Cybersecurity has quickly morphed from a server room issue to a boardroom issue. With the increasing pace, frequency and sophistication of cyberattacks unlikely to abate anytime soon, cybersecurity will continue to evolve rapidly to cope with new attack methods and vectors. Consequently, predicting the future of the cybersecurity industry depends, to a large extent, on predicting the future actions of cybercriminals.
We know that the profile of a cybercriminal has changed markedly from the script kiddies and crackers of the 1990s to the sophisticated, almost corporatised organisations of today. Many cybercriminals are employed by highly sophisticated organisations and paid a living wage so they can spend all their time looking for ways to penetrate their targets.
Cybercrime is a huge growth industry and the opportunities for cybercriminals to successfully attack their chosen targets will only increase as the world pivots to digital technologies for everything. There are estimates that the number of connected devices will grow to 30 billion by 2020. That’s 30 billion opportunities to gain unauthorised access to a company network or to an individual’s private details.
In the face of such massive scale, businesses need to look at smarter ways to protect themselves. The future of cybersecurity will therefore need to include at least four key concepts:
Threat intelligence must be shared among organisations
Law enforcement organisations are woefully under-resourced when it comes to dealing with cybercrime, so the burden of protection falls on the organisations themselves. When businesses share information about the attacks they have experienced, it creates a kind of herd immunity. As more companies fall victim to significant attacks, they will continue to realise the benefits of sharing this information.
By sharing threat information, businesses can neutralise the cybercriminals’ approach and make it more difficult for them to successfully deploy the same attack more than once. As this continues, the economics of cybercrime may become less attractive to cybercriminals and the frequency and severity of attacks may eventually dwindle.
Cybersecurity will develop into DevSecOps
DevOps has shown businesses how to break down siloes and operate more effectively. Now, businesses need to take a similar approach to cybersecurity. What is needed is a new approach that seamlessly integrates developers, the operational team, and the security team. It’s not just about building an app in the cloud; it’s about building security in from the very beginning.
Security should natively work within the code. DevSecOps is the best approach to give organisations the five key requirements for success: visibility and control; segmented applications; threat prevention; process automation; and central management.
Automation must become the default option
Automated threat response overcomes the natural disadvantages companies have when they tackle security issues by allocating more human resources to them. The only way to effectively fight software-based attacks is with better software that can be deployed automatically, thus reducing the time and effort required to fend off the constant attacks.
The goal is to automate the process of detection, and implement an equally automated and closed-loop process of prevention. This not only reduces the burden on security teams but also shortens the response time.
Businesses must decide how to approach cyber risk
A business’s approach to security must be well understood by all employees from the top down. When a cyberattack hits, there’s not always time to call a board meeting to discuss how to respond, so security must be a continuous topic of conversation throughout the organisation.
The ideal approach finds the balance between the amount of risk an organisation is willing to embrace and the budget the organisation has to spend on security tools and methodologies. For many organisations this conversation now encompasses cyberinsurance. This exploding market is still immature but demand is growing exponentially and, as the risks and returns of cyberinsurance become more predictable or better understood, more Australian businesses will consider it an essential part of business risk management.
Businesses need to commit to an ongoing, constant and consistent program of security education for all employees and stakeholders. Cybersecurity success happens when the risk is acknowledged and managed.