In the world of IT security, the failings of businesses and other organisations to understand and address the real cyber threats they are facing has been a dominant theme throughout 2016.
In the light of this continued struggle, the opening of the UK’s National Cyber Security Centre in October could not have come at a better time to improve the government’s engagement with and support of UK business in improving overall cyber security resilience.
Cyber resilience has been a key theme of 2016, with some security industry leaders advocating a more proactive approach to defence through actively hunting down attackers, while others have suggested IT security defences should no longer be product-driven, but business-driven instead.
One area of potential security technology investment that has really come to the fore in 2016 is systems incorporating some form of artificial intelligence (AI), which is being touted by some as an essential cyber security defence technology of the future that will enable truly automated responses to attacks.
But while IT departments, and security teams in particular, have to consider the most appropriate defence technologies, they also have to be aware of new and emerging technologies in the corporate environment that can present new opportunities for attackers to exploit.
Throughout 2016, there has been growing concern about the risks that are being introduced by internet-connected devices that make up what has been described as an internet of things (IoT). As these devices become increasingly common in business environments, many fear attackers are bound to take advantage.
Social engineering, meanwhile, remains an increasingly popular attack method, which IT security teams need to be aware of and plan for, particularly in terms of preparing to detect insider threats, which are often the direct result of social engineering.
While the costs of failure are higher than ever, particularly in the light of new regulations and fines, a security veteran advises that IT security professionals should never lose sight of the fact they should be focused on securing data, and not on compliance.
Here are Computer Weekly’s top 10 IT security stories of 2016:
Fairly early on in 2016, an IBM survey in February revealed that business leaders were confused about their true cyber security adversaries and how to combat them, kicking off a theme that was to continue throughout the year.
In May, an NTT Com Security threat report revealed that only 23% of organisations were capable of responding effectively to critical security incidents. This was followed by similar reports showing that UK firms are neglecting cyber security, that businesses are still failing to learn the lessons of past cyber attacks and that the world’s biggest companies lack maturity in security, leading to warnings for companies not to be complacent about cyber security as the number of cyber security breaches reported to the ICO doubled in a year. Rounding off the theme in December, a report by Tenable Network Security showed that global confidence in the ability to accurately assess cyber risk fell in 2016.
Some reports pointed to specific problems, such as the fact that enterprises are dangerously complacent about mobile threats, that most businesses are vulnerable to cyber attacks through firmware, that most cyber security strategies ignore the way attackers really work and that half of IT professionals struggle with enterprise patching, which continues to be one of the biggest challenges to basic IT security.
To help UK business improve its cyber resilience, the UK government has rationalised all the departments dealing with cyber security into a single organisation, the National Cyber Security Centre (NCSC), which is to be the UK’s one-stop authority on infosec, based in London and led by GCHQ’s Ciaran Martin.
Since its official opening on 1 October 2016, the NCSC has announced plans to trial cyber defence initiatives on government departments before pushing them out to the wider business community, so that the NCSC can prove that they work and provide support where necessary.
One of the first of these trials is being led by HMRC, which is geared up to block 500 million phishing emails a year by deploying the DMARC protocol in combination with security intelligence systems.
The cost of failing to improve cyber security resilience was highlighted by a study that said UK businesses expect recovery from a cyber attack to cost at least £1.2m.
The industrialisation and professionalisation of cyber attackers has led to increased emphasis in 2016 on proactive security, particularly with the emergence of a new, rare breed of information security analyst who sniffs out traces of cyber attackers and pursues them. Commonly known as “hunters”, these analysts think like attackers and block avenues of attack before they can be used.
Just as security leaders are beginning to realise that defenders need to be less reliant on systems based on known attacks and be more proactive, experts in the field such as Corvid CTO Andrew Nanson believe information security should also be business-driven, not product-driven, and that investments should be assessed on their effectiveness and business value.
Along with different approaches to security, 2016 has seen increased emphasis on the potential of AI. It has taken centre stage in cyber security in the past year, with Intel Security forging ahead with a hybrid approach of human-machine teaming, but UK AI security pioneer Darktrace warns that AI is not only available to defenders, further underlining the need to use AI to defend against AI attacks.
Similarly, warnings have been issued in the past year that encryption too can be a double-edged sword, with encryption hiding malware in half of cyber attacks.
Industry players need to address the security of internet of things (IoT) devices urgently before it is too late, according to Lorie Wigle, general manager, IoT security at Intel. And while many believe this is something that needs to be addressed at an industry level, the fact is that there are already enough IoT devices for attackers to use, and for this reason IT security teams need to be aware and to be prepared.
There have been several warnings around IoT security in 2016. Some security researchers have emphasised that the IoT security threat is real, while others have gone as far as saying that poor IoT security could take down the power grid, but many have pointed to the Dyn IoT botnet attack as an important “wake-up call” for IT security.
The Mirai IoT botnet code release raised fears of a surge in DDoS attacks, and the Dyn attack was followed by discoveries that more IoT botnets were connected to DDoS attacks. Yet studies showed that less than a third of organisations were prepared for IoT security risks, amid more calls for IoT security risks to be addressed before it is too late.
Organisations need to take insider threats more seriously, said security experts after Sage warned that a data breach using an internal log-in may have compromised employee data at nearly 300 UK firms.
This story was one of several in 2016 that highlighted why it is important for IT security teams not to overlook the insider threat, and the closely allied social engineering attacks, which were confirmed as a top information security threat.
Two of the most valuable lessons in cyber security are to know your enemy and not to rely on users to be secure, according to industry veteran Mikko Hypponen. He suggested part of the solution may lie in taking the responsibility away from the user and giving it to operating system developers, security companies, and internet service providers and mobile operating firms that provide the connectivity that causes the problems in the first place.
Security budgets are often cited as one of the biggest challenges faced by IT security managers. But if the direct costs of cyber attacks, at more than £1bn in the past year, do not inspire business leaders to allocate more money to information security, the Payment Card Industry Security Standards Council (PCI SSC) warned in 2016 that UK businesses could face up to £122bn in penalties for data breaches when new EU legislation comes into effect in 2018. This was further underlined by the view that UK businesses are unlikely to dodge EU cyber security rules post-Brexit.
But a focus on the board, governance and compliance is distracting many infosec leaders from the real objective of securing data, according to John Walker, who believes data breaches should now be declining, not still increasing. Walker said the security breach at Yahoo in 2014, which affected 500 million user accounts but was only confirmed in 2016, showed that many companies, even large ones, were not taking the necessary steps to keep data safe.