BreachExchange mailing list archives

A new dawn of data breach awareness in 2016


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 Jan 2016 13:30:30 -0700

http://www.itproportal.com/2016/01/08/a-new-dawn-of-data-breach-awareness-in-2016/

This year, we will likely see a shift in the way we respond to cyber
attacks, as both the business community and consumers finally accept that
data breaches are a part of life. After a series of high profile data
breaches in 2015 – including TalkTalk, Ashley Madison and Hacking Team –
consumers are becoming increasingly aware of the seriousness of security
breaches and their potential impact on data theft victims. As a result, we
anticipate that these highly publicised incidents will help lead to a shift
in the way that businesses respond to attacks, with security teams looking
to strengthen their incident response methodologies and collaborating to
find new ways to protect themselves from emerging threats.

In the wake of these major breaches, there is a greater need for companies
to respond quickly and effectively. This is not just from a technology
perspective, to get their systems back up and running again; companies also
need to make sure they have the right communication strategies in place to
reassure both stakeholders and customers. There have been several examples
throughout the year where the public relations part of a breach was not
handled optimally. So in 2016, we expect the boardrooms of many companies
to increase their focus on all aspects of incident response as they look to
acquire or further develop the skills required to respond effectively.

As high-profile breaches become more commonplace, better collaboration will
be needed among IT security teams in order to share information on emerging
threats. Next year, we expect to see more formal processes in place for
sharing information on potential security threats. This will not only be
among organisations and industry verticals, but perhaps more importantly,
among individual security practitioners as well. With the creation of more
trust networks for the sharing of threat data and best practices, companies
will be in a better position to defend themselves against threats.

To help consumers understand the potential dangers involved, we expect to
see an increased push around security awareness training in the coming
year. User awareness training has been the bane of many a security
professional’s existence in recent years. However, such training has begun
to expand out of the corporate world, with government educational
initiatives and programs aimed at teaching children to be safe online. This
awareness training trend will likely continue and expand in 2016.

Next year we are also likely to see criminals start to combine personal
data stolen from different breaches to cause maximum damage to affected
individuals. Traditionally, it’s taken a while for people to notice the
impact of a data breach. Identities get stolen, as does money from bank
accounts. However, the Ashley Madison breach changed the dynamic because it
brought to light the fact that, given the right context, both personal and
professional lives could be much more severely impacted by data breaches
than previously thought. Unfortunately, the rising frequency of breaches
doesn’t look to be slowing down any time soon, and so, going forward, the
cumulative impact of data correlated from multiple breaches may pose a
significant threat to victims.

Privacy will also continue to be a key issue next year – for companies
and individuals alike. The continuing evolution of attempts to regulate
privacy in different countries across Europe will pull information security
issues to the forefront of many debates. Most prominent will be the case of
Safe Harbour and how such European rulings will affect the global transfer
of personal data going forwards.

Responsible disclosure

The proliferation of the ‘Internet of Things,’ and the security threats
that come with it, have been in the news repeatedly in 2015, as researchers
discovered and made public potential vulnerabilities around the plethora of
Internet-connected consumer devices. Researchers found serious
vulnerabilities in things like aeroplanes, medical devices, guns and cars,
where hacks could have potentially devastating consequences. The discovery
of new security vulnerabilities in the expanding number of
Internet-connected things is likely to continue in 2016.

However, as more security vulnerabilities come to light, we can also expect
to see further delays in the time taken by companies to respond to security
researchers who contact them about potential problems. Earlier this year,
an AlienVault survey revealed that the majority of IT professionals (64 per
cent) believe that if security researchers get no response from
manufacturers when disclosing vulnerabilities with life-threatening
implications, then such information should be made available to the public.

Security researchers are positioned at a pivotal time in breach history,
and 2016 could bring about radical changes in how vulnerabilities are
discovered, confirmed, reported and addressed. The emergence of tech
companies adopting bug bounty programs has helped facilitate
company/researcher relationships; however, there are still large segments
of manufacturing and industry that would rather utilise lawyers to block
research than address discovered vulnerabilities. Researcher
self-regulation has been touted as another option for security researchers
to consider. It is unlikely that we will see the conclusion to this debate,
but we will likely see some major moves being made in 2016.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
