Access management responsibilities are expanding. There are more and more reasons people need access to information to do their jobs. And it’s not just employees. The ‘extended enterprise’ means your supply chain, your partners and even your customers need access, or temporary access, to sensitive information such as company data, financial data, patient data and personal data.
As the responsibility to manage this access grows, the risks to valuable and sensitive data are greater than ever before. There are plenty of examples of how much damage one incident of unwanted access can do to a company’s reputation and/or financial bottom line.
Given some of the high-profile attacks of the previous year, businesses large and small are much more aware than they were this time last year of their universal susceptibility to security threats, realising that no company is fully safe and the consequences can be dire. This improvement in awareness is set to drive a number of new trends in 2016 as companies rethink their security approach around access management, some of which we’re already beginning to see now.
Here’s what I believe will happen over the next 12 months.
1. IT security will cease to be primarily a vertical-specific problem
Traditionally, IT security experts have focused on the particular verticals or markets that are naturally security conscious. We all know that financial organisations place a lot of importance on security because they hold valuable and sensitive customer data, retailers are security conscious because they handle cardholder data, and healthcare organisations must protect patient records. But with high-profile attacks this year, for example T-Mobile and Experian, I expect in 2016 to see cyber security become much more of a priority for all sectors — and not just financial services, retail or healthcare.
We’re also seeing more companies rebalance their IT security. Preventing attacks is only part of the problem, and companies are beginning to focus more on sophisticated detection and response as well.
2. Insider threat will move up the IT security priority list
Our research in 2015 found that of those companies in the UK and US that don’t currently have an insider threat programme, two thirds planned to launch one before the year is out. I would expect in 2016 that more than 80–85% of companies will have an insider threat programme in place — and those that don’t will be playing with fire as employees both negligent and malicious pose one of your organisation’s greatest threats.
3. Businesses will shift towards “user-centric” security
2016 will see organisations focus more on protecting users from being exploited by hackers — for example through social engineering to gain access to login credentials — rather than organisations blaming their users. Through technology, education and processes, organisations will guide users towards good behaviour. This is especially important with today’s modern and ‘digital’ workforce, which needs almost consumer-like user experiences to make IT security processes easier to follow.
4. C-suite will begin to understand the broader business benefits of IT security
IT security has often been in danger of being one of those things that only the IT department care about — often seen by the C suite as simply a cost to the business that doesn’t add to revenue streams. 2016 will see more and more C-level executives wake up to the fact that IT security can help close business deals, build trust with customers, remain competitive and improve relations with partners and the supply chain.
5. Unknown access to data and networks will phase out
User access to data and networks will tighten in 2016 — shifting from simple password access to login credentials that incorporate context-aware rules like location, time, device and security posture. In addition, attributes associated with the user will vary dynamically over time (adaptive access control) — rather than remain just static entitlements.
The time to act is now
Improving your IT security stance is not just a case of throwing more money at the problem. You cannot afford to lose sight of effective IT security training and having solid processes in place to complement your existing tech. If any one of those three is not up to scratch, you’re at risk of becoming one of next year’s cybercrime statistics.