
The Year Ahead in Cybersecurity: From the Personal to the Political (Industry Perspective)

The U.S. will continue to suffer data breaches and other cybersecurity failures that harm both the economy and consumer confidence in the ability of government and enterprises to meet emerging threats.

As the public and private sectors increasingly evolve to enable mobile workforces and cloud services, there’s one constant as we look out to 2017: The U.S. will continue to suffer data breaches and other cybersecurity failures that harm both the economy and consumer confidence in the ability of government and enterprises to meet emerging threats. As we connect more electronic systems and expand the Internet of Things, these concerns and failures will increase despite frantic enterprise spending on cybersecurity technology, which reached a record $75 billion in 2015.

For the U.S. as a whole — individuals, enterprises and the government itself — security vulnerabilities loom large as the Achilles’ heel of our connected society. Let’s take a closer look at some of the top trends in modern cybersecurity and how they will affect us over the next couple of years.

BUTTONING UP THE BASICS. The single biggest gap in critical technology solutions — even in highly regulated industries — is a lack of basic best practices when it comes to isolating personal and business information on shared mobile devices, laptops and PCs. Users regularly browse public websites and install applications on workplace-issued laptops, putting the security of their business data at risk. Businesses often grant access to critical enterprise resources from untrusted personal devices without requiring multifactor authentication, and password reuse continues to be a bane for IT security professionals and a boon for malicious hackers.

As more and more enterprises are forced, by the nature of consumer expectations and distributed workforces, to allow personal use on corporate-owned devices and business use on personally owned devices, this gap creates significant risk, one that can be easily mitigated with secure containerization technology. Secure containers isolate, encrypt and protect business data and offer employees separate personal spaces across smartphones, tablets, laptops and desktops — any device they use for work and play. I predict that these types of “BYO-PC” solutions will start to replace VDI and app virtualization experiences that don’t enable the kind of user experience that today’s generation of mobile users has come to expect.

WHERE SECURITY MEETS PRODUCTIVITY. In weighing investments in cybersecurity, perhaps the biggest oversight is failing to understand and measure the impact of the new technology on business productivity. Too often IT departments make purchase decisions based on checklists of the most popular technologies — such as endpoint protection, firewalls and VPNs — by looking at costs and analyst surveys. While these factors are important, businesses need to have a comprehensive pulse on how these technologies affect user productivity, both for the users who leverage the technology and for the IT personnel who need to manage all that technology. Finding the intersection of security and productivity is absolutely crucial.

While third-party physical tokens are popular for two-factor authentication, they are often difficult to use and can be easily lost or misplaced. New technologies are emerging that enable users to perform two-factor authentication using tokens that they already carry with them everywhere they go: their mobile devices. Another major challenge for IT is managing the risk of data leaks through file sharing across mobile and desktop platforms.

Historically, IT has been forced to choose between accepting the risks of unfettered file sharing or preventing file sharing and reducing worker productivity. But with advances in cross-platform encryption technologies, we’re seeing new file-sharing systems emerge that can reduce data loss and enhance data governance, while enabling users to more freely exchange information within the enterprise and with stakeholders beyond the enterprise. I predict that governments and businesses will continue to adopt these types of new technologies that enable them to be both more productive and more secure.

ENTER THE INSURERS. Insurance companies see tremendous opportunity to help businesses manage cybersecurity risk in much the same way that traditional insurance helps to manage risk of physical theft, natural disasters and fires. Businesses are realizing that no matter how much they spend on cybersecurity, they can never completely eliminate the risk of attack from sophisticated threat agents.

While insurance is by no means a panacea — in fact, one could argue it’s a crutch that fails to address the systemic inability to adequately protect ourselves — it does have the potential to help us manage risk. Insurance companies, however, require better security evaluation standards to help them measure cybersecurity risk in organizations, and businesses need more external help to assess their own risks and ensure that they can convince insurance companies to offer better rates due to their commitment and maturity with respect to cybersecurity practices.

WHAT’S AHEAD IN WASHINGTON. High-profile hacks on government systems continue to directly impact government organizations, citizens and the politicians themselves. It will be imperative for the incoming White House administration to drive cybersecurity initiatives, though government cannot solve the problem by itself. The most important cybersecurity initiative for government is to promote and fund cybersecurity assurance programs to protect both the public and private sectors. Those programs should be managed by nonprofits whose members include a multistakeholder community of independent cybersecurity experts, technology suppliers, consumer advocacy groups, and government regulatory and cybersecurity experts.

In the health-care industry, attackers have found many soft targets. Consider the recent allegation by a cybersecurity research firm that security vulnerabilities in a connected cardiac medical device — a “smart” pacemaker and monitor combination — made by St. Jude Medical might put patients’ lives at risk. Just last year, my colleagues and I were able to hack a morphine infusion pump live on stage at a major conference, demonstrating that we could remotely overdose and potentially kill the patient. These types of issues should be a wake-up call to the industry that cybersecurity is no longer just about protecting electronic data; it’s about protecting against attacks with potentially devastating real-world consequences, reinforcing the urgent need for open security assessment programs for critical systems.

Protecting our personal, enterprise and national security against malicious hackers requires a high level of transparency into the security (or lack thereof) of the increasingly numerous set of electronic products and services that we all use every single day. If there’s one thing I’ve learned working on government-grade security technology for the past 25 years, it’s that most suppliers will not simply “do the right thing” on security; there must be strong economic incentives to promote the right behavior, and effective standards, certification and assurance programs to measure the effectiveness of security technologies. After all, we can’t hope to raise the cybersecurity bar if we don’t know how to measure its height.