Remember Anna Kournikova? Come with us on a tour of bug-squishing history
We'll also take a look at the more pernicious malware
No target too small
In this chaotic landscape, almost any business is a target. “I see the current environments of threats as more full on than before,” says Paul Dorey, director at security consultancy CSO Confidential and visiting professor at Royal Holloway, University of London.
“We have always seen attacks on the big targets like governments and banks, but now the whole supply chain is attacked to find the weakest link into corporate and personal data, no matter where it is held.
“Nobody is too small to be below the radar if they hold data worth stealing or manipulating.”
And more is to come. “It is not going to get any better soon – especially as there is much more money in selling security products than there is in training people in common sense,” says Schifreen.
The malware of the future is likely to be more destructive, while mobile threats will become more pernicious than the premium-rate SMS Trojans that make up most of the problem so far, says Jason Steer, director of technology strategy at security company FireEye.
“The Dark Seoul attack [which wiped systems at South Korean banks and TV stations] last year has really opened people’s eyes to more destructive attacks coming along. We did see a recent Zeus kit that had a wipe feature, so even crimeware that is prolific is getting this destructive capability now,” Steer says.
“Destructive is going to happen more as legislation comes in to report events. Hackers don't want to get caught so they will burn more to avoid prison,” Steer says.
“Mobile is going to become more sophisticated. It is still immature and will only improve. The bad stuff is focused on monetising but expect to see more in the espionage and surveillance field to get bigger.”
The biggest test of security chiefs’ abilities, however, will come with the rise of the Internet of Things (IoT). As embedded devices spread, operating on an automated basis and with limited security functionality, previously unconnected machines will become targets, whether they are printers or TVs.
IoT will not only expand businesses’ attack surface, it will also lead to greater complexity, meaning various controls will need to be applied to ensure trust is embedded in the machines, says Dave Raggett from the World Wide Web Consortium.
“Trust has to be earned. Services will need to provide clear privacy policies and to underpin that with strong security, both proactive and retroactive,” he says.
“Proactive security involves encryption, authentication, access control and approaches for handling privacy and provenance. Retroactive measures include monitoring for abnormal behaviour, defence in depth and mechanisms for limiting the effects of attacks.”
Dark cloud in view
IoT is also expected to change the nature of corporate security teams. Analyst firm Gartner has gone so far as to claim IoT security requirements “will reshape and expand over half of all global enterprise IT security programmes by 2020”.
It will bring about increased use of contractors and cloud providers, while businesses will seek to foster different skillsets, according to Earl Perkins, research vice-president at Gartner.
“During the early years of the IoT, skills for securing this environment will be scarce and will force many security officers to use contractor services while building expertise internally,” he says.
“Traditional security will go to hosted and cloud-based services to make way for the security teams to focus on this initial IoT security surge. Most IoT services will be heavily data-centric, so expect a surge in cloud-based data analytics to augment security-staff capabilities.
“Security teams will become more proficient in embedded software and systems, machine-to-machine communications and key management, to name a few new skills. Threat detection and response, vulnerability management, identity management and data protection – all will expand to include these new platforms and networks at scale.”
Call the experts
Many are already looking to outside help to assist with the growing pressures. Managed security services providers (MSSPs) are becoming increasingly attractive, as are pentesters helping to uncover holes in infrastructure.
In a survey of 833 security professionals, vendor Trustwave found 36 per cent already use MSSPs and 46 per cent plan to do so in the future.
Not that services providers can always be trusted, however. “There is a lack of maturity in that market as well,” says Dorey.
“Better standards of certification of security services and individuals, such as Institute of Information Security Professionals accreditation, are essential to help the less sophisticated buyer. Most companies will aim for a blended capability of internal and external security expertise.”
With the number of threats becoming unmanageable and traditional perimeter defences failing to repel new ones, the shift to increased use of MSSPs and cloud-based security is already in full swing, according to Honan.
Even the likes of the NHS have lumped money into the cloud, as seen in the health service’s deal with Zscaler to detect threats.
But providers are being trusted only with the most boring parts of security, as security officers look to involve themselves in strategy rather than getting bogged down in rudimentary technical tasks, according to Honan.
“I see companies looking to outsource a lot of their mundane and time-consuming tasks to third parties to enable their own experts to focus on the threats to their business,” he says.
“Risk management and other strategic tasks should remain in-house. It is too vital to the business to outsource such functions to a third party.”
Some are reluctant to give up any control whatsoever, especially since Edward Snowden’s revelations regarding NSA and GCHQ access to companies’ information.
“Anything security-related is best kept in house. Period,” says Schifreen. “Ask Snowden if you don't believe me.” ®