Business Security Predictions We Got Right
Given our many years working at the forefront of business security with a focus on information protection, we often have insights into what’s coming next, and our team of experts frequently discusses predictions relevant to organizational security.
Here are a few predictions we made not too long ago that suggest we’re better than most in anticipating what’s around the corner for our tight-knit security community.
Business Security Prediction #1: “Bring Your Own Device” or “BYOD” hits a tipping point
Before it was a big topic of discussion, we accurately predicted that businesses would scurry to deal with the reality that privately owned devices — over which they have zero control — now contain corporate information, particularly email and attachments.
Noting that all of us use the “email file system” copiously, we were early to warn that corporate email on unmanaged devices is a big concern. What happens when the device is lost or stolen? What happens when the employee/device owner leaves or is terminated? Is it legal and ethical to “remote wipe” devices that are personally owned? Is it OK for my 13-year-old son to play with the iPad I read corporate email on? What sorts of restrictions on mobile applications are reasonable (or even possible) for devices connected to corporate networks?
Many businesses are just starting to grapple with these issues now, and these information-protection challenges are only likely to get worse.
Business Security Prediction #2: Compromised accounts due to password reuse explodes
Password reuse — using the same or similar username and password on multiple systems — has always been a security ‘no-no’, but the pain directly attributable to reuse has been low. Not anymore. We saw the change coming and advised our clients accordingly. The issue went mainstream in recent years after the security community saw some of the largest breaches ever in terms of compromised usernames and passwords; many of the attackers proceeded to post the usernames/passwords publicly.
This has been coming for some time. Security researchers — and surely the bad guys — have analyzed these publicly available lists of credentials and noted that password reuse is rampant. Aggregating large password lists also illuminates obvious patterns — like cycling through punctuation on the end of a common password. Since most usernames are email addresses — and email addresses are relatively good identifiers as they are unique and don’t change often — bad guys are now able to put together a “password dossier” on individuals pretty easily. This is a boon to social engineering attacks like highly targeted phishing.
As a result, more people will start (voluntarily or otherwise) to use strong passwords and password managers. We don’t think this will spur greater adoption of multi-factor authentication, but we do think the value of better password hygiene will begin to outweigh the inconvenience. If this topic is of interest to you, check out: https://shouldichangemypassword.com
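As an added example that is not part of the original post, here is a defender-side password check in Python that rejects a proposed password when it, or a trailing-digit/punctuation variant of it, appears in a leaked list. The leaked list is constructed for the example, and the normalization rule and the SHA-256 index are my assumptions, not the author's tooling.

```python
import hashlib
import re

# Constructed sample of a leaked credential list (not real data).
LEAKED_PASSWORDS = ["Summer2012", "password1", "qwerty", "letmein!", "123456"]

# Trailing digits and punctuation that users rotate on the end of a base word.
_TRAILING = re.compile(r"[\d!@#$%^&*.,?_-]+$")


def normalize(password: str) -> str:
    """Case-fold and drop the trailing digits/punctuation people cycle through.

    If stripping leaves nothing (an all-digit password), keep the folded
    original so it can still be matched exactly.
    """
    folded = password.casefold()
    base = _TRAILING.sub("", folded)
    return base or folded


def build_index(leaked) -> set:
    """Keep only SHA-256 hashes of normalized leaked passwords, so the checker
    does not retain the plaintext list once it has been processed."""
    return {hashlib.sha256(normalize(pw).encode("utf-8")).hexdigest() for pw in leaked}


def check_password(candidate: str, index: set, min_len: int = 8):
    """Return (accepted, reason) for a proposed password."""
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    digest = hashlib.sha256(normalize(candidate).encode("utf-8")).hexdigest()
    if digest in index:
        return False, "matches a leaked password or a trailing-punctuation variant of one"
    return True, "ok"


# Assumed deployment: build the index once from the leaked list, then check
# each proposed password against it at enrollment or password change.
INDEX = build_index(LEAKED_PASSWORDS)

if __name__ == "__main__":
    for pw in ["Summer2012!", "Password2#", "123456", "correct horse battery staple"]:
        print(pw, check_password(pw, INDEX))
```

The normalization deliberately collapses `Summer2012!`, `summer2013` and `Summer2012` onto the same base word, which is the punctuation-cycling pattern the aggregated lists expose; a longer passphrase with no leaked base word passes.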
Business Security Prediction #3: No major change in tactics from those committing industrial espionage — typically foreign intelligence services
Our take was that there was no need for the bad guys to change their tactics. What they’re doing is still working, and nothing American businesses or the American government is doing will stop or even slow the exfiltration of critical information out of the country. Such exfiltration causes little short-term pain, so the problem will be allowed to persist.
The long-term pain, however, is significant: the erosion of sustainable competitive advantage in the form of R&D, trade secrets, and other proprietary information will disadvantage victims for decades into the future. Businesses that ‘get it’ and act decisively to protect their proprietary information will be best positioned to compete in an increasingly global market into the future. Businesses that don’t ‘get it’ will wake up one morning to find their global competitors three steps ahead of them.