2017 Cyber Security for Businesses Predictions
1. Resilience and recovery will become commercial differentiators
Cyber-attacks are now so powerful that only a fool will claim to be invulnerable. Even the smartest organization can be hit by an attack, so in 2017 the differentiating factor is how they deal with it. A quick, slick and full recovery will attract sympathy and respect from the markets, while an incompetent recovery will attract criticism and lawsuits. Think TalkTalk.
Next year, we will see which companies are serious about the challenge of whether they take a coordinated approach combining protection, detection, and response.
2. Curation of data will become a key focus for all organizations, not just the data-rich
Investors, shareholders, customers and regulators will increasingly demand to see prudent stewardship of sensitive data (not least because of the impending General Data Protection Regulation). Specialist data loss prevention (DLP) tools are valuable if used properly, but many businesses either approach DLP piecemeal or assume that using a DLP tool is enough.
In 2017, organizations will need to assess the risks, identify the key data to protect, monitor their networks diligently, update policies, train staff and maintain a healthy security culture. Organisations also usually hold the sensitive data of third parties and must protect it as well as they protect their own.
3. Global clients will demand to inspect their supply chains’ data security
Most organizations already realize that their sensitive data is held in their supply chain as well as internally. There is often a stark gulf between what organizations expect of their suppliers and the contractual obligations they impose on them. As awareness of cybersecurity risks grows, we are starting to see global businesses seek demonstrable proof of data security competence from key professional advisers such as law firms, accountancy practices, and business consultancies. The biggest clients are well placed to insist on good data security as a condition of placing their business with such advisers, and it is a trend which we believe will only grow long into 2017 and beyond.
4. Board meetings will routinely discuss IT security, as they try to meet the challenges of a developing digital enterprise
There are now so many disruptive cyber-attacks against major organizations that even the most technophobe senior executives are sitting up and taking notice. CxOs may not care about IT as such, but they certainly care about the business goals it helps to deliver. No longer can they ignore the problem of cybersecurity or dismiss it as ‘something for the IT guys’.
2017 will be the year that Boards will finally come to see IT security as a critical business risk, will review it regularly and will want to discuss it in a language they understand. Organisations will need to equip senior IT staff to bridge the communication gap, by understanding the needs of the Board and striving to talk their language. This is a major shift in mindset and is likely to require a deliberate and well-structured programme of training.
5. Poor routine IT practices will still cause the most avoidable harm
Most of the cyber-security problems which affect organizations don’t happen because of ingenious new cyber-attack techniques or sneaky malicious insiders. We continue to be amazed at how many businesses fail to do the vital housekeeping tasks which reduce their risks. Whether it is effective vulnerability patching, appropriate threat intelligence, an access management system which truly reflects only current users, implementation of ‘least privilege’ access, or taking action on the recommendations of penetration tests, many organizations fall short.
This will, unfortunately, continue into 2017. Too many data-rich organizations which do not take reasonable steps to do the housekeeping basics are needlessly vulnerable to data loss, data theft or external disruption of their systems. This means the majority of headlining breaches of 2017 will be avoidable.
Mark Stollery, Managing Consultant, Enterprise & Cyber Security, Fujitsu