We’ve just left the “year of the data breach” behind us and cybersecurity has never been more top of mind. Highlights from the past year include the news that a Russian cybercriminal gang stole 1.2 billion usernames and passwords from 420,000 websites by exploiting SQL injection vulnerabilities in web applications; the intrusion into JP Morgan Chase’s network and the third-party website that manages its charity race; and now the unrelenting drama that has been the cyberattack on Sony Pictures Entertainment’s infrastructure.
There are some benefits to the recent activity, including an elevated awareness of the risk inherent with digital technologies and interconnected systems. The newly garnered attention will force changes to the security landscape, from the boardroom to the way your family chooses passwords and monitors its credit card activity.
Companies in all industries are now transforming into “digital businesses,” driven by technologies such as cloud, mobility, and the Internet of Things. At the same time, cyberattackers are becoming more sophisticated, as nation-states share their hacking tools with cybercriminal gangs and with each other. It turns out that the digital connections we are building to connect with customers, partners, and suppliers are also connecting criminals to our data. So it’s not surprising that Gartner predicts worldwide enterprise spending on IT security will grow to $97 billion in 2018 from $71 billion in 2014.
Consequently, we can anticipate the year ahead to be a time for adjustments, as companies adopt new approaches to securing their global IT infrastructures. Here are a few of the things we can expect:
1. Board and C-Level Awareness
As companies increasingly rely on software for strategic differentiation and competitive advantage, boards and C-level executives are becoming more aware of the heightened risk to their businesses — if they weren’t aware after Target, they certainly are after Sony. With the increase of enterprise cybersecurity budgets, we expect them to allocate more resources to application-layer security versus network security to address pervasive threats such as SQL injection, as they focus on building more scalable approaches to reducing risk from all of their web, mobile, third-party, and open source applications.
2. Security and the IoT
The Internet of Things is slowly becoming the Internet of Threats. People are concerned about where their data is going and what’s connecting to what. And while there remains the sensationalized fear that your toy robot will be taken over, the more likely scenario is that your privacy will be violated for the sake of monetization. There is currently a lawsuit in progress where the evidence is data gathered by a wearable fitness device; and we’ve seen cases of a Russian site accessing personal webcams around the world and broadcasting them for all to see.
Additionally, consider a recent Internet of Things State of the Union Study, which revealed over 80 percent of IoT devices raise privacy concerns. It’s a growing market that Gartner estimates will support total services spending of $69.5 billion in 2015 and $263 billion by 2020. Everyone wants to be a part of it, and as a result, products are often being rushed to market with vulnerable software and inadequate protection.
3. Secure Agile Development
The vast majority of applications in use today were developed with an emphasis on functionality and time to market rather than on secure programming practices. Agile development only increases the pressure on developers to get products shipped faster, even if they contain exploitable vulnerabilities.
But it doesn’t have to be an “either/or.” New approaches enable agile development teams to seamlessly embed automated security assessments into their build processes via APIs. But we’ll probably see more breaches in 2015 from firms that haven’t chosen to prioritize application-layer security.
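The two threads above, SQL injection as the pervasive application-layer flaw and automated checks wired into the build, can be shown side by side. The following is an added example, not code from the article or from Veracode: a login lookup written with string concatenation next to the same lookup with parameterized queries, run against an in-memory SQLite table, plus a crude regex heuristic that stands in for the kind of automated assessment a build step would call through an API. The `users` table, its rows, the input strings and the sample source text are all constructed for illustration.

```python
"""Added example: a vulnerable SQL lookup beside its parameterized fix, and a
crude build-time heuristic that flags the concatenation pattern. Everything
here (table, rows, inputs, sample source) is constructed for illustration."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable form: user input is spliced into the SQL text, so a quote in
    the input can change the query's structure instead of supplying a value."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep the query structure fixed and the
    driver passes the input purely as data, so quotes cannot alter the SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both forms against a correct password, a wrong one, and a classic
    tautology string; only the concatenated query is fooled by the last one."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed injection input
    return {
        "concat_valid": login_concat(conn, "alice", "correct-horse"),
        "concat_wrong_password": login_concat(conn, "alice", "nope"),
        "concat_injected": login_concat(conn, "alice", tautology),
        "param_valid": login_param(conn, "alice", "correct-horse"),
        "param_wrong_password": login_param(conn, "alice", "nope"),
        "param_injected": login_param(conn, "alice", tautology),
    }


# Crude heuristic (an assumption, not a real scanner): a line that holds a
# quoted SQL statement AND builds that string dynamically is worth a look.
SQL_VERB = re.compile(r"""["'].*\b(select|insert|update|delete)\b.*["']""", re.IGNORECASE)
DYNAMIC = re.compile(r"""\+\s*\w|\.format\(|%\s*\(|\bf["']""")


def flag_concatenated_sql(source: str) -> list:
    """Return 1-based line numbers where SQL text appears to be assembled from
    variables; the sort of check a build pipeline could run before merge."""
    return [
        i for i, line in enumerate(source.splitlines(), 1)
        if SQL_VERB.search(line) and DYNAMIC.search(line)
    ]


# Constructed sample source: lines 2 and 3 build SQL dynamically, 1 and 4 do not.
SAMPLE_SOURCE = '''\
rows = db.execute("SELECT id FROM users WHERE name = ?", (name,))
rows = db.execute("SELECT id FROM users WHERE name = '" + name + "'")
rows = db.execute(f"DELETE FROM sessions WHERE token = '{token}'")
log.info("updated " + str(n) + " rows")
'''


if __name__ == "__main__":
    print(demo())
    print("suspicious lines:", flag_concatenated_sql(SAMPLE_SOURCE))
```

The heuristic is deliberately simple and will produce false positives and misses; the point is where it runs (in the build, automatically, on every change) rather than how clever it is. A real assessment service called through an API does the same job with far better analysis, and the parameterized form is the fix it would point the developer toward.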
Overall, we see security becoming a major differentiator in 2015’s competitive software market. As the number and complexity of applications grow, and as even more devices become interconnected, we’ll see an exponential increase in the attack surface available to cyberattackers. This will require a dramatic change in the way we think about security. For example, we expect to see a higher focus on proactively reducing web application vulnerabilities — now the #1 attack vector for cyberattackers, according to the Verizon Data Breach Investigations Report — while at the same time implementing rapid response systems to quickly identify and isolate successful attacks when they inevitably occur.
Chris Wysopal is CTO and cofounder of Veracode.