Stuart Reay from Alpha Generation, the specialist IT security distributor, talks us through what he thinks the channel will need to address in terms of security in 2018.
Vendors need to be more innovative with their IoT protection offerings and as such, I expect to see a wave of new technology from existing and emerging vendors to extend the reach of security to the IoT.
As corporations spend more time securing their data, hackers are finding new ways to extort money. For example, cyber criminals are developing toolkits to exploit pay-per-view services to steal money, forcing a pop-up to appear on connected TVs demanding a ransom. If the end user doesn’t pay, their connection will be cut via their router or the smart TV and they won’t be able to watch the event they’ve already paid for.
Sounds outlandish but, if these hackers can develop a sophisticated payment platform that can take the payments in quick succession, they will be able to bypass the big corporates that have the infrastructure set up to prevent attacks and target SMEs and consumers instead.
The same technique could be used in connected cars or healthcare but with more devastating consequences. For example, it could be that a ransom has to be paid or the hacker will crash someone’s car, or cut off life support in hospitals.
We could end up seeing a WannaCry-style attack on end-users, with their smart, connected devices making their way into a network.
We’ve worked with many vendors that have introduced products and their time has come to move onto another type of security – that’s just the way security goes. But patch management has been around forever and its importance has yet to fade.
According to the Flexera Vulnerability Review, 17,147 software vulnerabilities were discovered in 2016. The number of ‘highly critical’ vulnerabilities grew from 13% to 18%, a worrying upward trend that suggests the threat is getting bigger every day. With a threat on this scale, effective vulnerability management and patching should be obvious.
The problem we’re experiencing across the entire industry is that, although everyone knows keeping software secure is vital, many choose to ignore regular patch updates. Offering the tools to make patching manageable for end-users can therefore be a hard sell. Patching is a necessity and will continue to be – even more so when vulnerabilities now come in all shapes and sizes.
As little as 10 years ago, the majority of software vulnerabilities were in Microsoft’s core operating systems and applications, with approximately 76% of the total share according to an earlier Vulnerability Review from Flexera. Third party software held the remainder. Now this has completely shifted and 80% of vulnerabilities are in third party software. We all know to patch our Microsoft systems, but who patches third party apps?
The urgency for this needs to be understood and vendors need to educate the channel in driving home the message that the tools exist to offer to end-users, and offer an excellent revenue stream of both licence sales and services.
Prevention rather than detection
Organisations are starting to realise that investing in threat prevention rather than threat detection technology has to be the way forward.
Threat prevention also covers isolating malware when it appears and keeping it away from the rest of the network, which is exactly why we’ve invested in Bromium. We understand the value of prevention software, because the damage is limited rather than spread throughout an organisation. There’s no need to fight fires when you can stop them starting in the first place.
Data-led prevention will play a huge part in threat prevention. Vendors need to develop smart tools using machine learning to understand and recognise the vulnerabilities autonomously.
The impact of GDPR
Although it’s not clear how the ICO and EU will regulate GDPR, I think it will be interesting to see whether vendors that wrongly advise their customers will be named and shamed. I’m sure many of the large enterprises involved in data leaks this year must have spent a lot of money on security and the salespeople selling in security said their investments would have protected the customer. But none of those companies have publicly responded saying it was the vendors or salespeople that were at fault.
I am hoping we’ll start to see those that wrongly advise on data privacy being named and shamed rather than the customer. This may even mean we start to see revisions of the end-user licence agreement so vendors and the channel can protect themselves.
IT security budgets
End-users need to get smarter about how they’re spending their budget and need to move away from the philosophy that throwing money at it won’t solve the crux of the issue. The channel will need to take on board an end-user’s needs and be the advisors here.
What do they really need? What do they need to be secure? People need to stop and take stock of the threats rather than using a scattergun approach and spending budget on solving problems in the wrong place.
The move to cloud services
The move to cloud services by businesses big and small is accelerating. There’s nothing innovative about that, of course, but where we do need to start seeing innovation is from the cloud providers themselves. They need to make sure the investment in cloud security is a priority to ensure they’re facilitating customers to make that shift to cloud services.
As cloud adoption grows, cloud security is just going to accelerate, with more threats to enterprises and the general public too. So that’s where the first line of defence needs to be whether we’re talking about the huge cloud providers like BT, or smaller firms that are using cloud services like Azure and AWS to host their services. Microsoft and Amazon need to make their platforms absolutely watertight if they’re going to be able to keep up with all the threats.