1. A massive breach will be caused by negligent employees and needlessly excessive data access privileges.
Much attention is paid to the role of cyber criminals, but the far more common threat begins with well-intentioned employees. According to a new survey, 71% of employees believe they have access to company data they should not be able to see, and 54% characterize that access as frequent or very frequent. Only 22% of employees say their organization is able to tell them what happened to lost data, files or emails. The failure of companies to create and enforce a least-privilege model for confidential or sensitive data – from personal data to credit card numbers or health records – will lead to a highly publicized breach and loss of critical data. (New survey of more than 2,000 worldwide employees and IT professionals to be published in December by Varonis and Ponemon Research.)
2. Cloud and IaaS companies will need to compete on how well they manage and protect data while also providing productivity-enhancing functionality to their clients.
Cloud companies, large or small, will face increasing pressure to differentiate themselves while ensuring that their offerings keep customer data safe and sound. Their potential clients, meanwhile, continue to examine which vital data needs to remain on premise, while understanding that employee productivity and mobility cannot be sacrificed. Failure to offer the same levels of access control, data protection and breadth of productivity enhancement that enterprises are accustomed to enjoying inside the walls of their own data centers will force cloud companies into service niches that exclude their clients’ most vital data.
3. Data Security in the Zettabyte Era
In 2015, human-generated unstructured data will continue to be one of the fastest-growing data sets and the most relevant for digital collaboration, mobile or otherwise. It will also – more than ever – be the most valuable and sensitive data, and thus be subject to intense security and compliance requirements, whether it’s on premise or in a private or public cloud. In total, companies are beginning to generate several zettabytes of data per year, and they must be accountable for any and all of it. If the data isn’t secured from the start, these organizations are more vulnerable than ever to internal and external security breaches.
4. Continuous monitoring and tighter access controls become the new normal
It’s best to assume that whatever network you’re on, there’s probably already something or someone present that represents a threat — but a threat to what? Once they are inside, do they have free rein to find the most sensitive information – like customer credit card numbers, employee social security numbers, or personal medical records? Organizations have far greater ability to control that than many realize. With automated controls, organizations can efficiently implement and maintain a least-privilege model, audit data access, spot abuse, and identify stale data. Several of the data security standards now emphasize monitoring because it’s a real-world defense against hackers, insiders, malware, and mistakes. In 2015, IT will be able to make an impact by putting stronger policies in place requiring continuous monitoring and stricter access controls, which will help limit potential damage, better detect and stop unwanted activity, and make recovery from incidents faster and more effective.
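As an added example (not from the original post, and not Varonis product code), the three automated checks this paragraph names, a least-privilege violation scan, stale-data identification and a crude mass-read detector, run over a constructed file-access audit log; the log format, the entitlement map and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed audit events (not from any real system): "<ts> <user> <action> <path>"
AUDIT_LOG = """\
2014-12-01T09:02:11Z alice READ /finance/q3_ledger.xlsx
2014-12-01T10:11:03Z bob READ /hr/salaries.xlsx
2014-12-02T14:20:55Z bob READ /finance/q3_ledger.xlsx
2014-12-02T14:21:09Z bob READ /finance/board_deck.pptx
2014-12-02T14:21:30Z bob READ /finance/vendor_contracts.pdf
2014-09-15T08:00:00Z carol READ /legacy/2011_customer_export.csv
"""
# Hypothetical entitlement map: the top-level folders each user legitimately needs.
ENTITLEMENTS = {"alice": {"finance"}, "bob": {"hr"}, "carol": {"legacy"}}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_events(text):
    """One dict per well-formed line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append({"ts": datetime.strptime(parts[0], TS_FMT), "user": parts[1],
                           "action": parts[2], "path": parts[3]})
    return events

def out_of_scope_access(events, entitlements):
    """Least-privilege check: (user, path) for every access to a top-level
    folder outside the user's entitlement; unknown users are entitled to nothing."""
    hits = []
    for e in events:
        folder = e["path"].strip("/").split("/")[0]
        if folder not in entitlements.get(e["user"], set()):
            hits.append((e["user"], e["path"]))
    return hits

def stale_files(events, now_iso, max_idle_days=60):
    """Paths not touched within max_idle_days: candidates for archiving or removal."""
    last_seen = {}
    for e in events:
        last_seen[e["path"]] = max(last_seen.get(e["path"], e["ts"]), e["ts"])
    cutoff = datetime.strptime(now_iso, TS_FMT) - timedelta(days=max_idle_days)
    return sorted(p for p, ts in last_seen.items() if ts < cutoff)

def burst_readers(events, threshold=3):
    """Users touching >= threshold distinct files in one day: a crude mass-read signal."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["path"])
    return sorted({u for (u, _), paths in per_day.items() if len(paths) >= threshold})
```

In the constructed log, bob is entitled to HR data only, so his three finance reads on one day trip both the entitlement check and the burst detector, while carol's export file surfaces as stale data that no longer needs to exist.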
5. Data Will Be More Secure in the EU, but What Will Happen in the US?
Early in 2014, after the Target breach, there was some support in the U.S. Congress for a national breach notification law. Proposed legislation would put into place, for the first time, a single set of rules for alerting consumers when their personal information has been exposed. Unfortunately, the idea has not advanced any further. More progress has been made in Europe. The highly anticipated EU Data Protection Regulation (DPR) would require consumers to be promptly alerted after a data exposure. The new rules are modeled after breach reporting requirements already in place for ISPs and telecom carriers. Will the DPR finally be approved in 2015? It’s still possible, although some of its tougher requirements—the right to be forgotten and heavy fines for non-compliance—will likely be relaxed. In any case, data security laws are moving in the direction of greater consumer safeguards. We’ll see which side of the Atlantic has more political will to protect consumers in the coming year. The final results will have a strong influence on consumer confidence in global companies.
6. Rise of “Salami attacks” will leave a bad taste at the big data banquet
Even when encrypted or anonymized, the vast amount of data being collected on people through social networks, credit-card transactions, security cameras and digital footprints is increasingly being pieced together into a frighteningly complete picture. This threatens not only individuals but also government organizations, corporations and their business partners. In a recent example, the privacy of New York City taxi drivers and their riders may have been compromised. In 2015, a major big data initiative somewhere will be derailed by a salami attack.