10 Cybersecurity Lessons Learned In 2015
Here's A Free Lesson
2015 was yet another exciting (and terrifying) year for the security industry. Growth for the market is astronomical, with worldwide information security spending expected to hit $75.4 billion by the end of the year, according to Gartner. At the same time, the threats have become more serious than ever with a continued onslaught of breaches across every industry. As we advance into 2016 and prepare for what will likely be an even bigger and more impactful year for the security market, let’s reflect back during CRN’s annual Cybersecurity Week on some of the lessons we can take away from 2015.
10. Point Solutions Aren’t Enough
Amit Yoran, president of RSA, opened the RSA Conference with a bold proclamation: The security industry is losing the fight against attackers and will continue to lose unless a new approach is taken. Instead of building bigger walls with more and more point solutions, Yoran said the security industry needs to focus on visibility, identity and authentication, threat intelligence, integrated solutions and a stronger prioritization of resources around key areas. That move away from traditional perimeter-based technologies is a trend that has echoed throughout the year, with almost all security professionals CRN spoke with in the past year agreeing that more types of solutions are needed to win the security fight.
9. Security Problem Isn’t Going Away
What’s clear from 2015 is that the security problem isn’t going away and, if anything, it’s getting worse. In 2015, there were 184 breaches made public, according to the Privacy Rights Clearinghouse, with incidents spanning all industries. Notable breaches from the year included the Office of Personnel Management, Experian, Anthem, Premera, CareFirst, Planned Parenthood, and many more. The continued onslaught of breaches has helped push breach preparation and incident response to the forefront as executives recognize the likely inevitability of a breach, Bob Shaker, senior incident response manager at Symantec, said.
"More and more boards and executives are seeking out assistance to create incident response programs and plans, hold tabletop exercises and train their teams to proactively take steps to be ready to respond to compromises and, if they turn into breaches, reduce the overall impact," Shaker said.
8. Third Parties As Attack Vectors
It isn’t just your own environment that’s at risk -- third-party vendors can present a massive risk, as well. Big breaches that have become synonymous with the security threat, including Target and Home Depot, as well as some of the biggest breaches of 2015, including OPM, Experian and the Army National Guard, have been the result of third-party security breaches. Citing the 2015 Verizon Data Breach Report, which found that 70 percent of attacks have affected a secondary victim, BitSight CTO Stephen Boyer said the impact of third-party attacks is a trend that will continue from 2015 into the years to come.
"2015 has proven that attackers are targeting vulnerable third parties and are using those third parties as a springboard to broader ecosystem compromise," Boyer said. "In the years ahead, it will become increasingly important to not only monitor your company’s internal security posture, but also to manage the risk and security practices of third-party vendors."
7. Focus Needs To Be Inside As Well
While much of the security industry focuses on protection from outside threats, it is important to also protect against insider threats, Piero DePaoli, senior director of global product marketing for enterprise security at Symantec, said. According to the Verizon Data Breach Report, 20.6 percent of all attacks are due to insider misuse, with an additional 15.3 percent coming from device theft or loss.
"Employees can often be an organization's biggest threat both maliciously and accidentally. They might intentionally attempt to steal data and can also fall victim to realistic-looking phishing scams and unintentionally expose company information. That’s why it’s especially important to continually educate employees on cybersecurity and company policy," DePaoli said.
6. The Need For IoT Security Is Here
Internet of Things devices are starting to hit their stride in the mainstream market, making the security threat around IoT more real every day, said Lee Weiner, senior vice president of products and engineering at Rapid7. That understanding came to the forefront for many business and consumer users in 2015, with vulnerabilities revealed in connected cars, child gaming devices, baby monitors, Barbie dolls, rifles and more.
"I think in 2015 people started to realize that this is a real risk and a real issue," Weiner said. "I think we can make some progress in 2016, but we have a long way to go."
5. Boards Are On Board
In 2014, the conversation around security started to become a board of directors-level issue. That trend has accelerated in 2015, Rapid7’s Weiner said.
"The board is really asking the management teams about cybersecurity and cyber-risk. That’s something they didn’t do before," Weiner said.
In particular, Weiner said the boards of directors are looking to educate themselves and get smarter about security decisions. Driving that shift is a recognition that security challenges are here to stay, and prevailing industry examples of the direct impact a breach can have on a company’s reputation, finances and top executives, Weiner said. That’s a trend that Weiner said he expects will only accelerate in 2016.
4. Visibility Need At All-Time High
2015 showed a heightened need for visibility into a company’s environment and potential vulnerabilities, Mike Pittenger, vice president of product strategy at Black Duck, said.
"You need visibility into weaknesses in your defenses -- this is obvious, but often not practiced," Pittenger said.
That includes visibility into devices, software and more. That threat is complicated, experts said, as the Internet of Things and BYOD exponentially increase the number of devices on the network, and Software-as-a-Service applications make it easier than ever for more sanctioned and unsanctioned software to enter the environment.
3. Legislative Bumpy Road Ahead
The past year has demonstrated that the industry is in for a "bumpy" road for legislative action around cybersecurity and data privacy, Hugh Thompson, CTO at Blue Coat, said. 2015 has included the striking down of the US-UK Safe Harbor agreement, metadata retention rulings, data sovereignty decisions in Europe and other regions, the Cybersecurity Information Sharing Act and, most recently, a renewed debate over encryption after the Paris terrorist attacks. Those events and legislative actions have put increased awareness on compliance, woken up companies to the need to pay attention to how, and where, technologies are deployed, and emphasized the need for agility in deployment going forward, Thompson said.
2. What Do You Do With Data?
While replaceable credit cards have often been the breach targets in years past, 2015 delivered a new tone of data theft, turning to information with long-term impact that cannot be changed, such as health records and Social Security numbers, and even data that could damage a reputation, as in the Ashley Madison breach.
"I think that what we’ve learned is we don’t yet know about how we deal with data that cannot be erased," Blue Coat’s Thompson said. "We will discover it in 2016." That includes an increased emphasis on data protection technologies, cloud access security brokers and vertical market spend, Thompson said.
1. Lots Of Money To Be Made For Solution Providers
One thing that has become more clear than ever for solution providers in 2015 is that security is presenting a huge opportunity for their business.
"It’s growing faster than any other [total addressable market] that I know of inside the tech space," Blue Coat’s Thompson said. "If that’s the case and [solution providers are] planning their business, it’s a natural area of focus for them to explore to think about building up a team of expertise and relationships."
Solution providers in 2015 started to do just that. For example, Matt Johnson, CEO of Raven Data Technologies, realigned his entire managed services business around security (the business is now called Phalanx Secure). Now, Johnson said the business is growing more than 300 percent year over year.