2013 will be remembered as a somewhat turbulent year for cyber and data security. Amongst the numerous high-profile data breaches, involving such companies as The New York Times, Adobe and Facebook, was of course Edward Snowden and the NSA scandal, which effectively changed the game in terms of the 'insider threat'.
However, 2014 promises to be just as significant a year for security, so we look at the top 5 challenges affecting organizations in 2014.
1. A mad dash to migrate to Windows 7
The imminent expiration of Windows XP in April 2014 will see a raft of businesses starting or completing their migrations in the early part of 2014, bringing with it new risks to businesses that don’t take proper precautions in rolling out their new operating system. Once Microsoft halts support of XP, companies running the OS will not only be faced with huge custom support costs, but will also expand their attack surface, becoming potential targets for new malware and vulnerabilities targeting unpatched systems.
What’s more, a number of vendors will stop supporting XP after April, further increasing organizations’ risks of downtime and increasing the TCO of XP as uplifted support contracts come into force. That is why I predict most enterprises will be rushing to adopt Windows 7 in the first half of next year, if they haven’t already done so. Conversely, I believe that only a small percentage of organizations will upgrade to Windows 8 in 2014.
Looking beyond next year, organizations will eventually replace a proportion of their laptop estate with Windows 8 tablets, Ultrabooks and hybrid devices, driving greater Windows 8 adoption.
2. Post-PRISM, user privileges will become a higher priority
Data security breaches were high profile in 2013, from the NSA’s notorious infringement, to the Adobe security breach that leaked information from 38 million users. The fact is, corporate data is vulnerable now more than ever, which I predict will cause more organizations to adopt defense-in-depth security strategies to protect their valuable assets and mitigate reputation risk. In particular, organizations that previously thought it was acceptable to grant administrator privileges to all users and systems administrators will think again.
According to a recent survey of IT decision makers, the NSA breach has already caused 52 percent of IT security professionals to reconsider their approach to user and systems administrator privileges - they now just need to prioritize taking action. If the Snowden affair was any indication of where pain-points lie, organizations should take all necessary steps to control excess privileges in order to defend against threats on the inside, whether deliberate or accidental.
3. A new era of CYOD
Despite BYOD’s hype, its security risks cannot be ignored. According to many of the organizations I talk to, they still don’t have a BYOD policy in place. But in this always-on world, organizations still want to reap the flexibility and productivity benefits provided by mobile devices. That is why I predict organizations will move away from struggling to integrate a BYOD environment, instead implementing a Choose-Your-Own-Device (CYOD) policy, which enables organizations to own the devices and therefore take responsibility for securing and managing them, as well as setting them up on the corporate network.
Windows 8 will go some way in helping organizations provide a tablet experience without compromising on security, as Windows 8 Pro devices provide enterprises with the same level of control as the traditional form factors. In addition, technologies such as Windows 8 To Go will also help in this area. As organizations start to support Windows 8 devices, they will need privilege management policies in place to enable the benefits of touch-screen tablets without compromising on security or losing control of corporate IT governance.
4. More commoditization of antivirus
If this year’s security threats taught us anything about endpoint protection, it’s that antivirus just isn’t enough on its own. Organizations are too reliant on first-generation security solutions when dealing with the next-generation threats of today. Too many attacks were able to successfully penetrate antivirus software’s security defenses and it makes sense; while antivirus can prevent certain types of external attack, it cannot block malware that has already found its way onto corporate endpoints.
As more organizations learn that antivirus on its own can’t be relied on for comprehensive protection, I predict that they will turn to multiple next-gen technologies to defend against tomorrow’s advanced attacks, like Advanced Persistent Threats (APTs) and other honey-pot style techniques like DNS poisoning and drive-by-downloads.
Layered security strategies such as patching, application allow listing and privilege management will be used to complement antivirus to prevent the spread of malware. I predict that the antivirus industry will continue to commoditize to meet customer expectations, with more antivirus companies moving towards giving the software away free of charge.
5. Gen Y revolts, bringing increased risk
Organizations today are struggling to balance security with user flexibility and empowerment. Though they want to use IT as a business enabler, the weight of current endpoint security systems is often limiting employee productivity. If organizations don’t learn how to strike this elusive balance, I predict that savvy “Gen Y Techies” will circumvent the burdensome security policies in place, finding their own ways to access the documents, files and tasks they need and therefore potentially introducing the organization to new attack vectors.
Recent research even shows that 80% of Gen Y employees admit to not obeying IT policies. Many organizations will take the easy road out and let employees dictate the security agenda, opting for convenience over security and gradually softening security policies and reintroducing local admin access. This should not be allowed to happen.
In fact, according to Gartner, by year-end 2014, 70% of large enterprises will permit access to external social media sites, compared with 50% in 2010, which will open up a whole new attack vector. There are many solutions that mitigate risk without suffocating employees at the endpoint, and organizations that put these into place will grant their users the flexibility they demand without needing to compromise on security.