Note: This is the second post in a two-part series; Part 1 covers the earlier predictions.
We’re not done yet! A few more predictions for small business cyber security trends in 2016 are below. Read on to see what we expect to see in healthcare, regulation, and DDoS attacks.
Prediction #5. Healthcare cyber security will improve (but not enough)
By the end of the first half of 2015, healthcare was already the most-breached industry of the year. Breaches at Anthem, Premera Blue Cross, Excellus BlueCross BlueShield, and others affected more than 100 million records.
The FBI sounded the alarm in 2014 about lax data security in healthcare, and those warnings apparently went unheeded.
Health data encryption
Data encryption will become more popular in health IT in 2016. We predict this for two reasons:
Reason #1. “Lost and stolen assets” is the number-one cause of healthcare data breaches, according to cyber security statistics in the 2015 Protected Health Information Data Breach report from Verizon.
Reason #2. When an unencrypted device is stolen from a healthcare office, the organization must disclose this as a data breach. However, if the device is encrypted, the organization does not have to disclose the theft (because the thief most likely cannot access the data).
So healthcare organizations will want to cut down on their number-one cause of data breaches, and they can do that by encrypting data. This is why we expect to see an expansion of encryption as a small business cyber security trend next year.
Internet of unhealthy ‘things’
Researchers are also starting to find malware inside medical devices. And in July, for the first time, the FDA advised against using a medical device because of a major security flaw. We expect to see more news about the poor security of health devices in 2016 as the “Internet of Things” expands in the medical field.
Prediction #6. Cyber security regulation will expand
An avalanche of cybersecurity laws hit the business world in 2015. Some of them landed only last month.
In 2016, we will see cyber security regulation touch more industries. Well established guidelines, such as PCI DSS and HIPAA, may also adjust as more vulnerabilities are discovered.
Below are just a handful of recent developments in this space.
Information Sharing – Dec. 18, 2015
Signed just a few weeks ago as part of a major spending bill, the Cybersecurity Act of 2015 is now U.S. law. It includes the Cybersecurity Information Sharing Act of 2015 (CISA), which is intended to encourage companies to share cyber threat information with the federal government and each other.
U.S. Defense Contractors – Aug. 26, 2015
The Department of Defense issued an interim rule in August that obligates defense contractors and subcontractors to protect “covered defense information.” Cyber security incidents that affect systems containing this data must be reported. Policies and procedures for contracting cloud computing services are also outlined.
European Union – Dec. 16, 2015
New regulations in the European Union will affect companies around the world.
“The impact of the new General Data Protection Regulation (GDPR) cannot be overstated. It will affect not only companies established in the EU, but also any company in the world that processes personal data of EU residents, even if the company does not have an office there.” (more via Lexology)
Financial Services – Nov. 9, 2015
Banks in New York can expect more regulation in 2016. The New York Department of Financial Services sent a letter to state and federal regulators in November to ask for help crafting new cybersecurity regulation for financial institutions.
Sanctions on Foreign Actors – Jan. 4, 2016
The U.S. Treasury Department hopes to discourage cyber threats from overseas. This month it proposed new regulations that would impose sanctions on foreign actors behind cyber attacks targeting the country’s infrastructure.
Prediction #7. Same cyber security trends in small business
2016 will have a few surprises, but we also expect a few well-known, long-time cyber security trends to continue in small business IT.
Old vulnerabilities continue to dominate
First, new vulnerabilities will be discovered, but most security breaches will still be based on vulnerabilities that are at least 12 months old. Cyber security statistics from Verizon’s 2015 Data Breach Investigations Report show that an astounding 99.9% of the vulnerabilities exploited in 2014 had been disclosed more than a year earlier.
Whether through negligence or ignorance, people do not patch systems as often as they should. In 2016, outdated systems will continue to be breached by simple exploits that have been around for years.
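The point above is about patch lag: the gap between a vulnerability's public disclosure and the day it is either patched or exploited. The script below, an added example that is not part of the original post or of the Verizon report, reproduces that “old vulnerability” ratio over a constructed inventory and lists the unpatched items that have been sitting past a chosen patch window. The CVE identifiers, dates and the `Vuln` record are all constructed placeholders for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    cve_id: str                          # placeholder id, constructed for this example
    disclosed: date                      # date the vendor/researcher made it public
    patched: bool                        # has the fix been applied in our environment?
    exploited_on: Optional[date] = None  # first day we saw it exploited here, if ever


# Constructed sample inventory (placeholder CVE ids, not real advisories).
SAMPLE: List[Vuln] = [
    Vuln("CVE-0000-0001", date(2013, 3, 1), False, date(2014, 6, 15)),
    Vuln("CVE-0000-0002", date(2014, 2, 10), False, date(2014, 3, 5)),
    Vuln("CVE-0000-0003", date(2012, 11, 20), True),
    Vuln("CVE-0000-0004", date(2014, 1, 5), False, date(2014, 9, 1)),
    Vuln("CVE-0000-0005", date(2011, 7, 1), False, date(2014, 4, 20)),
    Vuln("CVE-0000-0006", date(2015, 12, 20), False),
]


def exploit_lag_days(v: Vuln) -> Optional[int]:
    """Days between public disclosure and first observed exploitation, or None."""
    if v.exploited_on is None:
        return None
    return (v.exploited_on - v.disclosed).days


def share_exploited_after(vulns: List[Vuln], min_age_days: int = 365) -> float:
    """Fraction of exploited vulns that were already older than min_age_days
    when they were exploited (the DBIR-style 'old vulnerability' ratio)."""
    lags = [lag for lag in map(exploit_lag_days, vulns) if lag is not None]
    if not lags:
        return 0.0
    return sum(1 for lag in lags if lag > min_age_days) / len(lags)


def overdue_patches(vulns: List[Vuln], as_of: date, max_age_days: int = 30) -> List[str]:
    """Ids of unpatched vulns disclosed more than max_age_days ago, oldest first."""
    late = [v for v in vulns
            if not v.patched and (as_of - v.disclosed).days > max_age_days]
    late.sort(key=lambda v: v.disclosed)  # oldest disclosure first
    return [v.cve_id for v in late]


def report(vulns: List[Vuln], as_of: date, max_age_days: int = 30) -> str:
    """Human-readable patch-lag summary for a status meeting or ticket."""
    lines = [f"Patch-lag report as of {as_of.isoformat()}"]
    ratio = share_exploited_after(vulns)
    lines.append(f"  exploited vulns older than a year at exploitation: {ratio:.0%}")
    for cve in overdue_patches(vulns, as_of, max_age_days):
        v = next(x for x in vulns if x.cve_id == cve)
        lines.append(f"  OVERDUE {cve}: unpatched for {(as_of - v.disclosed).days} days")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, date(2016, 1, 4)))
```

Run the same report against a real asset inventory and the overdue list becomes the concrete answer to “which of our systems are still exposed to year-old exploits,” which is the gap the statistic above describes.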
Email phishing will still work
Second, email phishing is very simple but very effective at penetrating cyber security defenses, especially when an attacker crafts a custom email for a target. On average, phishing emails achieve open and click rates that rival those of legitimate email marketing campaigns:
- 23% of recipients open phishing messages
- 11% click on attachments (via Verizon DBIR 2015)
Researchers saw phishing increase 74% in the second quarter of 2015 – so you can expect to see plenty of it in 2016.
DDoS attacks will grow bigger and badder
Third, DDoS attacks are a common means of cyber attack, and they seem to grow stronger and more popular every year.
We see no reason for the swell of DDoS attacks to end in 2016.
Defy the trends
All three of these small business cyber security trends involve simple but effective methods of attack, especially when used against unsuspecting targets.
The question is not if your organization will experience a data breach. The question is when, because the statistics show it is almost inevitable. Will it happen in 2016? Time will tell. But whenever it happens, be ready. Have your systems patched. Teach users about phishing emails. And protect yourself against DDoS attempts.