IoT complexity to lead towards security vulnerability

As per Cisco’s Visual Networking Index (VNI), it is predicted that there will be around 26 billion IP network-connected devices by 2020. With Internet of Things (IoT) reaching the levels of enterprise networks, government systems and general user’s handsets at such a large scale, security vulnerability will continue to plague these connected devices. Due to complexity in protocols and standards, absence of skilled resources to manage IoT environment, low-quality products with vulnerable security measures, and intricate architectures, IoT devices have already been under attacks from hackers, which is predicted to get worse in 2017. In fact, organizations are still not equipped enough to review even their popular apps for malware, which is resulting into DDoS attacks, and even leading to providing an entry point into the networks of enterprises for APTs and ransomware.

The way forward: The battle will be won by those who will be able to secure their IoT devices with customized solutions.

Cloud-security to gain prominence

Cloud security breaches have kept many organizations from embracing cloud computing for long. However, this year may see a reverse pattern with cloud-security expected to gain prominence in the IT ecosystem. Cloud security certifications such as Certificate of Cloud Security Knowledge (CCSK), Cloud Security Alliance’s (CSA), and Certified Cloud Security Practitioner (CCSP) are providing a sense of refuge to organizations planning to join the cloud computing bandwagon. Further, the industry in general is being seen to share best practices and advices on how to embark on integrating cloud in a secure manner. With organizations gaining confidence in deploying cloud, just as their on-premises solutions, it is expected that cloud adoption may increase in the coming year. However, the rate of acceleration would depend entirely on strengthening the security practices in the cloud and curbing cloud security breaches.

The way forward: Investing in Cloud Security-as-a-Service would make sense for enterprises as it will help in minimizing security breaches, while cutting cost to buy and maintain firewalls.

Ransomware and malware everywhere

Malware attacks have become sophisticated over the years as they continue to transform, going beyond the defenses offered by most antivirus products and security vendors. As businesses are seen to adopt telecommuting, introduce wearables and connect dispersed workforce through IoT-enabled devices, attackers are also expected to use technology to gain access to the enterprise networks through employees’ devices and hack the system. Mobile malware could be one of the leading issues in 2017 that the enterprises would have to tackle in a proactive manner. In fact, mobile data breach may cost an enterprise around USD 26 million, as per a study by Lookout, a mobile security company, and Ponemon Institute, an independent research company focused on privacy, data protection, and information security. Also, with proliferation of 4G and 5G services and increase in Internet bandwidth, mobile devices may witness higher vulnerability to DDoS attacks.

Along with malware, ransomware will also continue to evolve in the coming year. Ransomware attacks on cloud and critical servers may witness an increase, as the hackers would hold the organizations on tenterhooks to part with the extortion amount or face the risk of shutting down of an entire operation. However, such payouts may not even guarantee enterprises the future safety of their data or even the recovery of their current data.

The way forward: Stop being held at ransom. Secure your devices and servers with customized security solutions.

Automation to circumvent skill gap

Finding skilled IT resources will continue to be a major issue for the industry, and with it, newer methods to bridge this gap are also expected to surface. One of the major trends predicted this year would be using automation to perform certain duties, especially those which are repetitive or redundant. This would help IT professionals in focusing on important tasks at hand and enterprises gain maximum utilization of their manpower.

The way forward: Implementation of the right automation solution will assist IT professionals to gain instant access to any malicious threats instead of manually scouting for breaches.

Secure SDLC, the way forward

Although testing is seen to be an important part of application security, it is often relegated at a later stage in code development. In the absence of regulations or industry standards, companies are often seen to adopt their own methods when it comes to coding, with focus on developing codes quickly rather than securely.

The current process for the Software Development Life Cycle (SDLC) with its five main phases – design, development (coding), testing, deployment and maintenance – has a major shortcoming of testing being done at a later stage. Security vulnerabilities are usually checked with the use of methods such as pen-testing at a time when the solution is almost ready to be released in the market. This could lead to the system being susceptible to attacks for any code that remains unchecked. In the coming year, it is expected that the industry may take a step further by adopting Secure-SDLC (sSDLC) to circumvent such issues. With sSDLC, changes in the code will be analyzed automatically and the developers will be notified on an immediate basis in case of any vulnerability. This will help in educating the developers about mistakes and making them security-conscious. Further, vendors will also be able to prevent vulnerabilities and minimize hacking incidents.

The way forward: Moving towards secure-SDLC will help enterprises to get the code right from the beginning, saving time and cost in the long-run.

MSP will still remain the need of the hour

Managed services provider (MSP) was adopted to assist enterprises manage their hosted applications and infrastructure, and many predicted that with the implementation of cloud, it could become redundant. However, over the course of time, it has been seen that MSP is still at a core of many business services. While most businesses have shifted to cloud, many enterprises with critical applications cannot take their infrastructure to the cloud ecosystem due to compliance or regulatory issues. These still need to be managed and maintained.

Further, implementation and management of mixed environments, cloud and on-premises, require mature skillsets. MSP not only help in providing the right guidance, but even help enterprises to choose appropriate hosting, taking into consideration the budget of the company, and compliances and security policies prevalent in the industry.

The way forward: MSP is expected to move beyond managing IT environment. Such providers may become business extension for enterprises to advise them on policy and process management.

Threat intelligence to become strategic and collaborative

As per EY’s Global Information Security Survey, although organizations are seen to be making progress in the way they sense and resist current cyber-attacks and threats, there is still need for considerable improvement to tackle sophisticated attacks. For instance, 86 per cent of the respondents of the survey stated that their cyber-security function did not fully meet their organization’s needs. It is expected that the growing threats, increase in cybercrime, geopolitical shocks, and terrorist attacks will continue to drive organizations to evolve their approach to being resilient towards cyber-attacks.

Incorporating cyber security strategy in business process may become a major component as well. Microsoft, for instance, has recently unveiled its USD 1 billion investment plans to implement a new integrated security strategy across its portfolio of products and services.

The way forward: Cyber security can no longer be tackled in silo by a company. Enterprises need to address the issue by working in a collaborative manner by sharing best practices and creating war-room programmes.

Leave a Reply