What Does 2014 Have In Store For IT Security?

by Sohini Bagchi    Dec 23, 2013

threats

As cyber security threats intensify and workers bring more devices to work, IT departments need to revisit their security tools and strategies like every year. In 2013, we saw a number of high-profile attacks, including banks, media houses, government websites and numerous firms across the world. Even Microsoft, Facebook and Apple weren’t immune. Experts believe with a steady rise in the commercial activities happening online, hacktivists and fraudsters are always working on new and smarter ways to exploit vulnerabilities. What to Expect from IT Security in 2014? CXO Today throws some light on the changing IT security landscape in 2014 based on expert views and reports from the industry.

More of Insiders threats – companies beware!

The Edward Snowden incident continues to reverberate across industries.  Hence there will be a much greater emphasis on the person aspect of insider threat prevention in 2014. According to a Forrester study, over 63% of the breaches are caused by internal sources, whether intentional or inadvertent. In the next one year, companies will spend more money and time on employee screening and monitoring, with a stronger focus on outsourced and contracted positions. “Defending against insider threats requires a multi-layered use of technological controls, including system-wide use of data encryption and establishment of policies stressing prevention of data loss,” says Anil Pochiraju, MD India & SAARC F5 Network.  

Dealing with the BYOD realities

In the past years, experts were predicting whether BYOD may or may not become a key priority. However, the time has come in 2014 to step up investment in this area. Experts from security company Symantec recommends companies to deploy solutions that offer a holistic security policy, where the controls can be applied securely to a device and location agnostic network. This can be addressed by adopting an integrated, adaptive, and collaborative security approach. For example, the CIO should also focus on designing a next generation security architecture built on top of a multi function platform with greater network integration in order to deal with BYOD realities.

Read: Boardrooms still lack security awareness

         Employees often disregard corporate BYOD policies

Tryst with the Cloud

IDC predicted that 70% of CIOs will increase their dependency on the cloud in the next one year. While cloud-based solutions will lower costs and increase companies’ flexibility, they also increase security vulnerability. Eric Chiu, president and co-founder of HyTrust, predicts that organizations will look to buy more solutions from a single vendor and demand greater integration between solutions to automate security, according to experts. As securing cloud environments will be different from securing traditional physical environments, cloud security will drive greater consolidation in the market.

Encryption to be revisited

Today more and more companies are realizing that encryption many be the only thing that is protecting their data. What’s more, if hackers are led to believe there is a weakness in a particular system - either accidental or intentional - they will pound on it until they find it. As a result, many companies will look to improve the way they use encryption going forward. According to analysts, companies will focus particularly on cryptographic block modes like CBC and OFB, and authenticated modes like EAX, CCM and GCM, advise the experts at Neohapsis. “The strongest interest will be in encryption products from cloud security brokers, which are relatively easy to deploy and have options for on-premises encryption management,” says Ruggero Contu, research director at Gartner.

More pressure on CISOs

As the notion of a security perimeter will move beyond the sprawl of traditional IT assets (data centers, endpoints, networks), as well as BYOD and cloud infrastructure, CISOs will be held responsible for anything that goes wrong with an IT operation whether or not they could have prevented it. Consequently, in 2014 CISOs will feel more pressure than ever in balancing unlimited responsibility for consequences with limited ability to control circumstances, believe experts. Security expert Lawrence Orans, Research believes that in the coming months, CISOs and CIOs will demand more transparency and assurances from cloud service providers to maintain trust in externally sourced IT operations and services, but they will also need to analyze and correlate security data and unstructured business data to apply it in the real time setting and environment.

Read: CIOs, CSOs suffering due to outdated security strategies

DDoS attacks get trickier

Distributed Denial of Service (DDoS) attacks will be on the rise, with attackers going from simple volumetric attacks to take advantage of a site’s specific performance characteristics. Experts believe politically motivated attacks on Internet properties and brands will continue to become one of the most common forms of cyber attack. This means that hackers may be conjuring DDoS attacks to create diversions, and also come up with a kind of distributed-denial-of-service-as-a-service (DDOSaaS) approach to political fundraising. Jeff Wilson, principal analyst for security at Infonetics Research also states that with the number, size and coverage of DDoS attacks on the rise, we expect revenue for DDoS prevention solutions to grow in the healthy double digits through 2014.”

Social Engineering on Steroids

Social engineering will be one of the most sought-after assets cyber-attackers to breach perimeter security. From spoof emails to fake websites, attackers will use this technique to bypass perimeter security and deliver their malware payload directly into a network. CyberArk predicts that there will be more attacks like the ‘damsel in distress,’ a targeted attack aimed at male IT workers that used fake social profiles of attractive females who were posing as new hires and requesting ‘help,’ or fake job proposals and phone calls from ‘head hunters’ to solicit information – all to get one employee to unknowingly open the doors for an attack. As online identity increasingly becomes tied to social networking sites, the sophistication of social engineering attacks will grow.

Rise of “Internet of Vulnerabilities

With millions of devices connected to the Internet—and in many cases running an embedded operating system—in 2014, they will become a magnet for hackers. Security researchers have already demonstrated attacks against smart TVs, medical equipment and security cameras. Users often don’t even realize they have an oncoming security problem. A Trend Micro report predicts that the Internet of Everything (IoE), will be the proverbial game changer in IT in the years to come. With augmented reality delivered through wearable technology including watches and eye-wear, the possibility of large-scale cyber crime from identity theft is a very real possibility as the technology continues to proliferate from 2014 and beyond.”

Read: Rethinking security in the era of Internet of Things

Expect the unexpected

Finally, “Expect the Unexpected in 2014,” states Jagdish Mahapatra, Managing Director, McAfee India and SAARC who points out in the coming year anything unforeseen and unlikely will take place in IT security. Mahapatra recommends that IT security experts can start by cultivating the basics—keeping browsers patched, firewalls robust, being serious about business resiliency, staying on top of vulnerabilities and attack trends, and watching the news for evidence of politically exposed brands or web properties. Since one cannot predict the future or the actions of criminals and spies in a real-time world, our best bet is to follow the data, build trusting relationships for reliable information sharing, and hope for the best, he says. 

Also read: CIOs should adopt a progressive approach to security risk management