November 1, 2016
Every fall Forrester’s Security & Risk team comes together to make a set of predictions on the issues that will have the greatest impact on our clients in the next year. We don’t make broad, Nostradamus-like predictions such as “There will be a breach at a large company in a great city.” Instead, we go out of our way to make detailed predictions that force us to take strong stances, can easily be proven right or wrong, and are actionable by security and risk professionals. Before we provide a sneak peek at our 2017 predictions, it’s worth looking back and grading our 2016 predictions. 2016 was a particularly tumultuous year for cybersecurity. News agencies kept themselves busy as companies and public figures struggled with breaches, companies experienced embarrassing downtime, and individuals felt their privacy rights slip away. The result? Cybersecurity has now vaulted from the boardroom to the Senate floor and to the presidential debate stage. So how'd we do?
- We recently noted how Yahoo took center stage not just because of the size of its breach (half a billion user accounts) but because of how badly it botched the response. Not only did Yahoo fail to discover its 2014 breach until 2016, and then only in the course of investigating a separate breach, but its customer communication left much to be desired. With the acquisition by Verizon now in jeopardy and Verizon’s lawyers calling the breach a material matter, Yahoo is feeling the ramifications of poor cybersecurity. In last year’s report, we predicted that $100 million cyberinsurance policies would be futile. Considering that Verizon has asked to cut $1 billion off its proposed deal for Yahoo, a loss no policy of that size would come close to covering, we give ourselves an A on this one.
- Debbie Wasserman Schultz resigned as the head of the DNC in August after the breach of the DNC’s email systems, confirming our prediction that an executive would step down due to a breach. In addition, Iceland’s Prime Minister, Sigmundur Davíð Gunnlaugsson, stepped down following the Panama Papers leak. In our 2016 cybersecurity predictions report we predicted that two CEOs would step down due to a breach. We give ourselves a B on this one: the most senior executive of each of two entities did step down, but technically neither of them was a CEO.
- In our cybersecurity predictions report from last year, we predicted that healthcare security budgets would rise 6%. We asserted that healthcare breaches, including the Anthem breach that affected 80 million individuals, along with larger fines for HIPAA violations, would bring healthcare security spending more in line with other industries. On this prediction, we score an A-. We underestimated the increase: healthcare security budgets rose by 8% in 2016, telling us that if we bet on our own predictions we should bet on the upside.
- The connected world is here, and not only do IoT devices provide an expanded attack surface, these devices can be used as cybersecurity weapons. In the October 2016 attack on the DNS provider Dyn, much of the attack traffic came from a botnet of compromised IoT devices such as IP cameras, digital video recorders, and home routers, recruited largely by logging in with factory-default credentials. The attack taught an important lesson about the necessity of a secondary DNS provider (customers whose zones were served only by Dyn were unreachable for hours, while those with a second, independent provider stayed up) and showed that many IoT devices ship insecure by default, leading at least one vendor to recall millions of its devices, including its network cameras. Last year, we predicted that a company’s customer experience (CX) score would take a hit from a breach. Given that a major manufacturer is recalling products because it could not secure them, and that Yahoo followed its breach with a less than empathetic response, we give ourselves a B-, with the deduction for the lack of actual CX score proof.
- Last year, we predicted that the US presidential candidates would debate cybersecurity. As the presidential debates covered the breach of the DNC, the security of private email servers, and possible nation state actors (or possibly “somebody sitting on their bed that weighs 400 pounds”), we score an A on this prediction. Behind all the obvious security issues, privacy concerns loom in the background, with individuals wondering what data should be considered, and therefore protected as, private (should emails be private? Entire emails? Only emails from private citizens?). The question came to a head when Apple’s CEO Tim Cook refused an FBI request to build new software that would substantially bypass the iPhone’s security features.
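The Dyn lesson above is worth turning into a concrete check. The following is an added example, not code from the original post or from Forrester: it takes a zone’s NS records together with each nameserver’s resolved address (the same data `dig NS` and `dig A` would return, here constructed and made up for illustration) and reports whether the nameservers span more than one provider and more than one network. The provider heuristic (the last two DNS labels of the nameserver name) and the /16 network grouping are deliberate simplifications that are assumptions of this example; a production check would use the public suffix list and ASN lookups instead.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not real records): nameserver names -> resolved addresses.
# Before: every nameserver belongs to the same provider and sits in one address block,
# which is the single-provider setup that took zones offline during the Dyn attack.
ZONE_BEFORE = {
    "ns1.dns-provider-a.example.": ["203.0.113.10"],
    "ns2.dns-provider-a.example.": ["203.0.113.11"],
    "ns3.dns-provider-a.example.": ["203.0.113.12"],
}

# After: a second, independent provider has been added as secondary DNS.
ZONE_AFTER = {
    "ns1.dns-provider-a.example.": ["203.0.113.10"],
    "ns2.dns-provider-a.example.": ["203.0.113.11"],
    "ns1.dns-provider-b.example.": ["198.51.100.20"],
    "ns2.dns-provider-b.example.": ["198.51.100.21"],
}


def provider_of(ns_name: str) -> str:
    """Heuristic: treat the last two labels of the nameserver name as its provider.
    This is an assumption for illustration; it mis-groups names under ccSLDs such as
    .co.uk, where a public-suffix-list lookup is required."""
    labels = ns_name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_ns_diversity(ns_records: dict, prefix_len: int = 16) -> dict:
    """Report whether a zone's nameservers are spread across independent providers.

    ns_records maps nameserver hostnames to their resolved addresses.
    Returns the providers found, a list of findings, and a 'resilient' verdict
    that is True only when no finding was raised.
    """
    providers = defaultdict(list)
    for name in ns_records:
        providers[provider_of(name)].append(name)

    # Group addresses by enclosing prefix (/16 by default) as a crude stand-in
    # for "same network"; an ASN lookup would be the real-world replacement.
    networks = {
        ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        for addrs in ns_records.values()
        for addr in addrs
    }

    findings = []
    if len(ns_records) < 2:
        findings.append("fewer than two nameservers delegated")
    if len(providers) < 2:
        findings.append(
            f"all nameservers belong to a single provider: {next(iter(providers))}"
        )
    if len(networks) < 2:
        findings.append(f"all nameserver addresses fall inside one /{prefix_len}")

    return {
        "providers": dict(providers),
        "networks": sorted(str(n) for n in networks),
        "findings": findings,
        "resilient": not findings,
    }


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        result = assess_ns_diversity(zone)
        print(f"{label}: resilient={result['resilient']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Two providers is the minimum, not the goal: if both providers resolve to the same upstream operator or the same anycast network, the check passes but the zone still has a single point of failure, which is why the ASN and public-suffix lookups belong in any version of this you actually run.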
So overall, we think we did remarkably well. How well will we do next year? Some of the highlights of our 2017 cybersecurity predictions are:
- An IoT-based attack (of a specific size) will dwarf anything we’ve seen to date, and healthcare firms will experience breaches on par with recent retail breaches.
- A massive breach and a botched response will put a specific type of organization out of business.
- To stem the tide of security intrusions and breaches, automation adoption will take off.
- The next president will face a cyber crisis in the first 100 days, and privacy concerns will come to a head.
Read our Predictions 2017: Cybersecurity report for the full details and learn how you should respond.