion of the IoT would present an expanding attack surface and that “this largely unsecured and unmonitored expansion will provide a playground for hackers, hacktivists, criminals and nations.” That came true with a vengeance in October, when the IoT was used as a platform for distributed denial-of-service attacks targeting the DNS provider Dyn, blacking out more than 1,000 sites, including popular destinations such as Amazon, Twitter and the New York Times.
The Mirai worm responsible for this attack is still spreading, and given the huge installed base of unsecured devices and the tendency of designers to focus on function at the expense of security, this is likely to get worse before it gets better.
Continuous monitoring: Looking for a definition
The term “continuous monitoring” can be interpreted many ways, and I said that organizations would have to come up with appropriate definitions in 2016 for their networks. Once again, this was an easy prediction to get right.
With their customers facing government requirements and private sector best practices, security vendors are responding with products and services to help them create monitoring programs. The buzzwords of the year have been “visibility,” “awareness” and “automation.” Not everyone is monitoring their networks continuously, but there is a real move to replace static defenses with platforms that can gather, collate, analyze and quickly respond to large amounts of security data.
Passwords: They’re not dead yet
I predicted that “2016 will not be the year that passwords disappear.” And I was right. They still are with us.
I also predicted there would be an increase in the use of two-factor authentication, with the username and password remaining one factor. Biometrics and out-of-band confirmation have become more common second factors. Although passwords will not go away soon, the area in which they are disappearing most quickly is mobile devices. Passwords are even less convenient without full keyboards, and as more devices come equipped with biometric readers, service providers and users are beginning to eschew passwords completely.
Eventually this trend will make its way to stodgy laptop and desktop users. But it is likely to take a while.