From Our CEO: 5 Security Predictions for 2015
What to expect from the security landscape in 2015
As we start the new year, I would like to give you my view on which key IT security events we see as relevant for 2015 and what we guess you, as a CEO, CIO, CISO or private user, can expect for the coming year. Are these events connected? Yes, most certainly.
Leaving 2014, we look back on a year that set records for data breaches, financial losses and the Internet of Things, which is actually the Internet of vulnerabilities. The Internet is no longer a place where you can use your private data and expect it to be safe. Personal information is becoming widely available because it is so frequently stolen from the large corporations where you use it. Hospitals get hacked and hackers obtain your social security number; Sony Pictures gets hacked and they reach your e-mail address and maybe your credit card details; The Home Depot and Staples suffer data breaches and they access your leaked e-mail address and credit card information. A lot of other services are compromised as well. Every time a major data breach occurs, online criminals steal confidential information about you, and this trend of hacking is only accelerating.
For private users, this trend indicates a direct connection between the private consumer space and the space where you consume your data: your personal data is simply being used and sent in more and more online locations. For corporations the key problem is two-sided. Corporations need to protect consumer data, but they also need to protect corporate classified information, such as product information, key technologies or similar sensitive data.
I have decided to go into detail about 5 topics, which I will now take you through.
5 Security Predictions for 2015
1. Which companies can we expect to see targeted in 2015 and why?
Looking at the current world map, with political tensions between many countries, a few obvious areas spring to mind. Large companies residing in Europe, the US, China and North Korea will have to be extra mindful about their security in 2015. Narrowing that down further and looking at industries, some obvious picks are the usual private or public infrastructure organizations such as hospitals, public tax services and power supply systems, but the new trend will most likely be a very clear downshift in the size of companies targeted.
Naturally, major hacks such as Sony Pictures or Home Depot will gain hackers more user credentials, credit card data or personal information than smaller hacks of companies such as Quicken Loans or Zappos.com, but I personally see the trend shifting towards smaller, more targeted hacks rather than large-scale ones. Large companies are likely to tighten security faster than smaller companies.
The rule of “low-hanging fruit” will continue to apply. Any large corporation with mass customer data or access to specialized knowledge will continue to be a target. Even larger corporations with high investments in information security should also consider heavily increasing their employees’ security. This especially applies in the multinational corporation space, where employees may have access to data within many business units and therefore may be very susceptible to outside bribes. Data is never safer than the employees that use it, or than the endpoint on which it is being accessed.
2. What key security trends will 2015 bring?
The Internet security market is currently trending towards accepting that you will at some point get hacked and focusing on what to do when that happens. Accepting that you will at some point get hacked is, in my view, totally unacceptable, but planning for it is naturally a good idea.
Looking at the trend for 2015, I think it is a safe bet that consumers will get tired of companies that are unable to secure their customers’ privacy due to IT security flaws. Just recently, Xbox Live and Sony PlayStation had problems operating their online services due to hackers, which in the long term will be unacceptable for any user. In my view, the clear number 1 security trend is, therefore, going to be that companies must be able to maintain operational and safe services for their customers. Thinking that you can stick to preparing for what to do when you get hacked is just like saying “the boat is going to sink at some point, so we just need to prepare for when that happens”.
This trend also puts clear pressure on the CEO to prioritize and get into the details of IT security more than ever before. Being hacked or losing service will impact company market value and profitability. As a CEO you might find this other article from us a relevant read.
Looking more into trends seen from a hacker’s point of view, I think it is again a safe bet that not only will hacks be more widespread, but, as mentioned, they will also go down in company size. The target will still be chosen according to its financial performance, such as sensitive personal information (credit cards, credentials or social security numbers) or valuable corporate data, such as technological info, facts, and figures. As is the case today, the rare attack will be of the “sportive” kind, hitting amusement services similar to PlayStation Network or Xbox Live, but this year spreading out to Steam, battle.net or similar services.
3. What penetration method will hackers employ in 2015?
Hackers are humans just like the rest of us. Going for the lowest-hanging fruit is just as natural for them as it is for everybody else. If you see a hole in the fence, why not use that rather than battering the main gate? The larger the corporation, the more employees are liable to be angry at the company, to be susceptible to bribes or to have their passwords compromised, whether at airports, by spying or through similar threats. The company’s top management at C-level will also remain an obvious target for hackers, especially since they often see themselves as excused from following the company’s password rules or laptop policies.
As stakes increase in the hacking game, we can also expect the complexity of hacks to increase. The natural head-on hack will continue, but the use of more complex spear phishing and targeted malware attacks will certainly increase as well. By targeted malware I mean that hackers will develop and deploy malware built to be used against specific companies, rather than running large botnets.
4. What can companies do to prevent these new attacks in 2015?
Although it is a troublesome task, companies must increase their checks on employed personnel and increase password rotation frequencies. Tightening your company’s security policies relating to the use of corporate e-mails and passwords outside the corporate environment is also a very good idea.
Furthermore, subscribing to a password leakage service will be a new key trend for 2015, just as companies subscribe to traffic filtering, attack monitoring or similar services. Monitoring whether company e-mails or passwords are flowing through the Internet of vulnerabilities will be a new key preemptive trend. Although it won’t stop any targeted attacks, it will be able to alert you when your employees’ passwords or credentials have been leaked in another hack, which wasn’t necessarily targeted at your company.
If you have never heard about this type of service, then don’t despair. It is a new trend, which Heimdal is currently offering free of charge on a 1-to-1 basis. You can try it on our website, under Data leakage, in the top right corner. Heimdal is currently developing this service as a corporate offering, which will be available in Heimdal Corporate in 2015.
Finally, companies in general need to increase their security levels. We are not only talking about strengthening password policies or intensifying checks on personnel; for some companies there is a fundamental need to take security seriously. Larger corporations need to invest in a quality traffic scanning tool, patching software, a quality-grade firewall and a good antivirus service. Smaller companies can maybe just start with patching, a quality-grade firewall and antivirus software.
5. What can private people do to keep their data safe?
Increasingly, as a private user you need to consider where you use your personal information. You need to limit your use of sensitive financial data, such as credit cards, social security numbers or login credentials, to secure websites that you know to have a high IT security level.
In some cases you can get around the credit card information problem by setting up a Bitcoin account and paying with Bitcoins instead. Unfortunately, Bitcoins are not currently widely accepted, so that is only a partial solution for now. But Bitcoin accounts are not directly connected to your personal information and therefore work as “pseudo” accounts. Additionally, Bitcoin accounts have the benefit of only being “rippable” for their contents: there are no overdraft limits or additional credits which can be ripped as well. Here’s the best guide on cryptocurrency security and why you should pay close attention to it.
As for your social security number, address and login credentials, there is no way around it. You simply have to be careful where you use them.