What will 2013 hold for information security professionals? Certainly a lot more serious incidents, as we've been incubating a raft of potential crises for the past two decades. But what specifically can we expect? Will it be more of the same? Or could we see the dawn of a new era? The answer is likely to be a little of both. Here are my top five forecasts for 2013.
Attacks get nastier
Data breaches are bad enough, but at least they don't disrupt business operations. Long-term data damage is much worse. I've been forecasting this as a future risk for the last decade. It will begin to hit home during 2013, with rapid growth in cyber extortion and vandalism, perhaps coupled with the emergence of real cyber terrorism. Expect much nastier attacks and watch out for the beginnings of organised protection rackets.
Big challenges from Big Data
Big Data is the latest technology in a long-term trend of increasingly powerful user access, enabling new dimensions in data mining, fusion and navigation, as well as new opportunities for big data breaches. Only compliance and expensive licence fees stand in the way of a user free-for-all in data access. But it spells the end of the 'least privilege' principle.
Final death of corporate perimeters
Many enterprises, including big banks, still cling to the fig-leaf protection provided by private infrastructure. It's an illusion, of course, because Internet and email access provides a massive back door for attackers. BYOD is the final nail in the coffin for traditional corporate perimeter protection. The users have left the building, the applications are following and the enemy is already inside.
Security speeds up
Growth in the frequency and impact of attacks will at least persuade security managers to forget the achingly slow Deming cycle and respond to vulnerability alerts and incidents in real time. Patching will get faster, vulnerability scanning will become more frequent, and security staff will become more empowered.
SMEs discover security
In recent years I've researched and written extensively about the lack of interest in and awareness of security in the small and medium enterprise sectors. The reality is that SMEs aren't concerned and nobody has bothered to educate them. They remain the soft underbelly of big business and critical national infrastructure. 2013 will see the start of a slow change in this sector, starting with small retailers, as compliance requirements gradually cascade down supply chains. It won't happen overnight but it will open up new markets for security vendors.