Cyber security insurers will create a more definitive model of risk measurement and management, changing how security is defined and implemented, according to the 2016 Websense Cybersecurity Predictions report by Raytheon-Websense.
“Businesses will need to better understand what is expected of them if they were to consider a cyber insurance policy,” said Carl Leonard, principal security analyst at Raytheon-Websense.
“Many businesses may find they are not in a strong position to prove they have done all they are required to do by their insurers to mitigate an attack,” he told Computer Weekly.
Raytheon-Websense predicts that the requirements for taking out a cyber insurance policy could become as much a driver of business behaviour as regulatory requirements.
To maintain the profitability of issuing cyber insurance policies, the report said the insurance market will attempt to gain as much real-world threat and protection intelligence as possible, and should develop minimum-level requirements for issuing policies.
Cyber insurance policy costs
Cyber insurance for companies is expected to be based on the value of the company, how prepared it is to defend against attacks, how often it is likely to be attacked and how quickly it can respond to breaches, regain control and eject attackers.
A recent report from market intelligence and ratings provider Standard & Poor’s notes that as successful and financially damaging attacks grow, the cost of cyber insurance could rise or coverage could become more restricted.
The report’s authors expect to see an increasing level of sophistication in the way the risks associated with a cyber breach are factored into policy cost, just as a driver’s safety record and driving habits are factored into the cost of motor insurance.
According to the report, savvy defenders should factor policy costs into decisions on defensive purchases and consider how verifiable reductions in security risk exposure, such as third-party continuous monitoring of corporate networks for risky user behaviour, could affect premiums.
The report said that regularly training employees to handle email attachments and browse safely reduces the risk of a breach, and that this will increasingly be reflected in lower insurance premiums.
Over time, the report predicts that cyber insurance will drive improvements in company security posture to better handle threats.
“In the light of this need for better risk mitigation, the next consideration is likely to be how to prevent data theft if attackers manage to breach your cyber defences and get inside your organisation,” said Leonard.
“We predict security professionals will welcome data theft prevention products (DTP) for their return on investment in mitigating the risk of data theft and reducing the period of compromise, and that DTP adoption will increase in more mainstream companies in 2016,” he said.
As a result of recent very public breaches, the predicted changes in cyber insurance, the increased visibility of cyber issues in the boardroom and continued worries about data loss, the report said data theft prevention technologies will be adopted more aggressively outside their traditional installation base.
Cyber criminals dealing information
A top prediction for 2015 was that cyber criminals were set to become information dealers, using the sale of credit card numbers to fund the collection of a broader range of data from several breaches to compile comprehensive records on individuals.
“We have seen data sometimes reach a value of £30 for a set of fullz – the term used for a complete set of personal information – which is being driven by demand in the underground market for use in identity theft and fraud or for sale to others for these purposes,” said Leonard.
As data continues to grow in value, he predicts that data theft prevention is likely to become the leading way for information security professionals to engage with company boards, and businesses that have not discussed this topic will be seen to be lagging behind the times.
Views on privacy will evolve
According to the report, companies should assume they are the target for data-stealing attacks and respond by adopting a risk-based approach to defence and start planning for DTP to become a mainstay of a state-of-the-art cyber defence package.
However, the report said companies should evaluate the effectiveness of any DTP system carefully because the prevalence of DTP systems will cause sophisticated insiders to conceal, obfuscate and encrypt stolen data, which would render simple “integrated” DTP ineffective.
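The caveat above is easy to see in code. The following is an added example, not code from the report or from Raytheon-Websense: a signature-style rule that matches card-number patterns, the kind of "integrated" check the report has in mind, beside an entropy check that notices when an outbound blob no longer looks like text at all. The sample export is constructed (card numbers derived from SHA-256, invented names), the XOR-after-compress step is a crude stand-in for whatever an insider actually uses, and the 7.0 bits-per-byte threshold and 512-byte minimum are assumptions to tune against real traffic.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

# Constructed sample export: 400 fake customer records. Card numbers are
# derived from SHA-256 so the sample is deterministic; nothing here is real.
_NAMES = ["A Smith", "B Jones", "C Patel", "D Okafor"]


def build_sample_export(n_records: int = 400) -> bytes:
    rows = []
    for i in range(n_records):
        digest = hashlib.sha256(f"record-{i}".encode()).hexdigest()
        card = str(int(digest, 16) % 10**16).zfill(16)
        rows.append(
            f"id={i:05d};card={card};exp={1 + i % 12:02d}/{17 + i % 5};name={_NAMES[i % 4]}\n"
        )
    return "".join(rows).encode()


SAMPLE_EXPORT = build_sample_export()

# Signature-style DTP rule: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")


def simple_dtp_match(payload: bytes) -> bool:
    """What a simple content-matching DTP rule does: look for card-number patterns."""
    return CARD_RE.search(payload) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def obfuscate(payload: bytes, key: bytes = b"not-a-real-key") -> bytes:
    """Compress, then XOR with a repeating key (assumed, crude stand-in for what an
    insider does before exfiltration): no card pattern survives in the bytes on the wire."""
    compressed = zlib.compress(payload, 9)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(compressed))


def entropy_dtp_match(payload: bytes, threshold: float = 7.0, min_len: int = 512) -> bool:
    """Flag large outbound blobs that look compressed or encrypted rather than like text.
    Unlike the signature rule this cannot say what is leaving, only that it is unreadable,
    so it is a trigger for inspection or blocking of unapproved encrypted channels."""
    return len(payload) >= min_len and shannon_entropy(payload) > threshold


if __name__ == "__main__":
    for label, payload in (("plain export", SAMPLE_EXPORT),
                           ("obfuscated export", obfuscate(SAMPLE_EXPORT))):
        print(f"{label:18s} entropy={shannon_entropy(payload):.2f} "
              f"signature_dtp={simple_dtp_match(payload)} "
              f"entropy_dtp={entropy_dtp_match(payload)}")
```

Run stand-alone it shows the signature rule firing on the plain export and going silent on the obfuscated one, while the entropy check does the opposite. Neither alone is enough: the signature rule needs readable content, and the entropy rule will also fire on legitimate archives and TLS, which is why the report's advice to evaluate a DTP system against obfuscated and encrypted exfiltration, not just cleartext, matters.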
“In 2016, companies should also start thinking about how their employees can necessitate a different approach to how they deploy security because of greater concerns around privacy,” said Leonard.
“The increasing frequency of data breaches, such as the many seen in 2015, is changing the way we think about personally identifiable information (PII), and we are moving to a post-privacy society, where it is not uncommon for an attacker to have access to information we have previously considered as personal,” he said.
Raytheon-Websense predicts that society’s view of privacy will evolve, with great impact on defenders.
“To protect their privacy, employees are likely to use encrypted web services, virtual private networks and privacy tools, making it more difficult for security systems to understand what sorts of transactions are occurring. This means businesses may have to rethink their security strategies to ensure they understand what employees are doing,” said Leonard.
According to the report, DTP and post-breach activities will become increasingly important and society’s shifting privacy conceptions may help or hinder security monitoring, with PII areas needing to be watched with extraordinary care.
“While it is hard to be fully prepared for such an unknown, at a minimum defenders must take careful stock of their data handling practices, adopt a nimble footing in this changing landscape and also make it clear where security practices actually enhance personal privacy, rather than erode it,” the report said.
Identify the use of privacy tools
To regain control and visibility, Leonard said businesses should consider deploying inspection technologies designed to analyse encrypted traffic and scan the content for security risk and have the capability to identify the use of privacy tools.
“Again, this underlines the need for DTP tools to ensure that employees are not sharing business data with unauthorised outsiders,” he said.
In 2016, Leonard said businesses will have to pay more attention to the behaviour of attackers and the behaviour of the business.
“Attackers are adopting technologies and infrastructure at a great speed, specifically generic top level domains (gTLDs). It might come as a surprise to many businesses the extent to which malware authors have adopted gTLDs for malicious purposes,” he said.
The report predicts that the gTLD system that allows people to register TLDs such as .car, .wine and .computer will provide opportunities for attackers to confuse users and to ensnare and entrap their computers with malware.
Consumers shopping for a computer could easily be tricked into visiting shop.apple, apple.macintosh or apple.computer, when none of these may represent legitimate businesses.
This potential confusion is a golden opportunity for criminals and nation-state attackers to create highly effective social engineering lures to steer unsuspecting users toward malware and data loss, the report said.
Savvy defenders, the report added, should carefully consider each major change of this kind rather than waiting for the wave of attacks.
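One concrete check a proxy or log pipeline could apply to the gTLD lures described above, as an added example that is not code from the report or from Raytheon-Websense: normalise each visited hostname (including punycode), work out its registrable domain, and flag hosts where a protected brand appears as the TLD itself (shop.apple), as the brand-bearing label under an unexpected TLD (apple.computer, secure-examplebank.wine), or where the TLD is on a locally maintained watchlist. The brand allowlist, the gTLD watchlist, the two-label suffix list and the proxy-log lines are all constructed for the example; a real deployment would take them from a public suffix list and a threat-intelligence feed.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: brands the organisation cares about and the registrable domains
# those brands legitimately use. Values are constructed for this example.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "examplebank": {"examplebank.com", "examplebank.co.uk"},
}
KNOWN_GOOD = set().union(*BRAND_DOMAINS.values())

# Assumption: gTLDs the organisation has chosen to watch because malicious
# content has been seen under them. Illustrative list, not a real feed.
GTLD_WATCHLIST = {"computer", "macintosh", "wine", "car"}

# Minimal stand-in for a public-suffix list so "co.uk"-style suffixes yield
# the right registrable domain (assumption; use the real list in production).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def fold(label: str) -> str:
    """Strip accents so an IDN label such as 'ápple' compares equal to 'apple'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def hostname(url: str) -> str:
    """Extract the lower-case hostname, converting punycode (xn--) labels back to Unicode."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as-is
    return host


def registrable_domain(host: str) -> str:
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess(url: str) -> list:
    """Return a list of human-readable findings for one URL (empty means nothing suspicious)."""
    host = hostname(url)
    labels = host.split(".")
    if len(labels) < 2:
        return []
    tld = fold(labels[-1])
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return []
    # Split the brand-bearing label on hyphens so "secure-apple" matches but "pineapple" does not.
    tokens = {fold(t) for t in reg.split(".")[0].split("-")}
    findings = []
    for brand in BRAND_DOMAINS:
        if tld == brand:
            findings.append(f"brand '{brand}' used as TLD: {host}")
        elif brand in tokens:
            findings.append(f"brand '{brand}' under unexpected domain: {reg}")
    if tld in GTLD_WATCHLIST:
        findings.append(f"TLD .{tld} is on the gTLD watchlist: {host}")
    return findings


def scan_proxy_log(lines):
    """Map URL -> findings for every log line (timestamp client method URL) that raises one."""
    flagged = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        hits = assess(fields[3])
        if hits:
            flagged[fields[3]] = hits
    return flagged


# Constructed proxy-log lines; nothing here is real traffic.
SAMPLE_LOG = [
    "2015-12-01T09:00:01Z 10.0.0.5 GET https://www.apple.com/mac/",
    "2015-12-01T09:00:07Z 10.0.0.5 GET http://shop.apple/deals",
    "2015-12-01T09:01:12Z 10.0.0.9 GET http://apple.computer/update.exe",
    "2015-12-01T09:02:30Z 10.0.0.9 GET https://examplebank.co.uk/login",
    "2015-12-01T09:03:44Z 10.0.0.12 GET http://secure-examplebank.wine/login",
    "2015-12-01T09:04:02Z 10.0.0.12 GET http://pineapple.com/",
    "2015-12-01T09:05:10Z 10.0.0.20 GET http://" + "ápple.com".encode("idna").decode("ascii") + "/",
]

if __name__ == "__main__":
    for url, hits in scan_proxy_log(SAMPLE_LOG).items():
        print(url)
        for hit in hits:
            print("   ", hit)
```

The brand-as-TLD rule is the one the report's shop.apple example calls for; it is deliberately separate from the watchlist rule, because a brand TLD is not malicious in itself, only unexpected for an organisation that has not registered under it. Hyphen-token matching and accent folding keep the check useful against lookalikes without flagging every domain that happens to contain the brand string.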
Regarding the malicious use of gTLDs, Leonard said businesses should deploy technologies for deep content and context inspection so that they can identify malicious content, and gTLDs associated with malicious activity, when employees visit these areas of the web.
Outdated infrastructure a risk to businesses
When it comes to the behaviour of business, Leonard said Raytheon-Websense expects 2016 to be a turning point, in that the infrastructure and technologies businesses rolled out five to ten years ago will start to inhibit them, because they have to allocate time and resources to maintaining that creaking infrastructure.
“This will take time away from them that they need to move forward and defend against new attacks,” he said.
Attackers continually search for forgotten or abandoned systems to worm their way into the heart of the enterprise, the report said, but at some point, the cost of older systems that must be maintained will reach a tipping point and become prohibitive.
The report recommends that defenders should, first, plan carefully for ongoing security maintenance costs in every development effort and recognise that those figures could rise as the system ages.
Second, defenders should make every effort to migrate to current versions of infrastructure products to avoid being taken by surprise when upgrade costs snowball and support dwindles. Third, the security risks posed by ageing systems should be evaluated on an ongoing basis to make sure no loose ends are missed and that the drag caused by older systems is minimised.
Mobile open to vulnerabilities
Mobile payments are another key area in which researchers expect security vulnerabilities to open up in 2016. The report predicts that mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud.
“If malware authors are going after money through apps on the phone, that can then be used as a stepping stone into the corporate network,” said Leonard.
The enterprise must acknowledge that the technological push by attackers against the mobile platform to commit fraud will also enable others who wish to breach the enterprise, the report said.
Understanding that mobile devices can create risk and exposure for a business, the report said organisations should prioritise the protection of data by following industry best practice and implementing security protections.
IoT devices could be exploited
Similarly, businesses need to understand the risks and exposure introduced by the growing number of internet-enabled devices making up the internet of things (IoT).
The report predicts that in 2016, companies will not only start to see how IoT devices can help, but also how they can be exploited by attackers to cause harm.
Digital and connected diagnostic and screening systems in healthcare are expected to exceed 40% global penetration by 2020, but the report said that while these connected medical devices are invaluable to medical facilities, staff and patients, they also have the potential to adversely affect the information systems that protect patient safety and data.
The report recommends that organisations should aim to rationalise policies between devices for security consistency, that companies should take into account the number and types of devices connecting to their network and adjust security parameters accordingly, and that organisations should have employee training programmes around cyber security best practice, as well as acceptable use policies, to mitigate risk.
Elections could attract attacks
Attackers frequently see large events as an opportunity to launch cyber attacks on a curious population. Political campaigns, platforms and candidates present a huge opportunity to tailor highly effective lures. For this reason, the report predicts that the US presidential elections will drive significant themed attacks.
Leonard said UK businesses should observe what happens in the US in the coming months and ensure that they apply the lessons learned when the UK next faces a general election.
The report recommends that businesses should educate employees on the potential for politically targeted and tailored lures in email and via the web, that organisations tasked with hosting a political candidate’s website should build a website that is secure by design, that organisations tasked with administrating the social media accounts of political candidates should follow security best practices, and that those involved in campaigns or election activity should elevate the importance of online security in all of their efforts.