In 2017, expect to see a civilian casualty from the nation-state cyber cold war, Nachreiner said. “We expect to see at least one private business or citizen become a victim of a zero-day flaw that a nation-state held secret in their arsenal,” he said.
In an effort to combat terrorism and expand surveillance at least one Western government will follow Russia’s lead and mandate access to encryption keys and certificates, foresees Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Widespread government access to encrypted communications has the potential to demolish internet privacy and devastate security. Encryption is the backbone of secure and private communications on the internet — it protects online banking, shopping, all manner of consumer services that our economy and critical infrastructure rely on. Once we allow governments universal access to encryption the likelihood of abuse and misuse skyrockets. It’s time to stand up against governments' efforts to hijack privacy and trust online,” he said.
Scott Millis, CTO of mobile security company Cyber adAPT, believes that by next year every adult in the U.S. will know a relative who has had their identity stolen. The Internal Revenue Service reported that 2.7 million people had their identities stolen in 2014, and according to TransUnion 19 people fall victim to identity theft every minute.
George Ng, co-founder and CTO of Cyence, believes many companies don’t realize even the smallest things can expose personal information and make them more likely to be targeted. For example, a job listing for a CSO or CISO indicates a lack of senior leadership for cybersecurity. “[Personal identifiable information] continues to be a target for hackers and criminals and is very tangible information that can be sold easily on the dark web, just as easy as credit cards. PII records will continue to be specifically targeted because they fetch a higher price and are more versatile in their usage for hackers.”
With privacy in mind, Forrester said surveillance marketing will blur the line between online and offline customer behavior. “The online ad world has been chipping away at people’s ability to keep their online and offline habits separate for years.”
New rules for U.S. internet service providers will unleash a flurry of lawsuits. Earlier this year, the U.S. Federal Communications Commission (FCC) determined that ISPs like AT&T, Comcast, and Verizon would be classified as “common carriers” — the same designation as landline telephony providers. On Oct. 27, the FCC voted on a set of rules that place limits on how these providers are allowed to monetize customer data. The carriers say that the FCC is restricting fair competition, since companies like Facebook and Google have no such rules.
“2017 will be a year of legal battles — between the internet giants and against federal regulators — while the promised consumer protections will fall short on enforcement,” Forrester writes.
More data breaches
Of course predicting more data breaches is not a real shocker. Forrester estimated that a Fortune 1000 company will succumb to a cyberbreach and ultimately close down.
There will be no improvement in the time companies take to react to a breach, Millis said. Ponemon Institute found that when a breach was identified within 100 days, average costs were $5.83 million per breach. However, if a breach went undetected for more than 100 days, costs rose nearly 40 percent.
Healthcare breaches will become as large and common as retail breaches, Forrester believes. The 2015 breach of Anthem that affected as many as 80 million patients will become commonplace. As a result of mergers, acquisitions, and other partnership arrangements, large healthcare insurer and provider conglomerates are only increasing in size — as is the critical patient information they store. The consolidation of providers leaves security fragmented with varying security levels.
Second, patient data carries unique, permanent information, such as genetic markers, and biometric data, such as fingerprints. For malicious attackers interested in ransom, blackmail, and espionage, this data will be too tempting not to grab. Given the critical nature of the services and the sensitivity of the data at risk, healthcare firms should spend on par with other critical infrastructure industries.
Mike Patterson, vice president of strategy at Rook Security, said there will be a billion-dollar breach. Costs for Anthem's breach reached hundreds of millions of dollars within a few months of its early 2015 disclosure that affected nearly 80 million accounts. Yahoo's acquisition by Verizon could see a devaluation or termination of the $4.8 billion deal value as a result of Yahoo's recent breach disclosure.
“If we are at the point where a big breach at a large enterprise can quickly generate hundreds of millions of dollars in costs or cost shareholders hundreds of millions of dollars in share purchases, we aren't far from a new breach in 2017 taking us over the $1 billion mark,” he said.
By contrast, Justin Giardina, CTO at iland, believes the “little guys” will be the next targets. “While historically, it was the biggest organizations with the most attractive data that got hacked, increasing numbers of malicious attacks targets smaller, often weaker, targets. So, we’ll see medium-sized enterprises raising their security and business continuity efforts.”
There will be a shift in focus from broad-based attacks to more targeted attacks against specific firms or individuals, says Scott Petry, CEO at Authentic8. The best evidence of this is the intellectual property theft against law firms, insider spoofed spear phishing to finance and HR people, ransomware targeting healthcare after Methodist paid out.
Speaking of paying out, Rick Tracy, CSO and senior vice president at Telos Corporation, said cyber insurance needs to mature. “Cyber attacks have increased over the past few years and will only get worse. Because cyber is so new, relatively speaking, there isn’t a great deal of actuarial data to help insurance carriers underwrite cyber risk,” he said.