In the waning days of 2016, we look back on another year of the data breach pandemic engulfing enterprises and governments worldwide.
Breach after breach hit organizations in all industries and sectors. Mammoth thefts of personal data, hacked financial systems, and compromised communications cost us billions and allegedly shaped the outcome of the US presidential election.
Will 2017 see more of the same?
Or will it be the year that finally changes our approach to cybersecurity?
Here are some predictions of what 2017 will have in store for us.
The Single User Steppingstone
This week the US Department of Homeland Security and the Federal Bureau of Investigation released a report outlining the attack vectors believed to be used by Russia-backed attackers to compromise a US political party.
While more evidence and details are to be released in coming weeks, the attack vector described in the report comes as no surprise to anyone in the security industry. A single user was compromised through a phishing attack. Then attackers moved laterally from system to system to harvest sensitive data.
This vector, with slight variations, has featured prominently in virtually every major data breach for the past five years.
This vulnerability is so widely exploited because most security architectures are based on a badly outmoded Trust Model. The broken Trust Model grants implicit trust to certain networks or systems, and withholds it from others, based solely on whether you own or control the network or system. Once an attacker is inside a trusted network, that model offers little resistance to lateral movement.
We predict in 2017 security architects will launch major redesigns to implement modern approaches to access control that recognize no network or user can be implicitly trusted. This hopefully will go a long way toward blocking the single compromised user attack vector.
Cybersecurity in the C-Suite & Board Level
The need to rethink security designs will become even more urgent in 2017 as enterprises around the world grapple with increasingly stringent regulations around cybersecurity.
The most prominent of these is the European Union’s General Data Protection Regulation (GDPR). The GDPR is a mandate that companies handling an EU citizen’s personal data must take effective measures to protect it or face stiff fines. Going into effect in 2018, the GDPR will drive companies that want to do business in the EU to modernize their security controls in 2017.
The days of subpar investment in cybersecurity controls and protections are over. Strong regulatory mandates now mean that cybersecurity topics have increased visibility in the board room.
We expect cybersecurity reboot projects and these compliance mandates to become dominant features in the risk management plans in organizations across all sectors in 2017.
The Age of ‘Zero Trust’ Dawns
It has been talked about for many years, but the concept of a “Zero Trust” security strategy will finally hit the mainstream in 2017.
Increased risk, financial impact, penalties and awareness will lead enterprise security architects to abandon the obsolete notion that any network or system can be implicitly trusted.
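To make the contrast between the infrastructure-based Trust Model and a Zero Trust design concrete, here is an added example (not code from the original post or from any vendor product it mentions). It models two access-decision policies: a legacy one that trusts any request originating inside a corporate address range, and a Zero Trust one that verifies identity, device state and per-resource entitlement on every request regardless of network location. The network range, user names, device attributes and entitlement table are all constructed for illustration, as is the "compromised user" scenario that shows why the first model fails to contain the single-user steppingstone described earlier.

```python
"""Access-decision simulator: perimeter trust versus Zero Trust.

Added example; every value below is constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed: the "inside" address range the legacy model trusts.
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed entitlement table: which identities may reach which resources.
ENTITLEMENTS = {
    "alice": {"payroll-db", "wiki"},
    "bob": {"wiki"},
}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    authenticated: bool    # strong authentication (e.g. MFA) completed
    device_managed: bool   # device enrolled and reported compliant
    resource: str


def perimeter_model(req: Request) -> bool:
    """Legacy Trust Model: location is the only signal.

    Anything that arrives from inside the corporate network is allowed,
    so a single compromised workstation inherits access to everything.
    """
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_model(req: Request) -> bool:
    """Zero Trust: no network or user is implicitly trusted.

    Every request must carry a verified identity, come from a managed
    device, and be explicitly entitled to the specific resource. The
    source address plays no part in the decision.
    """
    if not req.authenticated:
        return False
    if not req.device_managed:
        return False
    return req.resource in ENTITLEMENTS.get(req.user, set())


def evaluate(req: Request) -> dict:
    """Return both models' decisions for one request, for side-by-side review."""
    return {
        "perimeter": perimeter_model(req),
        "zero_trust": zero_trust_model(req),
    }


def scenarios() -> dict:
    """Constructed scenarios showing where the two models diverge."""
    return {
        # A phished user's workstation inside the network reaching for data
        # the user was never entitled to: the lateral-movement step.
        "compromised_insider": evaluate(
            Request("bob", "10.1.2.3", True, True, "payroll-db")
        ),
        # An entitled user on an unmanaged (possibly attacker-controlled)
        # device inside the network.
        "unmanaged_device_inside": evaluate(
            Request("alice", "10.4.5.6", True, False, "payroll-db")
        ),
        # An entitled user, strongly authenticated, on a managed device,
        # but connecting from outside the corporate range.
        "legitimate_remote": evaluate(
            Request("alice", "203.0.113.9", True, True, "payroll-db")
        ),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} perimeter={result['perimeter']!s:5s} "
              f"zero_trust={result['zero_trust']}")
```

The point the scenarios make is the one the post argues: under the perimeter model the compromised insider is allowed and the legitimate remote worker is refused, which is exactly backwards, while the Zero Trust policy reaches the right answer in all three cases because it never consults network location at all.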
Forrester Research has long advocated this approach, based on its analysis of the fundamental flaws in infrastructure-based Trust Models.
Google has likewise advised enterprises to adopt Zero Trust security. In the wake of devastating breaches in federal agencies, the US Federal Government is also going Zero Trust.
The challenge with any new approach to IT is how to get started. Many of our customers have embraced the new Zero Trust strategy using our solutions that allow you to adopt Zero Trust without affecting your current infrastructure or applications.
We expect 2017 will see many more examples of how Zero Trust is taking hold. For companies and governments that are serious about reducing data breach risk, it is a question of when – not if – they will adopt Zero Trust.