IT security predictions for Australian organisations in 2016

What IT security challenges should Australian organisations expect in the new year?

Just days before Christmas, Australia’s popular press was awash with reports of how a security flaw in Hello Barbie, the Wi-Fi connected doll, could be used to spy on the nation’s children.

As the era of the internet of things (IoT) dawns, computer security has taken on a whole new dimension.

Security is no longer just about a virus in your spreadsheet or ransomware closing down a small business, it’s about hackers taking over autonomous vehicles or drones, or shutting down critical infrastructure – or about your children being manipulated without your knowledge.

If there is one safe prediction for 2016, it’s that security challenges will arise on a scale never seen before.

Audrey William, head of ICT research for Frost & Sullivan in Australia and New Zealand, said the growth of smart homes where smartphones and tablets are used to control power, cooling, heating and security is introducing new computer security challenges. 

Gartner, meanwhile, has predicted that by 2018, one-fifth of all smart buildings will have experienced some form of cyber vandalism.

CheckPoint Software also warns that the rise of IoT devices, wearables, mobile platforms and autonomous vehicles broadens the range of endpoints that can be attacked.

In 2015, security headlines were dominated by more conventional hacks – of the Bureau of Meteorology, Kmart and Ashley Madison. Frost & Sullivan’s Williams said the Ashley Madison hack – which leaked customers’ personal information, causing great embarrassment – had served to heighten awareness of cyber security threats among people who had previously never given it a second thought.

Seven Australian security predictions for 2016

  • It will be a lot more costly and complex to protect yourself.
  • Security skills will prove scarce and expensive.
  • Perimeters will be more porous because of mobiles, the IoT and wearables.
  • There is no silver bullet – a mix of technology and protocols is needed.
  • Privileged accounts will be a key target.
  • Employees remain a security weak spot.
  • Critical infrastructure will be a prime target.

But Frost & Sullivan’s Williams also warned: “Targeted attacks on computer industrial control systems are the biggest threat to a nation’s critical infrastructure. Such attacks have the potential to bring down critical systems, which can lead to damaging a customer’s brand and reputation.”

This is likely to be a focus of the Australian federal government’s Cyber Security Strategy, which is scheduled for release in early 2016.

For enterprises, the security challenge will be exacerbated by the introduction of mandatory data breach legislation under that strategy. A draft bill was circulated before Christmas, and public consultation is open until March, after which the government is expected to introduce legislation requiring any organisation covered by the Australian privacy rules to disclose a serious data breach within 30 days or risk stiff penalties.

This is likely to prompt fresh security investment by the country’s enterprises.

Gartner has predicted that spending on information security in Australia will reach almost AUD3.2bn in 2016, a rise of 8% from 2015. It has also warned that the rapidly appreciating US dollar could lead to security product costs rising as much as 20%, suggesting that Australian enterprises may get less bang for their buck.

And that buck will be under pressure because, according to Williams, there will also be rising demand for cyber insurance that will extend beyond offering compensation and protection from liability in the event of a cyber attack.

Regional and global issues

For Australian companies operating in more than one country, it is also important to understand regional and global issues.

Communications and data specialist CenturyLink says some nations face more cyber crime than others. It recommends a careful risk assessment coupled with comprehensive threat detection strategies that go well beyond perimeter protections such as firewalls and anti-virus software.

Performing that assessment will require access to sophisticated (and scarce) security skills: the ability to determine business risk and identify technology solutions, while communicating the challenge to the executive management who will have to sign the cheques.

Besides educating the top echelons about security risks, companies will have to continue to educate employees because, according to CenturyLink, whether intentionally or accidentally, staff often remain the weakest link in an organisation’s security strategy.

Samantha Madrid, head of network security product marketing for Palo Alto Networks, was in Australia late last year to speak to enterprise customers about the changing threat landscape.

She said security was a “transforming topic” as organisations realised they needed to take a prevention-focused approach that integrated firewalls, threat intelligence platforms and endpoint protection.

“The idea of prevention is to prevent data leaving the network when you have been targeted,” she said. “Most legacy technologies are unable to understand how users communicate. They are all about ports and protocols.”

More considered approach

Instead, enterprise security specialists need to take a more considered approach and understand how applications are used, then deploy technologies and policies to create a more holistic security mesh, she said.

The days of companies feeling smug because they have implemented password protection are well and truly over.

Lasse Andresen, chief technology officer at ForgeRock, said: “The security approach where you only evaluate risk when someone is at your door is becoming less workable. When you can continuously analyse someone’s authenticity while already in the system, then you can provide a high security environment while still offering ease of use to the end-user.

“Especially with the IoT bringing billions of new devices, services and apps online, the ability to continuously monitor and authenticate users while they are in your house will become a real business advantage.”

But while Andresen says passwords are on their last legs as an effective protection mechanism, Michael McKinnon, security awareness director at AVG, says passwords are not going anywhere.

“The vast majority of us use the humble password to access resources across our private and work lives, and it will be with us for many years to come,” he said. “It is important to understand that passwords are a free-to-use concept, not a technology. Any alternative solution will come at a cost in technology or complexity, and that is why passwords are here to stay.

“Weaknesses associated with passwords, such as reusing them or not storing them safely, will no doubt continue. To minimise risks, we all need to keep security awareness rising across consumer, business and enterprise, and, where possible, deploy two-factor authentication.”

But for some organisations, that’s just the start of the security story in 2016. As US bank robber Willie Sutton famously responded, when asked why he robbed banks, “because that’s where the money is”.

That is also the reason why banks are a prime target for modern-day crooks.

In Australia, the major banks are investing money and resources to get a better understanding of how both blockchain technologies and quantum computing can be leveraged to boost security.

The cyber security war is about to get a whole lot more interesting.
