As we predicted around this time last year, 2014 has seen more high-profile targeted attacks with motivations of stealing information, making a statement and permanently destroying sensitive/valuable data. As predicted, we also saw an increase in large cloud-based attacks, such as the iCloud breach. The following are some of the trends we expect to see in 2015.
Retailers still at risk
Retail-oriented attacks will continue to increase in size and number despite the calls for adoption of EMV technology as well as new technologies such as Google Wallet and Apple Pay. The fact remains that despite mandates to implement EMV by the second half of 2015, we will continue to see both older and newer credit card processing technologies in use. A large number of credit cards based on older technologies will remain in circulation and in use for some time to come, and merchants will continue to store credit card data on their systems. As a result, we will see additional large-scale breaches in 2015. We will also see a large number of smaller breaches where IT security may not be the strongest and therefore offers low-hanging fruit for hackers to steal data.
2015 is the year board members become engaged in cyber security
We predict that in 2015, senior executives and board members will finally engage in serious discussion about shoring up IT security. They will increase resources/budget to protect themselves.
A heated topic for 2015 will be what exposure the board has in cybersecurity breaches. There will be discussions around how the board of directors and senior management, including the CEO, may be held responsible in the event of a breach. It’s possible that board members and the CEO as well as the company could face class-action lawsuits from shareholders, customers and partners whose data has been compromised in a security breach, as demonstrated in the Target breach. Furthermore, the employment of the CEO as well as other senior management will be in jeopardy for the lack of comprehensive security oversight.
It is our belief that we will see more of these Target-style scenarios where the CEO and senior management will be held accountable for their organization’s lax security posture. There will be calls from shareholders and investors to replace the board or management team in high-profile breaches. From the boardroom perspective, it will be interesting to see how board members implement new policies and procedures to protect themselves from responsibility in the event of a data breach. It is likely, given the types of attacks that have happened, that a regular security review will become a common practice for senior executives and board members across small and large companies.
Supply chain changes will arise
We also predict that large companies will require and demand that small vendors and suppliers they do business with attest to implementing security best practices as well as engage in regular review of their suppliers’ and vendors’ security posture. Cyber insurance providers will not only audit large companies buying cyber insurance but will also go downstream to audit their suppliers/vendors.
Government will become more involved in cyber attacks
We expect state attorneys general and the federal government along with Congress to become more active advocates of consumer protection. They will take steps to hold companies, executives, and board members accountable. Companies will no longer be able to get away with lax security practices just by providing 12 months of free credit monitoring services. Consumers will become more vocal and initiate class-action lawsuits holding companies accountable for damage to consumers’ credit history traced to a breach. As a result, companies of all sizes, small and large, will begin to look for help in addressing security around the clock. Since no company can state it is secure with 100 percent confidence, companies will begin to change their approach to security and start implementing both proactive and reactive security strategies.
2015 will yield more ‘copy cats’
Now that we’ve seen that the Sony breach has proven to be a very successful endeavor for the hackers, we predict that we will see additional copycat Sony-like breaches in 2015. We will see significant business disruptions. This will be the result of intruders erasing highly sensitive data, making networks and systems inaccessible, as well as creating fear in employees by threatening to leak personal data.
Companies that do not have well-thought-out security plans as well as disaster recovery strategies will become headline news in 2015. These companies will suffer debilitating business interruptions, intellectual property losses and loss of employee morale, and will pay a significant price to recover from attacks.
Security professional shortage leads to partnering with security service providers
Finally, 2015 will continue to see a shortage of trained security staff to meet the changing threat landscape. As a result, organizations of all sizes will seek outside help and partner with security service providers.