Based on feedback received in 2015 – which once again was marked by attacks, whether publicized or not, and also by significant advances with respect to cybersecurity – here are a few predictions for 2016.
Security Risks for Connected Objects Will Exceed Simple Privacy Protection
2015 showed that numerous connected objects are not properly protected, be they children’s toys that were remotely hacked, baby monitors that were open to strangers’ eyes and ears… Several experiments even proved that it was possible to hack a car with a view to remotely stopping and starting it. To what extent can you remotely control a vehicle and how easy is it to do so? It’s no longer just a question of keeping our data confidential, but also a question of people’s physical safety.
And what about the connected “wearables” market? Watches, bracelets and T-shirts all measure their wearers’ vital data so as to adjust their physical exertion limits, to ensure close medical monitoring or to alert the emergency services if something goes seriously wrong. What would be the consequences if an attacker managed to modify or delete the information collected in this way?
Privacy protection and data confidentiality are only one aspect of the risks involved in using connected objects that are either poorly secured or not secured at all. Without dwelling on the worst-case scenario, it is easy to imagine how the hacking of vulnerable objects would quickly lead to the first incidents affecting people’s physical safety. In 2016, it will become essential for manufacturers to take steps to strengthen the security of the objects they are developing.
Industrial Environments Will Become More Secure… But Remain Highly Exposed
The opening up of industrial networks – which previously operated in a completely isolated and closed way – and the use of the IT world’s technologies in these environments are creating new challenges for cybersecurity. Since Stuxnet, numerous industrial installations have also been targeted by cyber attacks, some of which ended up causing equipment damage or service disruptions. It is unfortunately likely that, in the current climate, these infrastructures are a prime target and will be attacked again in 2016.
However, 2015 brought a real awareness of the security of industrial infrastructure – as was reflected in the establishment of dual-competence Industrial Technologies (OT) / Digital Security teams or in the broadening of IT security teams’ responsibility toward industrial environments. A number of large-scale projects will be launched in 2016 with logical segmentation as a primary objective, achieved by controlling the flows between IT and OT networks and improving the visibility of any exchange between these two worlds.
Toward the Generalization of Ransomware
2015 saw an explosion in the type of malware known as ransomware (such as CryptoLocker or CryptoWall). Indeed, it accounted for almost $20 million in total in ransoms and damages associated with data loss following improper encryption… This threat has affected both Internet users and companies of all sizes, operating in all industries.
The phenomenon could get even worse in 2016 as new programs targeting operating systems other than Windows emerge. Ransomware-type malicious code – particularly the Moose malware – already exists for the Mac OS X or Linux environments, and could develop rapidly over the coming months.
In addition, having proven their agility in developing new variants of ransomware and other polymorphic malware, the developers of such malware will continue to get around protection systems based exclusively on signature strategies – such as antivirus – fairly easily.
Banking Data and Systems Will Remain a Prime Target for Cybercrime
Carbanak, Dridex and even Poseidon hit the headlines in 2015. These malware families and attacks – which target payment terminals, the workstations of people who use online banking services and central financial systems – are still developing extensively. The chronic lack of security of point of sale (PoS) terminals makes intercepting payment data easy. According to Verizon, attacks on these terminals have even become the leading cause of banking data theft (28.5%).
Given the lucrative nature of this type of data theft and the ease with which data can be resold on the Darknet’s marketplaces, banking data will continue to be a prime target in 2016…
Better Security for Cloud Services
Although the disparity between Europe and the United States remains considerable, the rate at which Cloud services are adopted will continue to increase. Spending on Cloud infrastructures and applications will grow by an annual average rate of 15% between 2015 and 2019. In addition to maturing offerings, this development will also go hand in hand with better service security.
To lift the constraints associated with data protection, suppliers of Cloud solutions (such as telecommunication operators) will improve the protection level of the services they provide by offering on-demand security services.
The implementation of such services will increasingly be based on virtualized network functions (network function virtualization, NFV). These virtualized environments will, indeed, ensure that security services are automatically deployed and configured on a large scale.
Strength in Numbers
We are currently facing an unprecedented level of cybercrime, which benefits from enormous resources that allow for the development of ever more sophisticated attacks that are increasingly difficult to detect. If an appropriate and continually effective response to this growing digital threat is to be offered, cybersecurity players must join forces. Collaboration between states, watch and warning centers (CERTs), and security solution and service providers must, therefore, continue to organize and develop, while transcending competitive considerations…
A number of collaborative initiatives have already emerged: take the Phishing Initiative – which is establishing closer links with Lexsi, Microsoft and PayPal – or the ThreatExchange platform on Facebook, for example. Given the scale of the threat, directly competing suppliers can be expected to announce major collaborative relationships in 2016.
Protecting Personal Data: a Challenge for 2016
In October 2015, following the PRISM program scandal revealed by Edward Snowden, the Court of Justice of the European Union invalidated the Safe Harbor framework that enabled the transfer of personal data from Europe to companies in the United States, provided that such companies undertook to respect a certain number of European obligations.
Pending the implementation of a Safe Harbor 2, the use of Cloud services that are hosted in the US and that collect personal data risks coming under intense scrutiny in 2016, even if there are other, more complex ways of guaranteeing this type of data transfer.
Furthermore, the General Data Protection Regulation (GDPR) – the reform of European legislation on data protection – should be approved in 2016 for implementation in 2017. With this new legislative framework, companies that have had personal data stolen (whether it concerns their employees or their customers) will be fined up to 5% of their turnover. To prevent this type of thing from happening, European companies will, from 2016 onwards, roll out on a massive scale encryption solutions that will make such personal data illegible and inaccessible.