People often ask me what I see happening in the field of security. Recently, I had the pleasure of telling a group about this, which immediately lends itself to a nice article.
The trends I see range from threats to solutions and developments. So let's go!
1. An increasing number of cyber attacks
If you follow the news, this trend should come as no surprise. The number of cyber-attacks has been rising for years, and we see no end in sight. The rise is confirmed by the NCSC, which writes in its annual report for 2021 that 'Cyber attacks are affecting society's nervous system'. The NCSC mentions as a cause that the digital and physical worlds have become enormously intertwined and less easily distinguished from one another. Thus there are no longer any processes without a digital component.
The Dutch Personal Data Authority (DPA) also reports that the number of data leaks as a result of cyber-attacks has almost doubled. IT companies are mainly targeted, according to the Dutch DPA. In 2021 the Dutch DPA reported 25,000 data breaches, 9% of which were caused by cyber-attacks. The year before that, it was just 5%!
2. Processes without a digital component
The fact that there is no longer any process without a digital component also increases all organisations' dependence on suppliers. According to the Dutch DPA, it is precisely those suppliers (IT companies) that are often targeted. So the demand for such suppliers is getting higher and higher.
On top of this, there is a significant consolidation trend in the IT landscape, with IT companies merging to enter new markets or to offer different propositions. In this consolidation battle, the question is whether security is number one or whether the focus has been shifted. Supplier management is therefore high on the agenda at many organisations.
Regarding suppliers: during the Covid period, many organisations switched to Microsoft 365, Google Cloud or AWS. These implementations were often carried out quickly. Now the question arises whether this was also done in a secure and (privacy) compliant way. It is worthwhile to check this.
4. Zero Trust
Zero trust - never trust, always verify. This is a beautiful vision and solution. Whereas the principle of zero trust was still considered a bridge too far a few years ago ("That does not fit in our organisation"), we are gradually observing the adoption of more and more elements of zero trust. My opinion: we cannot escape zero trust.
To eventually reach zero trust, some things have to be put in order. I mention basic things like an application landscape, and a little further: Role-Based Access Control (RBAC) and automated Identity & Access Management.
5. Cleaning up and data minimisation
Organisations simply have too much data. And still do. This is again evident in the latest hacks, where BSNs, account numbers and copies of identity documents are appearing. Not to mention all the irrelevant apps and tools that collect far-reaching data. Fortunately, the awareness that too much data is being collected and stored is beginning to grow, and we have noticed a steady increase in 'clean-up' processes and thorough DPIAs.
Being prepared for hacks and ransomware. That is the trend of 2022 so far. Having the plans (business continuity plan) ready in case you are hacked, and knowing what to do. And: practice. Simulate a hack or ransomware attack on a random day!
7. Business Continuity Plan
One of the things that stand out when drafting a Business Continuity Plan is the question of how to know that a hack is underway. This is why the interest in good monitoring and SOC/SIEM functionality is increasing.
8. Privacy as a service
As mentioned earlier, a hack often means a data breach. But what about reporting this? Also, for data minimisation and retention periods, we see that staffing of the privacy office is often too limited to have everything set up compliantly. We therefore see requests for privacy-officer-as-a-service rising rapidly.
A positive trend is that we are also noticing an increase in security and privacy awareness among departments other than IT and the CISO. In addition, we see a substantial increase in interest from management, regulators and supervisory boards. This is a positive development since they set the budgets and bear the final responsibility.
10. Increase in maturity
In general, we could state that the maturity of organisations in the field of security and privacy is increasing. At the same time: taking security seriously costs more hours and time than previously budgeted or thought. And does the available time increase sufficiently along with the threats?
In a nutshell, these are the most important trends and developments that I have seen in the field of security. Would you like to know more about one of these trends and/or developments? Please feel free to contact me.