2015 was the year the tipping point was reached with regard to public awareness of hacking, data breaches and cybercrime. Hardly a week seemed to go by without another high-profile breach hitting our TV screens. At times it felt like a coming of age: CEO Dido Harding confessed on camera to not knowing whether or not stolen customer data was encrypted, and the Ashley Madison hack taught us that our ‘digital exhaust’ just got dirtier.
Whether it’s as a consumer, end-user, or potential ‘insider-threat’, the human factor moved centre stage in 2015, with seven out of the top ten vulnerabilities being identified at end-user level. We predict that every security professional will be dealing with security culture and behavioural change in one form or another throughout the coming twelve months, so here are our thoughts on the top trends to look out for:
1. The role of the Security Chief will include risk and culture – No longer just a tech lead, the security professional is now both a business risk leader and security culture advocate. What we have discovered in all the organisations that we have worked with over the past year, is that the key to the success of a positive security culture comes down to knowing who the people are, in your business, who share your passion for positive security. Very often these ‘unsung heroes’ of security are fulfilling job roles unconnected with the official security structure but they are, for example, informally educating people in their department about security, or talking about the breaches in the news, or passing on good practice tips. Finding these allies is a key strategic aim which every security professional needs to have high on his/her to do list, because they can help to start the conversations that grow security culture across the organisation.
2. Process, process, process will become a fundamental aspect of your security strategy – Bruce Schneier said it back in 2000 and now it’s more of an issue than ever. Technology has been demonstrated to be, at best, a partial defence against data breaches, but processes that recognise the instability of any product are critical to effective protection. The 2015 Global Threat Intelligence Report (NTT Com Security) discovered that 76% of vulnerabilities identified had been known of for more than two years and 9% of vulnerabilities were over ten years old. Constant housekeeping requires more than a yearly audit; it needs an engaged security culture committed to an ongoing processual evolution in the service of protecting valuable data. You need people who care about security across the business to do that.
3. Phishing/Data Harvesting will grow in sophistication and catch out even more people – We can all agree on this one: phishing ain’t going away! What’s different about the phishing threat in 2016 is that the personal data available for harvesting is going to grow (thanks to the IoT market) and the nature of that data will become more intrusive, and therefore more valuable. The black market rate for data is soaring, thanks to the ever-more inventive uses it’s being put to in the construction of social engineering or spear phishing attacks, and that means that attacks on end-users will become increasingly sophisticated. It’s time to recognise that the development of good security behaviours is as important to productivity as speed and efficiency – and that means ditching the ‘carrot and stick’ approach in favour of collaboration across the organisation in pursuit of long-term goals.
4. The ‘Insider Threat’ continues to haunt businesses – There’s been some confusion about this term over the past year; what was once the term used to define a rogue, grudge-bearing employee has grown incrementally to include anyone with access to potentially valuable data. Whilst not being a particularly helpful shift, this redefinition of the ‘insider threat’ demonstrates awareness that the more valuable data becomes, the more of a temptation it becomes for low-paid workers to ‘sell’ access to it. Rather than shooting the starting pistol on a witch-hunt, however, we would urge businesses to invest in the development of a cohesive security culture, built on conversation, and nurtured by security advocates across the organisation. A security culture is built on values such as trust, pride in one’s work, defence of the common good; it encourages the very best instincts in employees and provides an organisation-wide surveillance team who are rather more user-friendly than the tech products currently being touted to do the job.
5. Internet of Things and Digital Exhaust will render the ‘one policy fits all’ approach defunct – As the market for IoT products grows, so will the need to regulate and manage the range of operating systems carrying our data. The McAfee Labs 2016 Threat Predictions report suggests that we are entering an era in which our personal digital data will include: frequently visited locations, what we eat, watch, listen to, our weight, blood pressure, prescriptions, sleeping habits, daily schedule, and exercise routine. The democratisation of mobile communications has been difficult enough to manage to date, but the most recent reports predict that the number of individual operating devices will grow incrementally, producing more and more ‘digital exhaust’. The ‘one policy fits all’ approach is no longer operable in this scenario and organisations will find it difficult to enforce the use of company devices. One possibility for its replacement is a cultural security working practices document which is developed collaboratively and recognises the values and responsibilities of employees across all their devices.
So – what are your security culture predictions for the new year? Let us know, we’d love to read them.
Layer 8 Ltd is committed to developing positive security cultures and instigating effective behavioural change. The Layer 8 Toolkit® provides organisations with a range of hands-on tools to raise security awareness, test security behaviours, start security conversations and identify the advocates who will grow change across the business.