On December 14th, Imperva's CTO Amichai Shulman will be hosting a webinar, talking you through the ADC's predictions.
Trend #1: Security (Finally) Trumps Compliance
In 2012 we expect to see security decisions driven not by compliance but for the simple reason of… security.
It sounds simple enough, but in previous years we have seen an influx of laws and regulations that drove the budget and the choice of security solutions. PCI, SOX and worldwide Data Privacy Acts were all used as the reasons to feed the security budget. But this approach often backfired. Anecdotally, when one CIO was asked about the key lesson from a major breach his firm had experienced, he answered, “Security is not about surviving the audit.”
Smart companies used these regulations as springboards to make the case for security. In fact, both a 2011 Ponemon survey and the 2010 Verizon Data Breach Report showed that PCI did improve organizations’ security posture. However, regulatory compliance is not equivalent to security and does not confer it. It is enough to turn to Heartland Payment Systems for an example. The company passed its PCI evaluation, and yet it suffered one of the biggest breaches in history.
This past year we have seen a shift in the corporate attitude for several reasons:
- Breaches are costly. Security breaches such as those suffered by Epsilon, RSA and Sony dominated front page news. These high profile breaches highlighted the impact of security. Brand damage, loss of brand value, legal costs, notification costs, service outages and loss in shareholder value all became news of the day. In fact, the day after Sony’s breach announcement, its stock price dropped steeply. DigiNotar, a certificate authority, was breached in September (see the SSL trend) and went under later that month. While actual assessments of the cost of this past year's breaches have not yet been made public, we can return to the Heartland Payment Systems breach for a lesson. For nearly two years financial analysts watched as large legal payments for damages were settled before the market could feel comfortable about Heartland’s ability to stabilize revenues.
- Companies with an online presence, regardless of size, are targeted. Not only large corporations were affected by breaches in the past year. Hackers have become very adept at automating attacks. According to the 2011 Verizon Data Breach Investigations Report, hackers have “created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets”. In other words, in a world of automated attacks, everyone is – or will be – a target. This point was exemplified in August 2011 when USA Today reported that 8 million websites were infected by malware. Our own research shows that applications are likely to be probed once every two minutes and attacked seven times a second.
- Hacktivism brings (in)security to the frontlines. Hacking groups such as Anonymous and LulzSec made headlines when they repeatedly hacked into different corporations, large and small. Visa, PayPal, Sony Pictures, Fox.com and PBS.org, as well as countries such as Tunisia and government agencies such as InfraGard, all felt the hacktivist wrath, with attacks that targeted both applications and infrastructure.
- APT becomes an actual threat. Advanced Persistent Threats (APT) attacks are sophisticated attacks which relentlessly target corporations and governments for espionage and destruction. However, with good branding from worldwide Marketing and PR teams, this term has become the alternative description to a compromise following a corporate-phishing attack. The fear of such an attack is boosting the security budget. A recent survey by ESG indicated that due to APT concerns, 32% of respondents are increasing security spending by 6-10%.
- Intellectual property requires protection. Organizations are beginning to understand the risk and consequences of a compromise of their bread and butter. The biggest risk of exposure of intellectual property is actually caused unintentionally: for example, by an employee leaving the company with corporate information obtained legitimately over time, or by a misconfigured server holding confidential documents (see the trend on the externalization of collaboration platforms). Organizations also face the risk of deliberate theft of data by vengeful or malicious employees. For instance, this past year a former Goldman Sachs employee received an eight year sentence for stealing proprietary software code. Compromise of intellectual property may also be carried out by external hackers. In the past we saw hackers focus solely on credit card numbers, login credentials and other such generic commodities. Although this type of data is still on the attacker’s radar, we are starting to see hackers focusing on intellectual property as well. As a case in point, consider the RSA attack, which involved data relating to the SecurID tokens.
- Shareholders are now involved. The SEC has recognized the impact of a security breach on a company. As a result, recently updated SEC guidance requires reporting information security breaches to shareholders. If in the past breaches could have been swept under the carpet, this regulation will make it harder to do so.
For these reasons, we will increasingly see companies make sound security decisions based on actual security reasoning. Furthermore, the abundance of regulations – which ultimately try to set a minimal bar of security – will make it too costly for organizations to handle them on a regulation-by-regulation basis. Instead, enterprises will implement security first and then assess whether they have done enough in the context of each regulation.