In the world of corporate information technology, 2011 was all about security. We saw hackers become increasingly sophisticated and persistent in their efforts to exploit the end user as the weakest link. To some, 2011 probably seemed like a long series of headline-grabbing security breaches - think RSA, Epsilon, IMF, Lockheed Martin, FBI, Sony PlayStation Network and Citigroup, to name just a few. And that was just the tip of the iceberg, as many breaches go unreported. So what's coming in 2012?
Unfortunately, we expect these trends to intensify. Attacks grew more sophisticated in 2011, and in 2012 that will only get worse. Organizations of all sizes and across all sectors are being targeted. Companies both large and small will find it difficult to keep pace with the coordinated efforts of the bad guys, making it easier for a motivated group of criminals to find a way in. However, if businesses prepare for the latest threats by deploying advanced security technologies and by adopting effective solutions to train and test their workforce, they can significantly reduce their risk while raising the bar for cybercriminals.
Here are the top 5 IT security related trends we believe will impact 2012:
A variety of popular mobile devices will flood the enterprise, forcing IT departments to make users more accountable for their devices.
The increase and diversity of consumer devices such as smartphones, tablets and other mobile devices in the enterprise will cause a plethora of security woes for IT departments and security professionals. According to a 2011 study by the Nielsen Company, 40 percent of U.S. mobile users now own smartphones. It's clear that in the age of convenience IT departments cannot stop employees from using these devices, so they will need ways to better secure the devices and to ensure employees are properly trained to handle them safely. Unfortunately, mobile devices are often the gateway for the latest attacks, including smishing (phishing over SMS), social networking attacks and app malware. IT departments will need to get tough and introduce policies, technology and training to control these risks.
The explosion of new software applications will introduce dangerous malware sold on the black market
Closely tied to the trend of more smartphones and tablets in the enterprise is the influx of new applications of all shapes and sizes. In 2012 you'll be able to do almost anything by downloading an application, and often the mobile device is the preferred way to download it. Location-based apps, leisure apps (like the Starbucks Cup Magic app) and games all pose an added threat to corporate environments as the number of downloads grows exponentially. The problem includes both apps that access information such as location or contact lists and apps that carry malware such as keyloggers or programs that eavesdrop on phone calls, SMS and so on. Hackers are quickly learning to harvest 'good' applications, repackage them with malicious code and sell them through various channels to unsuspecting users looking for the best deal.
Social networking will open the door for new breeds of phishing and malicious attacks
Another major IT security trend in 2012 will be the increase in hacks and malware that exploit the popularity of social networks and the fact that people now trust these messages more than e-mail. Oddly enough, with email-borne attacks there is some awareness that the sender's identity can be faked, yet there is far more trust in the source of a social network message and much less awareness that it is being used to deliver malware. Bad news for companies, good news for hackers.
So is banning social media the answer? Interestingly enough, a November 2011 report on IT security co-sponsored by the Rotman School of Management surveyed 649 firms and found that companies that ban employees from using social media suffer 30 percent more computer security breaches than those that allow free use of sites like Facebook and Twitter. How can this be? Everyone knows that when end users start using technologies and channels the company does not monitor, it's like punching a hole in the security wall. But here's the deal: so many people are addicted to social media that you just won't win the battle with a ban. Instead of simply placing social media off limits, companies should make clear to employees that the software used to skirt a ban also causes costly compromises of network security. The right strategy isn't to block all access. The right strategy is to allow access, and to bring in awareness training with it so people fully understand what they're doing.
It's the small percentage of highly targeted attacks, known as spear phishing, that will be most damaging and costly
Number 4 on the 2012 IT security trend list: the smallest percentage of attacks will still be the most effective, the most dangerous and the least likely to be caught by technology. Spear phishing attacks will therefore become a main focus for hackers, and protecting against them should be a main focus for organizations as well. Technology solutions have their place and do a good job of blocking a high percentage of garden-variety attacks, the ones that can be stopped with signatures and simple heuristics.
The real problem is that the small fraction of spear phishing attacks that technology does not stop often accounts for the majority of reported losses. According to the Rotman report mentioned above, each breach of network security costs publicly traded companies $195,588, compared with $70,833 for privately held firms and $58,929 for government agencies. No filter catches everything, and realistically the best-crafted attacks are going to reach the end user.
Which leads to the last major security trend for 2012 on our top 5 list.
Organizations will increasingly realize that they can't blame their users; instead, they need to provide the tools to educate and arm them.
In the past there's been a kind of 'shrug my shoulders' attitude toward taking responsibility for the end user at companies and government agencies. Interestingly enough, several high-profile articles have shown that Generation Y is more likely to fall for a targeted phishing attack than us 'older' folks. Because the younger generation has grown up living their lives online, they are much more trusting of the channel. As this generation enters the workforce, that is one more reason they are likely to click a phishing link that puts your company at risk. We already know that organizations are extremely vulnerable, and based on this research it is only going to get worse.
Companies now need to do a better job of training employees on the most recent attack vectors, which means investing in products shown to have a measurable impact on people's behavior. They will also need to recognize that user training is not a 'check box' but an ongoing process that requires frequent reinforcement. In 2012 savvier users can become the IT department's best defense, because they are the gatekeepers against the most insidious attacks.
Bottom line: 2012 looks to be another banner year for hacks and high-profile breaches. Organizations large and small will need to adjust their security strategies to protect their revenue streams and reputations. By adapting to the latest trends, adopting the right IT security strategies and technologies, and implementing effective training solutions, companies can better prepare their organizations, improve their overall security posture and ultimately stay one step ahead of the cybercriminals.
About the author: Joe Ferrara is President and CEO of Wombat Security Technologies
The Tech Herald welcomes 2012 threat predictions from vendors, as long as they do not reference the end of the world and remain product neutral. All submissions are subject to editing and are due by December 20, 2011. Submissions can be delivered to [email protected] with the email subject '2012 Predictions'.