Get Ready: Four Critical Cybersecurity Trends for 2015

By Kent Schneider

Daily, we’re seeing major news stories about computer system attacks, fraud and crime. I’ll guarantee you that won’t stop in 2015.

Companies in the unpleasant cybersecurity spotlight in 2014 included Home Depot, Target, Staples, Michaels Stores, JP Morgan, American Express, Dairy Queen, Freddie Mac and the recent “big dog” of breaches: Sony. One outfit that tracks breaches is the Identity Theft Resource Center (ITRC). It tracked 744 breaches in 2014, with 81 million records exposed.

It’s no wonder “60 Minutes” called 2014 the “year of the data breach.”

The headlines reveal the tip of the iceberg. Underneath the waterline are dozens of breaches tracked by ITRC that are downright frightening, such as 86 breaches in the government/military category, 56 in the educational field (including Johns Hopkins, Marquette University and San Diego State University) and 317 in the medical/health category, including major medical centers and health insurers. Every citizen’s private data is up for grabs in one or more of those categories.

What’s the outlook for 2015?

Let’s just say that vast improvement is not immediately available, but there’s help on the way. Here are four milestones for cybersecurity in 2015 that I see from my perch as someone who’s spent his entire military and civilian career looking after security issues:

  1. More breaches. At an October cybersecurity event cohosted by the U.S. Secret Service, the FBI and the Financial Services Roundtable, officials reported that hackers have stolen more than 500 million financial records in the last year. But that was just the beginning. Joseph Demarest, Jr., assistant director of the FBI’s cyber division, made a blunt prediction to event attendees: “You’re going to be hacked.” Pretty much everyone in the security industry is saying: “It’s not a matter of whether, but when.”
  2. The EMV chip credit card rollout. In an attempt to stem credit card fraud, U.S. issuers are replacing traditional cards with the EMV chip-enabled cards already in use in Europe and around the world. The majority will be shipped to consumers ahead of the October 2015 deadline when retailers and card issuers could become liable for credit card fraud losses if they don’t upgrade to the new system. While the EMV rollout may cut down on card counterfeiting, it only treats a symptom, not the disease itself. The EMV fix won’t solve the fundamental problem of fraudsters exploiting insecure rights management and access controls.
  3. Working to remove human error and criminal intentions. Many of the notable breaches in 2014 happened because the wrong people had too much access to private data. In most enterprises, effective rights management and access controls are lacking and not integrated with existing systems, which is a major issue since up to a third of cyber-crimes are committed by insiders. In 2015 you’ll hear more about one of the most effective methods of fixing the system — locking the human element out of security systems, at least the parts where human error or malicious behavior can cause problems.
  4. Diminishing the role of the password. Professional cybercriminals will continue to get smarter, but thankfully, so will security technology and processes. I’m a believer in creating an unbroken chain of trust between the user and the enterprise in order to remove any holes for a cybercriminal to exploit. An essential way to close the gaps is to remove our over-reliance on passwords. To that end, enterprise security is moving toward biometrically enabled credentials for each user – a retinal scan, fingerprint, facial recognition or voiceprint for every access session. Most data breaches occur through impersonation of a valid user, and in most enterprises the current ID verification – often simple user IDs and passwords – is woefully inadequate. That’s why you’ll see progress on this front in 2015.

A new approach is needed

As a person who has been in the trenches on security issues for several decades, I predict that while 2014 was a landmark year for data breaches, 2015 could be even more significant in a couple of ways. While we can expect to see hundreds of incidents, we’ll also see movement toward building a new infrastructure designed to fix the system.

I predict that industry and government agencies that have responsibility for securing computer systems will be looking for more than the patchwork and plug-the-dike approaches we’ve seen over the past few years. Consumers are demanding better security for their data, and industry must respond.

I’ll be sharing more about the solutions in future posts.

Kent R. Schneider is former international president and CEO of the Armed Forces Communications and Electronics Association (AFCEA) and a former Northrop Grumman executive. He is now Executive Vice President and Chief Operating Officer of SolPass, a company working to develop the next generation of identity validation and assured access control in government and private computer systems. More at