Originally posted by ID Experts Blog. Reposted with permission.
2015 was a challenging year for defenders of privacy and security. For the first time, cyber-attacks became the leading cause of data breaches, as indicated by several annual data breach studies, including the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. At the beginning of the year, multiple experts (including ID Experts) also predicted that 2015 would be “the year of the healthcare data hack,” and so it has been, with Anthem, Premera, and other big breaches in the news. Gemalto’s Breach Level Index reported 187 healthcare breaches in the first half of the year alone, with 84.4 million healthcare records breached, accounting for 34 percent of all records breached at that time.
With no obvious end in sight, these trends are likely to continue, but 2016 will present some new challenges. To help you prepare, we asked a number of experts in information privacy and security what they think will be the most significant threats and trends in the coming year.
1. Cyber-crime Will Continue to Grow
Karen Barney, program director at the Identity Theft Resource Center (ITRC), predicts that the threat of cyber-attacks and cyber-crime will continue to grow: “We track data breaches daily, and we’re seeing from our data breach report that hacking and skimming have definitely increased significantly over last year. In 2014, hacking, skimming, phishing and other cyber-threats accounted for 29 percent of breaches. So far this year, they account for 38 percent, and I expect that trend to continue into 2016.” But she is also seeing a positive, though unexplained, trend: “There is a decrease in breaches caused by sub-contractors and third parties: in 2014, third-party breaches were at 15 percent, whereas in 2015 so far, they’re only at 9 percent. We don’t know what’s behind that trend, but it’s a point of interest.”
2. Beware the IoT
Experts are watching the “Internet of things” closely for signs that cyber-thieves are turning their sights to the billions of devices that are fast becoming part of our everyday computing environment.
Rick Kam, president and co-founder of ID Experts, points out that hacking of connected devices is fast moving from a theoretical vulnerability to a significant threat. “Right now, it makes the news when researchers are able to change the operation of a heart pump or take control of a Jeep via its Internet-connected entertainment system. These reports are great news bytes, but these researchers are showing us the next step in a problem that’s already happening. Our power, water, and manufacturing plants are being attacked every day, and hostile or activist hackers have been able to take over everything from a ship at sea to centrifuges at nuclear plants, steel mills, and even smart appliances. Not only are all these devices vulnerable endpoints that can let hackers into our business systems, it is only a matter of time before we see successful large-scale attacks on our infrastructure. If hackers will use ransomware to get a few hundred or thousand dollars by holding a home computer or small business computer hostage, how long can it be before they are ransoming a power plant, a water supply, or critical medical devices?”
Dr. Larry Ponemon, chairman and founder, Ponemon Institute, concurs. “All of this disruptive technology will create all sorts of new potential security issues. We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists. And this is not science fiction. It’s already been demonstrated.”
Doug Pollack, ID Experts chief strategy officer, worries about the privacy risks of personal devices:
“I see the explosion of wearable devices as a likely new area for potential privacy concerns. Just as with mobile devices, wearables are likely to expose new security threats, while getting real-time access to new types of data about individuals that has not been captured before. Especially as new applications are deployed on these devices, there will be unintended consequences when it comes to the protection and privacy of the user’s personal data.”
Liz Fraumann, executive director of the Securing Our eCity Foundation, sees data collection as one of those unanticipated privacy risks for the IoT. She points out that, “Cisco says there will be 50 billion ‘things’ online in just 5 years. For example, I was in a discussion recently about biofeedback mechanisms such as the FitBit. They broadcast personal information, GPS coordinates, and more. Healthcare providers say they want that data, but who else will have that data? To take the hypothetical from the worrisome to the slightly ridiculous, look at Internet-ready toilets and refrigerators. Say I am diabetic, and my toilet and other monitors send my blood sugar information to my doctor throughout the day, and all that ties to my refrigerator. Now I ate something I shouldn’t, so my toilet tells on me and my refrigerator locks. And who else has access to this information? Do you want your insurance denied because you had an ice cream bar or forgot to take your meds one day? We want choices as individuals, but with all the monitoring, you could have less and less.”
3. Security vs. Privacy Face-Off
Dr. Larry Ponemon expects that 2016 will see a growing tension between security and privacy. “I think we’re already seeing the beginnings of this struggle in the disagreements between Apple and the federal government and EU Safe Harbor ruling. With all the international tensions, we are going to see more cyber-terrorism and general terrorism, at the same time individuals are looking for greater privacy protection. For example, people might want phone encryption to protect their personal privacy but bad guys could use that to hide, so it’s a tension. If you’re worried about going to a restaurant without getting shot, that’s more important than encryption on your phone. With worries about physical security, there may be a backlash that could prevent companies from implementing stronger digital security.”
4. Threat Intelligence Will Increase
Dr. Ponemon also predicts that threat intelligence and tracking will evolve in 2016: “We will continue to improve our ability to use advanced analytics to identify anomalies. Threat intelligence, network intelligence, and intelligence feeds will continue to grow at a good clip. The caution on any kind of surveillance is that many of the surveillance tools being used by hackers today start with government, but they get out the back door and backfire when they get in the hands of bad guys.”
Meeting 2016 with New Resolve
The Securing our eCity Foundation works with individuals and businesses to help prepare for privacy and security threats. Based on the experiences of businesses she works with, Liz Fraumann has some recommended New Year’s resolutions for businesses of all kinds and sizes:
- Educate your staff. Especially with the pace at which everyone is working, we are set up to make mistakes that can cause data breaches. For example, the Anthem breach started because an admin didn’t catch a typo in the company name in a phishing attack and clicked on a link that let hackers invade their systems.
- Put a social media policy in place. Make it clear what people are allowed to access on work equipment and networks and when, and what they should never do.
- Have a response plan in place before you are breached.
- Segment your networks to make it harder for attackers to get to sensitive information. Don’t have the accounting department on the same network as research or human resources. Subnets also make it easier to set different access privileges for different employees, so, for example, stolen credentials from a marketing intern don’t lead to a breach of all your employees’ or customers’ personal information.
Threats will continue to evolve, but all of these basic measures will help you to be more successful in meeting whatever privacy and security challenges come your way. Meantime, watch for our next installment, “Top Privacy Compliance Predictions for 2016.”