History has a way of repeating itself.
2013 ended with revelations of a huge data breach at Target Brands Inc.
2014 ended with revelations of a huge data breach at Sony Pictures Entertainment.
So it comes as no surprise that Forrester Research predicts data encryption and key management will be one of the big priorities for CIOs/CSOs in 2015 to protect sensitive information.
It was one of nine predictions for the coming year made by the industry research firm’s privacy and security analysts.
Data privacy is now part of the daily conversation of organizations, says report co-author Heidi Shey. “It’s not just the job of the privacy officer or delegated to the security team. It’s pretty much involved in all parts of the organization.”
And the planning isn’t merely to meet regulatory requirements, she added, but how to handle data, how to communicate privacy policies to customers and making sure those policies align with technology and internal policies.
The increased focus on encryption comes as malware for finding and retrieving encryption keys increases. In its prediction report Forrester notes that in 2013 hackers compromised the U.S. Emergency Alert System by a firmware update that exposed secure shell (SSH) keys. This year Heartbleed bug allowed attackers to steal private encryption keys.
Yet while security pros want to increase the use of encryption for on-premise and cloud data security, the lack of widespread key management standards poses a problem for centralizing their efforts.
Forrester notes a recent study estimated that the average US$1 billion-plus enterprise has more than 17,000 keys and certificates.
The analysts believe in 2015 new encryption and key management vendors will emerge, along with some mergers and acquisitions. In the meantime, Shey adds, organizations “need to do something (on encryption) and not wait around.”
Other predictions include:
— Half of enterprises will consider privacy a competitive differentiator.
According to Forrester surveys this year, one-third of security decision makers already are shaping their corporate strategy that way. More will make the choice in 2015.
Target briefly lost business after its breach was admitted, Shey said. However, she added that in its most recent quarterly report the company posted a gain.
Still, many companies are now taking data privacy much more seriously that before. Shay points to a public letter Apple CEO Tim Cook released announcing enhanced security features for iCloud and iOS 8 after the hacking of iCloud accounts and the release of what were supposed to be private celebrity photos.
— Rights management is no longer a dirty word.
Security pros are tiring of the various versions of DRM, IRM, ERM, eDRM. But it protects access to information. Customers are using it in some way, and just calling the overall capability “rights management.”
“While these standalone types of management tools are probably less appealing to enterprises today the capability is attractive,” says Shey. Enterprises increasingly will make use of it if included in other solutions, such as content management or file sharing.
Forrester recommends organizations carefully ask vendors what the rights management capabilities are in their software, or done through partners, what it can — and can’t — do.
–Data disposal will gain importance.
It’s overlooked in many enterprises, says Shey, but “it’s about cleaning up house” after data is classified. At that point IT has a good idea of what isn’t needed any more. That’s where secure disposal comes in — not just for digital data, but also paper and hard drives.
Forrester notes that a large Canadian consulting company allegedly sold old servers that contained sensitive client data, although the news report hasn’t been confirmed.
In 2013, there were 69 publicly reported incidents involving improper disposal of paper documents containing sensitive data, says Forrester, compromising more than 300,000 records. As of November there were one-third as many incidents, but more than 53,000 records compromised.
–Government regulators will set rules for protecting health data generated by wearables.
The number of digital watches that can monitor heartbeats and footsteps are growing, but the data isn’t secured. A data breach in 2016 will spur regulators to step in, Forrester predicts.
–As for the large volume of electronic medical records held by hospitals, they will increasingly be the targets of hackers — including countries.
While many nation states are looking for critical infrastructure to attack, medical records can be also be valuable. Medical research in particular could be a target for information on the latest treatments.
Forrester notes that security consultants hired by a major U.S. health network that operates over 200 hospitals in 29 states concluded a data breach earlier this year was sponsored by China.
–Cloud security will improve.
More of a wish, Shey admits. Unfortunately, the key word in the prediction is the adverb. Security pros need to push cloud providers and managed security service providers to do a better job of providing monitoring capabilities, says Forrester. The firm find that security is still the primary inhibitor of cloud adoption.
— Political instability globally will put privacy in the cross-fire.
As nations increase their adversarial relationships — for example, between western nations and Russia over Ukraine — the odds of co-operation of the arrest and prosecution of organized hacker groups drops. The other way of looking at it is that the odds increase that nations will use hacking of corporations as a retaliatory weapon.
“The ongoing attacks from organizations that operate under the cover, with sanction or in co-operation with organized crime and nation state actors, present unprecedented challenges to privacy protection,” warns Forrester.
monitoring will slowly improve,
Unfortunately, the key word in that sentence is the adverb.
Security pros need to push cloud providers and managed security service providers to do a better job of providing monitoring capabilities, says Forrester.
— Political instability globally will put privacy in the cross-fire.
As nations increase their adversarial relationships — for example, between western nations and Russia over Ukraine — the odds of co-operation of the arrest and prosecution of organized hacker groups drops. The other way of looking at it is that the odds increase that nations will use hacking of corporations as a retaliatory weapon.
“The ongoing attacks from organizations that operate under the cover, with sanction or in co-operation with organized crime and nation state actors, present unprecedented challenges to privacy protection,” warns Forrester.
