2017 will be a year of additional security compliance mandates. What’s the old saying? ‘Government creates regulation when the free market is not working.’ Well, governments are concluding that many companies are not protecting their customers’ and employees’ data effectively, so they are getting involved. You can see it in the EU with the new Network and Information Security Directive (NISD), and you can see it in the US with the new DFARS 252.204-7012 for defense contractors, the Federal Reserve’s (plus FDIC/OCC) Advanced Notice of Proposed Rulemaking (ANPR) and even New York State’s proposed 23 NYCRR 500. In the past regulators were only pushing on healthcare and financial services (HIPAA Security Rule, Gramm-Leach-Bliley Act Safeguards Rule and PCI-DSS), but 2017 may be the year when many more industries feel a blunt government hammer.
In 2017 companies will begin to understand that it’s not the sexy “zero day” exploit they need to worry about. They need to be concerned with the common criminal using old exploits that they can download, update and easily deploy. Bad actors find an organization’s vulnerabilities on https://shodan.io, find default passwords on http://defaultpassword.com, download payloads from ransomware-as-a-service dark-web sites, and use tools like execrypt.com to get around anti-virus software. It’s not hard; in fact it’s quite trivial.
In 2017 companies will also begin to realize that their true vulnerability is what they enable users to do on their networks: the unintentional insider threat (or Cyber-Promiscuity™). The overwhelming majority of insider threat events are not the result of a malicious employee’s actions; rather, they are caused by the unintentional insider. Someone clicks on a spear phishing email, sends information over the internet in clear text, runs risky or vulnerable software, or visits a nefarious website and then becomes the victim of an attack, and more importantly, the company becomes the victim of an attack! A CERT Software Engineering Institute (SEI) study highlights that these unremarkable risks are far more common than the over-exaggerated zero-day risks.
In 2017 we will also hear a lot more about supply chain risk, especially in the legal and accounting verticals, which hold a lot of confidential customer data and in many cases invest in cyber security much like a typical Small to Medium Business (SMB).
“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.” — NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks
If you have customer data, or if vendors touch your data, you need to ask yourself ‘are you as secure as your customer?’ and ‘are your vendors as secure as you?’ It needs to be in your contracts and it needs to be auditable. It has been 4 years now since an HVAC vendor caused the Target breach, and the problem has sunk into the broader market given the demands of the Fortune 500 on their broad supply chains.
2017 will be the year of Managed Detection & Response (MDR). With all the attention on cyber, the SMB market will look for ways to protect their infrastructure, but they will realize they can’t hire security analysts (not many are available and they are expensive), they can’t afford on-premise solutions from companies like IBM or FireEye, and the current Managed Security Services Providers (MSSPs) like Optiv and SecureWorks want to charge them 5k per month. Hence new cloud-centric MDR companies, such as http://netwatcher3.wpengine.com, will emerge that rely on both automation and efficient management of security manpower, and that will be much more scalable and, most importantly, affordable.