It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last December I made five predications for 2013. How well did I do? Let's examine them.
Attacks get nastier
I forecast that attacks would become more damaging. It didn't happen quite the way I imagined. Some data breaches were massive (e.g. Snowden) but most attacks were designed primarily to steal data than damage business operations. We await the latter. It's simply a matter of time.
Big challenges from Big Data
Big Data enables powerful user access and new opportunities for bigger data breaches. The potential was illustrated by the Snowden case which highlighted the massive power that is now in the hands of our administrators and power users. We are witnessing the slow death of the 'least privilege' principle. The worst is yet to come.
Final death of corporate perimeters
The users have left the building, the applications are progressively following, and the enemy is already inside. Everybody is aware of the challenge. The Jericho Forum has therefore disbanded their evangelic mission and declared success. All that remains is for enterprises to follow their mew instincts and implement security at the application and data levels.
Security speeds up
Security managers are speeding up their act, supported by a new generation of security tools that deliver real-time, continuous security. There are no excuses today for delay in detecting and mitigating vulnerabilities. Security managers should take full advantage of the new opportunities presented by Cloud security technology for speed and empowerment.
SMEs discover security
For decades SMEs have been the soft underbelly of big business and critical national infrastructure. They still are. I predicted that 2013 would see the beginning of a slow change in this sector. Certainly there is greater awareness and interest with governments and regulators. But we yet to see any significant change despite the fact that we (ISSA-UK) set out a practical blueprint nearly two years ago.
The events of 2013 demonstrated several home truths of cyber security. The Snowden case illustrated these well. Firstly, you can't keep anything secret in a hyper-connected society. Secondly, the short term damage of a massive breach can seem less than expected, though the longer term effects will be surprisingly broad and disruptive. Thirdly, existing security practices are inadequate for addressing the risks presented by today's infrastructure. And finally, it takes a painfully long time for stakeholders to address issues that have for many years been staring them in the face.