David Ferbrache, technical director in KPMG’s cyber security practice, highlights the cyber security trends that he expects to develop during 2017.
Privacy will dominate the corporate agenda
The European Union General Data Protection Regulation (GDPR) is less than 18 months away – and privacy has suddenly made it to the top of the corporate agenda – not just in Europe. The GDPR tilts the scales in the direction of the European citizen, requiring explicit consent to process, store and transfer their personal information. Data breaches suddenly become more transparent with strict notification requirements, and potential for punitive fines of up to 4 percent of global turnover for the most serious events.
Balkanisation of the Internet will gather pace
Balkanization is a geopolitical term, originally used to describe the process of fragmentation or division of a region or state into smaller regions or states that are often hostile or uncooperative with one another [Wikipedia]. More and more countries are regulating cyberspace – often with conflicting and contrary approaches. Firms are struggling to keep up with restrictions on how data can be handled, what nations expect in the way of compliance, and the limitations on cross border transfers. Suddenly big data seems less attractive – without the metadata to ensure that legal and policy obligations around data handling can be respected. Data centric security has never mattered more.
Countries find themselves cyber targets – and become more aggressive in defending their cyberspace
The Mirai botnet has shown just how damaging distributed denial of service attacks can become, as we saw the largest ever attacks in autumn. Attacks of this scale risk destabilising the Internet and the infrastructure which supports it. Active defence has moved up government agendas as countries work with telecommunication firms to provide more robust national defences against alleged State attacks and organized cyber crime, heralding a new relationship between government agencies and commerce. Takedowns and blocking operations aimed at cyber criminals will become more frequent, and more rapid.
Cyber crime becoming industrialized
Cyber crime has been big business for many years, but 2017 will see an industrialization of cyber crime exploiting cheap labour and increasingly sophisticated tools for bespoking attacks. CEO frauds and business email compromises will continue to dominate the landscape but with increasingly sophisticated targeting of firms and their employees by criminals who scour social media for intelligence. Ransomware continues to make criminals money, and will become smarter and more targeted as the year progresses supported by a crime as a service underground economy.
Attackers look for the weak points in our international financial system
The well-publicised Bank of Bangladesh attack has come and gone. Attackers are looking for weak points in our interconnected financial system exploiting the trust between institutions to find ways to transfer funds and cash out. International financial institutions will try to raise the bar on bank security worldwide, but attackers will look for new targets shifting their focus to e-retail and to new payment channels using APT style tactics. Cyber criminals are getting savvier about how to make money.
Cloud security comes of age
Cloud services have finally grown up and have recognized the need to provide clients with the functionality they need to implement effective security and compliance solutions. A well-managed cloud environment can offer levels of security and resilience which many organizations would struggle to replicate internally, and even in regulated industries ‘cloud as the first choice’ has become the mantra.
Executives demand certainty – sometimes where there is none
Cyber security programmes have been well established in big corporates. Executives are now holding their CISOs to account to explain what has been achieved by their investments, occasionally demanding unreasonable certainty. Suddenly, the challenge has become just what does money buy you in reducing the impact and ideally the likelihood of a cyber breach – and just where does cyber insurance figure in that decision calculus. Boards are getting the fact that getting the basics right matters, but so does being ready to respond to an increasingly inevitable cyber breach.
Breaking down the barriers
More and more firms will realize that their internal stovepipes aren’t helping to tackle cyber crime – fraud control and cyber security still seem poles apart. One deals with criminals, customers and money; the other with attackers, computers and data. But they are the same in our digital world. Realization arrives that ultimately it is all about protecting the business, and cyber criminals are just another competitor – ruthless and rational entrepreneurs in their own right.
The Internet of Insecure Things
We carry on networking our world and being surprised about just how basic the security around some of devices really is. Expect 2017 to bring more and more examples of misconfigured devices, default passwords, obsolescent operating systems and out of sight devices that people just don’t think of as computers. While some of these attacks will be amusing and quirky, 2017 will bring a few examples which make us realise just how dependent our modern world has become on hidden computers.
Passwords will be a thing of the past
This year will hopefully be the year that blind reliance on passwords ends. The security community and the business community are starting to realise that they need a more sophisticated approach to authenticating people and their actions. One which uses multi-factor authentication (including biometrics), behavioural analysis and contextual information to make judgements on whether the user really is who they say they are; and just how risky their attempted transaction really is.
The author
David Ferbrache is technical director in KPMG’s cyber security practice. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. It operates in 155 countries and has 189,000 professionals working in member firms around the world.
