From Ashley Madison to the Office of Personnel Management (OPM), hackers did not discriminate between organizations or industries when it came to unleashing cyber-attacks in 2015. This past year, data breaches affected millions of people with headlines of a new hack appearing almost daily. On an individual level, customers’ passwords were compromised, credit card information stolen, and private lives became public to name a few ill-fated scenarios.
On the other hand, the organizations that were hacked lost millions of dollars, trust from their customers, and brand credibility. Many will not recover from such serious blows to their reputations. Businesses can only withstand a cybersecurity hack if they invest the time, effort, and money into response, recovery, and the future protection of the organization and its customers.
With lessons learned from 2015 in mind, here are four predictions related to cybersecurity that will make news in 2016:
In 2016, organizations will come to realize that a cybersecurity breach is inevitable and stakeholders will point to the CEO as the responsible party when they occur. No one is immune to cyber threats and the sooner corporate boards and C-suite executives realize this, the better off their organizations will be.
Because cybersecurity is no longer an issue solely reserved for IT departments, the C-suite, particularly CEOs, will be held responsible for data breaches. The sophistication of cyber threats is unprecedented, requiring executives to evaluate the access of data from employees, customers, partners, regulators and vendors. As such, after a breach occurs, many CEOs will either be forced to step down or be fired.
Additionally, executives must be able to demonstrate they have taken all possible precautions to protect their customers’ data. Public expectations of transparency are likely to increase based on the increasing number of breaches. If CEOs cannot provide evidence of their organizations’ efforts, they will be swiftly replaced.
Corporate boards will scrutinize new CISO hires more than they had previously and more than any other C-suite position. A CISO will be expected to mitigate cyber risk, and ensure the organization maintains the philosophy and practice that compliance does not equate to security. Being compliant is important, but organizations must assume that measures must be taken above and beyond compliance and have strategies in place for identifying areas in need of security improvements.
Performing penetration tests – tests where third parties are paid to infiltrate an organization’s infrastructure in order to uncover holes in security – will be one way CISOs will help arm their organizations against unfriendly hackers. Having a data breach response and recovery plan will be another way CISOs mitigate risks for their businesses and their customers.
As 2015 demonstrated, data breaches are a very real and pervasive threat. Only by taking preemptive measures and proactively preparing a response and recovery strategy will organizations be able to bounce back when one occurs to them.
Part of this proactivity will come in the form of cyber insurance. Even with executives understanding the need for a cybersecurity strategy, it is difficult to calculate all potential costs involved in a breach. Financial considerations must include both direct and indirect costs. An example of direct costs is the financial reparations paid to affected customers after a breach. Indirect costs can include the legal fees incurred while an organization is sued for these reparations.
By purchasing an insurance plan, organizations will be able to minimalize the out-of-pocket costs of a breach.
Organizations will come to understand the threat that connected devices pose to their enterprises. Individuals are using unsecure mobile devices and cloud-based applications without realizing it, which is why MDM and its providers will play a vital role in maintaining organizational security.
Entry into an organization’s infrastructure via a mobile or connected (IoT) device can be relatively simple if the organization is not prepared. For example, if a person’s cell phone or an application on his or her cell phone is hacked and the device is connected to a company’s wireless internet system, a hacker can gain access to the company’s network.
2016 will inevitably be a year with many more data breaches, but hopefully 2015 has taught us that C-suite proactivity and strategy can minimize cyber risk. Learning from the missteps of 2015 will enable organizations to approach cybersecurity with a top-down approach, making it a priority for employees at every level.
By Larry Jones
