A Few Cybersecurity Predictions for 2016

I’m a bit reluctant to blog about 2016 cybersecurity predictions, as it seems like everyone is getting into this act. Alas, this end-of-year tradition used to be the exclusive domain of the analyst community and a few industry beacons, but now it seems like every security tools vendor in the world is reaching out to me to tell me what they see in their crystal ball. 

So, with some hesitance, here are a few of the things I expect to see after the proverbial ball drops (in no particular order):

1. Greater focus on cyber supply chain security. Enterprise CISOs realize that strong cybersecurity extends beyond the corporate LAN and that cyberattacks and data breaches could easily start with third parties with access to the network. The OPM and Target breaches are two examples where cyber-adversaries simply compromised trusted business partners and used them as a beachhead to penetrate their targets. At the same time, we’ve seen an increase in malware hiding in firmware, system BIOS, device drivers, etc., so servers, routers, storage devices, and network appliances could all introduce malicious code into an otherwise pristine environment. I expect CISOs to extend efforts with IT and third-party risk management assessments and controls. Look for additional use of real-time intelligence in this area from vendors like BitSight and SecurityScorecard for keeping an eye on third-party partners.
2. The consumerization of authentication. Everyone knows that user name/password authentication is inadequate, but few organizations have the resources to deploy and operate multi-factor authentication technologies everywhere. This IT “rock and hard place” situation is finally changing, driven by mobile phone-based biometric technologies, social login, mobile payment, and industry standards like the Fast IDentity Online (FIDO) specification. ESG research indicates that 41% of enterprise organizations are already using mobile devices for multi-factor authentication, while 44% are using or would consider using social login/consumer-based credentials for authentication (disclosure: I am an ESG employee). Look for mobile and social login to gain a bigger foothold in 2016. On a more general note, I expect lots of IAM activity next year as identity morphs into a granular rules-based security perimeter.
3. Cyber insurance continues to boom. I recently blogged about cyber insurance, but this market is so hot that it’s worth repeating. The U.S. market for cyber insurance is around $2.5 billion serviced by around 50 companies. Year-over-year growth was estimated at 35% in 2015, and I believe it could grow at 40% next year as large organizations seek to transfer more of their IT risk to third parties. Look for more business relationships like AIG and K2 as insurance companies seek to get a better handle on IT risk and more hands-on participation in incident response. In fact, cybersecurity professionals will receive calls from head hunters with a new career opportunity – working side-by-side with actuaries and brokers at cyber insurance firms. Also on the risk management front, I expect insurance companies to incentivize customers to adopt the NIST Cybersecurity Framework (CSF), and penalize those that do not.
4. A rise in ransomware. In 2015, ransomware became a service offering available for a fee on cybercrime chat forums. At the same time, exploit kits like Angler were offered to more ambitious hackers, alongside Cryptowall and Cryptolocker. Ransomware was typically used for petty crime against small businesses and government agencies, but 2016 could include a frightening escalation, enterprise ransomware. We could see ransomware bundled with worm-like proliferation techniques to “brick” all the Windows endpoints and servers of a targeted organization. Rather than a few hundred bucks, cybercriminals will use this technique on a large scale, demanding millions in Bitcoins from their victims and may even offer payment terms – pay the entire extortion technique and the criminals will unlock all systems and declare a 12-month moratorium on another attack. Alternatively, an installment plan will unlock a majority of systems, but some will remain hostage as monthly payment demands increase over time.

I have a long list of other predictions, but I’ll save them for another day. Thanks to everyone who reads my blog and happy holidays!