By Sharon Florentine
Dec. 1, 2016
"We've had some clients who say, 'Well, I just stick my users or outside vendors on the VPN and they're fine,' but they have no idea what they are actually accessing! With privilege management, think of it like an elevator bank, where depending on your role, you can only get to certain floors. It really limits what you can do, especially if you're malicious. Even if I do have a valid password, if my privilege lets me access floors one and seven, but I try to go to six, then the system will block me and notify someone," Dircks says.
Addressing this issue, too, will involve organizations willing to provide extensive education and training on the potential dangers involved, especially in an increasingly mobile workforce where many individuals would rather sacrifice privacy and personal data for access and believe their security will be taken care off by the third-party services providers and application creators, he says.
"Especially in the last few generations of digital natives, people are more than willing to give up their personal information and data for access to apps, connectivity, information -- this can easily be exploited. And they are willing to trust that these app developers, these providers, will make sure they're safe and secure. That's dangerous. Combine the cybersecurity skills gap, talent shortage, mobile workforce, app-centric environment, more sophisticated hacking and it's a perfect storm. We think it's just going to get worse before it gets better," Dircks says.
3. The security blame game will heat up
"When we talk to our clients, one trend we're seeing that is really horrifying is that they don't even say 'if' an attack occurs anymore, they say 'when.' It's like, at this point they are just throwing up their hands and saying, 'Well, I'm gonna get hit, how bad is it going to be?' and that, to me, is just terrifying," Dircks says.
The IoT and increasing reliance on security solution providers means companies may not be able to easily account for ownership or origin once a breach happens, he says. Who is responsible for securing, maintaining and patching the various technologies? Worse yet, has a product been connected to internal systems that can't yet be patched? A number of IoT devices are often overlooked because they fall outside of IT's traditional purview, but that means exposure to threats.
"With the integration of IoT, automation and the cloud, no one seems entirely sure who's actually responsible for maintaining security of all these various pieces: the IoT device manufacturer? The security services provider? The internal IT department? Individual users? You're only as secure as the least-secure device or relationship," Dircks says.