Monday 4 January 2016

Review of 2015 & Predictions for 2016 #ITSecurity

Guest Blogger: Nick Prescot 
Senior Information Security Manager
A new year beckons and there's been a lot in regards to what happened in 2015 and what will happen in 2016.  Well what has been a occurence and a prediction is that cyber data breaches are becoming more commonplace in the minds of the C-level suite, news headlines and conversation at dinner parties.

Like many people over the festive period, there was the catch up with relations and friends along with the inevitable phrase of, 'what are you now doing these days?' - given that most of my respondents are used to the lawyer/accountant/banker/doctor/army officer type response, the reply of 'cyber security' always raises a slight eyebrow.  Their next thoughts are that I'm a hacker and/or work for the government. And then there are lots of questions about emails and credit cards and how they use various ways to thwart the hackers.

My response has been that I'm not a hacker, neither do I work for the govt. and then the general security awareness training.  People I think are interested for the first 10 mins and I can then see them gently nodding off whilst I get into the swing of it.  That's good news because they won't ask me again what I do and there is discussion of normal things.

So big breaches will happen (there was even a DDoS attack on the BBC on 31st December 2015) and the rise of awareness and investment in these areas will continue.  Companies will be buying cyber insurance and at the same time be putting in preventive controls as well. Whilst cyber insurance can help you in the event of a data breach, they can't help you prevent a data breach and that's where preventive and detective controls are so important.  This is where there will be an emerging difference in the market in that the insurers will be hedging on which of their insured will be the news story that will ignite the market and the companies not 'letting in a goal' when they didn't employ best practices in terms of defending their cyber assets.

Reputation is a big thing now too.  'Talk Talk' has a whole new meaning now and whilst many people felt that brave appearances on news channels was a good thing, little did it hide that it was the third time in a year that their systems had been breached and that it was allegedly taken down by some bedroom script kiddies using a DDoS attack and some SQL much for state sponsored cyber terrorists/hackitivists doing the dirty work.

Oh, and there's the EU GDPR (yes, it's a new acronym) and it's one that will be pressing on the minds of all.  Whilst it won't come into effect until next year, it will mean a lot of changes to any company processing personal data as a 3rd party.  Also the EU NIS (Network and Information Security Directive) will mean that countries within the EU will need to have a maintainable level of network and information security in place...this means CERT's...lot's of CERT's, co-operation and resilience reporting from large institutions and public bodies to ensure continuity of these services in the event of a data breach.

So before I rabbit on in a dinner party style conversation and my audience nods off over the glass of port, the trend is clear; the legislation is getting tighter in terms of ensuring that you don't lose the data or be in a position where the data can be lost.  Also, reputation of the cyber assets is now firmly in the scope of dealing with good and bad PR.  Being secure is a positive attribute and if there is a data breach, having a track record of not being continuously hacked and a lack of controls won't be a bad thing!

Whatever happens in the next year, what's clear is that more data than ever will be processed, there will be a new iphone/ipad; Microsoft will sell their holographic glasses and Google will have a new version of the google glass.  Apart from that, I will most probably be saying the same thing in 12 months time.

Blog on LinkedIn
More about me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies whom are looking to improve the cyber resilience and posture in the ever ongoing battle against the emerging and continuing cyber threats.  By taking a detailed and holistic view of client's policy and governance infrastructure entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to client in order that their infosec operations and processes are aligned to industry practice.

Nick is also a seasoned incident response manager and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and deploy the specialist response assets can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'

No comments:

Post a Comment