2015 saw the rise of hackers motivated to steal data for the purpose of public extortion and public shaming. The Ashley Madison data breach was one of the highest profile examples, where the hackers attempted to blackmail the company into closing down its infidelity website operations. When the company failed to comply with the hackers' demands, the hackers released millions of Ashley Madison members' account details online. In 2016 I think we will see more companies' sensitive user databases targeted for the purpose of blackmail by cybercriminals, and for the purpose of public shaming by hacktivists hell bent on causing reputational damage to any company they take a dislike to.
2016 will finally see the demise of arguably the greatest user inconvenience and 'Achilles heel' in cyber security, the humble password. In the coming year more organizations will embrace 'no password' authentication models, using alternatives to a password such as biometrics, pictographs, and Bluetooth/geotagging proximity. These methods are not only more secure than passwords, but offer a quicker and more convenient authentication experience to users, as proven with Apple's iPhone 6s and Apple Pay. The iPhone's clever biometric fingerprint scanning authentication allows users to securely unlock their smartphone at speed, and is even considered secure enough to be used to make payments at shops without the user having to key in a passcode or password.
As manufacturers continue to rush towards IoT technology, namely the network connectivity and monitoring or controlling of physical world objects, it will lead to more insecure IoT devices, caused by inadequate IoT software development and post-release support. As I explained in my recent IoT article for IBM, we can expect to see state sponsored hackers, cyber criminals, hacktivists and even terrorists target this new-found low hanging fruit. In 2015 cars, planes, various kitchen appliances and even toys with network connectivity were shown to be insecure by IoT security researchers. This situation could be a frightening precursor to more significant IoT attacks in 2016 and beyond. IoT cyber attacks carry risks well beyond the traditional data theft and IT systems outage scenarios: such attacks could specifically target the destruction of physical world infrastructure and endanger human life.
A key priority in 2016 for any European company, and for any non-European company which stores or processes EU citizens' personal data, is to prepare for the EU General Data Protection Regulation (GDPR), as I blogged about here.
The GDPR comes into force in 2018 and is the biggest shake-up in history to how enterprises must legally meet information security and individual citizen privacy rights. The new regulation comes with serious financial teeth for any compliance failure, with fines of up to 20 million Euros or 4% of an enterprise's annual global turnover. Businesses must also disclose any personal data breaches within 72 hours, which is another major game changer, as currently, under the existing EU data protection directive, companies do not have to disclose personal data breaches to any body or to the public. There are new individual rights which will require redesigns of IT systems and business processes, such as the right to be forgotten and data portability. Even though the GDPR doesn't come into force until 2018, given the major changes required of businesses handling personal data, together with the risk of large financial penalties if not done correctly, 2016 should be the year to commence preparation for the GDPR.