Technologies are evolving at a faster pace than ever before. They’re becoming smarter, quicker, wiser. The evolution of the Internet of Things (IoT) and Bring Your Own Device (BYOD) over the past couple of years is a clear sign that we’re becoming more connected with each other, with our homes and offices. And that connectivity becomes seamless, uninterrupted, as more sophisticated wearable devices enable us to stay connected while out and about. But greater connectivity comes with greater security risks. Cybercriminals have shown time and time again how skilled they are at exploiting a variety of interconnected systems and networks. So what about security – how will it evolve with all these welcome-but-risky developments?
With the New Year kicking off, we’ve tried to get a glimpse into the (near) future of security technologies and practices. But not by looking into a crystal ball! We base our following predictions on recent facts, technology trends observed in the past year, and Bitdefender researchers’ expertise and valuable insights.
Without further ado, here are our Top 5 security predictions in terms of technology developments and practices in 2015:
1. Security made smarter with machine learning
Machine learning algorithms are gaining ground in tech developments. In a nutshell, machine learning focuses on the development of computer programs that can detect patterns and adjust their actions accordingly. Thus, they can teach themselves to “evolve” whenever they’re exposed to new data. As you have probably guessed it, this technology finds applicability in internet security. Bitdefender research estimates that 99.97% of the time, such algorithms can identify threats that were missed by traditional security mechanisms. How do they work exactly? By feeding them information about known malware samples and security vulnerabilities, they can observe patterns and facts, and drive statistical inferences leading to positive identification of new and unknown threats. It is important to note, however, that a single machine-learning algorithm is not enough when dealing with internet security threats. Having multiple systems that constantly crunch specific types of data on various timespans is key to identifying the more “exotic” or newer threats, including 0-day attacks and advanced persistent threats.
When it comes to identifying new and advanced threats, security needs to evolve from being reactive to becoming proactive. And machine learning is emerging as the method that will help drive that evolution. We’ve already seen such complex machine learning algorithms employed in security environments, constantly learning how, where and when new threats are born. Most likely, in 2015, we’ll hear more about this technology and its outcomes.
2. Stronger BYOD policies with broader scope
A recent Bitdefender study showed that 71% of employed Americans who own personal mobile devices are allowed to connect them to their employers’ networks. But oftentimes, these employees trade security for convenience:
39.7% of users who connect personal mobile devices to corporate networks have no lock-screen settings.
29.7% of BYOD users would share their personal mobile devices with friends or family members even if they hold critical company data.
Only 9.1% of BYOD users rely on biometric features as the preferred method for unlocking their mobile devices.
And even if more employees applied basic security practices, a bigger threat would come from the mobile applications they would download. According to Gartner, 75% of mobile apps will fail the most basic of security tests this year. If employees download mobile applications having little security assurances, their devices will become vulnerable to breaches, but so will the company data on that device, and the company network.
Another 2014 industry survey showed that 72% of IT professionals thought BYOD increased the risk of sensitive data leakage. So the concern for data security exists. But it needs to translate into better controls on employee device-employer network connections, and greater security awareness among employees.
In 2015, we’ll most likely see organizations revising their BYOD policies (where these exist) to focus on data security. From the IT department’s perspective, the direction will be towards mobile security solutions employed company-wide, or more comprehensive EMM solutions, depending on the company size. From the employee’s perspective, we’ll most likely see a culture change driven by security education and increased responsibility.
3. More embedded security in IoT devices
A recent study by HP revealed that 70% of interconnected devices are vulnerable to attacks. At the 2014 Black Hat conference, one researcher showed how security flaws in home automation systems – which are also showing signs of increasing adoption – can be easily exploited by hackers. Another showed how the firmware in a simple USB stick can be reprogrammed to allow for malicious activity.
With all these security flaws out in the open, we should expect to see manufacturers starting to integrate security at every connectivity level, from early product design stages. However, what’s most likely we’ll see in 2015 is manufacturers attempting to fix the vulnerabilities discovered, and doing proper security testing at every internet connectivity level on a regular basis. Ideally, this means that the relationship between manufacturers and security vendors will tighten, in the hopes of improving the security of the devices they produce. This will not only plug security risks, but will also lead to new models of building security directly into systems, appliances, devices and applications.
4. Stronger security policies & industry collaboration
Last year wrapped up with a bang – the Sony breach – one of the many that called into question the security practices of large corporations in different industries. The many breaches taking place over the past year showed that some companies such as Target still run traditional flat networks that leave them exposed via their third-party suppliers. Others (Home Depot) showed lack of credit card data encryption in their in-store payment systems. While others (Sony) came across as plain ignorant of basic security rules for storing login information in a folder named “Passwords.”
What lessons should corporations learn from these examples? Aside from the obvious ones, they should look at next generation firewalls to boost network security, use point-to-point encryption to protect data as it is transmitted from one system to another, employ physical network controls for greater vigilance, and share responsibility between them and the parties whose systems are interconnected with theirs.
From the looks of it, institutions and organizations have already started to take steps in establishing better security standards and practices. Following these steps, in 2015, we expect organizations to become smarter about their security.
5. The security threat landscape as threatening as ever
Since the evolving threat landscape is the whole reason why we’re developing security technologies and practices, we can’t wrap up without pinpointing some of the most likely 2015 threat developments.
Mobile spear-phishing attacks targeting employees move mainstream.
Botnet anonymization will further help cybercriminals to make huge profits.
Mobile payment technologies will bring new security challenges.
Mobile ransomware and malvertising may start to be distributed via social networks as well.
The use of personal smart devices connected to enterprise networks will be exploited to access enterprise systems.
End users and IT professionals, take note and beware!
To sum up our security predictions: 2015 is all about smarter security integrated at every connectivity level. It is also about enhanced security awareness. If you haven’t figured out the New Year’s resolutions for your business yet, hopefully these predictions will help you define them.