
Experts Flag 10 Emerging IT Security Trends

September 27, 2007
By Mathew Schwartz


Security defenses must constantly evolve to keep up with developing threats. We asked security experts to identify the top information security trends that will affect small and midsize businesses over the next three to five years.


Will the security program you have in place today stand up to tomorrow's threats?

To create an effective information security program, planning and preparation are key. In particular, security managers must understand how security threats are changing, and evaluate which new technologies will most effectively mitigate their top risks. Then, at least at small and midsize companies, they must identify and adopt the most cost-efficient and automated security approach possible.

Not surprisingly, given those criteria, a study by Forrester Research found that small and midsize companies' top security spending priorities this year will be to integrate new endpoint security technologies, to place more security defenses within the network fabric, and to continue adopting multifunction security appliances.

Yet given the scarce resources with which the average small or midsize company combats security threats, are these spending priorities appropriate? In addition, how might the security environment evolve over the next three to five years, and in that timeframe, which attacks, technologies, and techniques will hold the most peril -- or promise?

To find out, we asked security experts to detail the top 10 security trends for the near future:

1. Attackers Will Keep Innovating
What types of security threats will companies face over the next five years? "The general types of attacks and principles for security aren't going to change," predicts Randy Abrams, the director of technical education at ESET, a security software provider. Rather, "existing techniques and modes of attack will enable innovative new approaches."

Take the 419 scams perpetrated via e-mail. These are phishing attacks, which trick people into thinking they're dealing with a legitimate business online. Conceptually speaking, these attacks aren't new. Rather, the vast majority of today's attacks are simple variations on a theme -- how to steal money.

"What's really important for the business to focus on is understanding the fundamentals," says Abrams. In other words, maintain a strategy for mitigating top security threats, including updating security policies and regularly training employees, especially in the art of recognizing social engineering attacks. "Social engineering is going to continue to be one of the most successful attacks against SMBs," he notes, and "education is really your only defense against it."

2. Phishing Attacks Will Decline
Already, educators can point to a notable success: the declining effectiveness of phishing attacks. "Phishing is starting to burn out," reports Steve Cole, a supervisor at the San Mateo Credit Union, which has about 180 employees. "Internet Explorer 7, Firefox 2, extended security certificates from Verisign -- they've made a pretty big dent in all that, and it's just end-user training: Don't click links in e-mails."

Even though education is effective, in the future some automated defenses wouldn't hurt either. "I'd love to see something that would actually stop phishing attacks," he notes.

3. Vista Productivity Questions Linger
Despite the continuing prevalence of spam, spyware, malware, and the like, Cole says his biggest security-related headache isn't the latest attack, but rather the operating system now coming pre-installed on new PCs. "Near-term, our biggest difficulty is we're forced to put Vista on the desktop." He elaborates: "Every time I've talked to somebody about Vista, it's been an absolute nightmare," primarily because of the sheer number of "security-enhancing" prompts which ask, warn, or advise users before they try to do something that may not be completely safe.

If Vista's security enhancements create a potential productivity nightmare, how long might it take Microsoft to make it right? "Seven years ago, back at @stake, people were saying, 'What do we do about Windows 2000? Do we upgrade from NT 4.0?'" says Michael Gavin, security strategist at Security Innovation, a security risk assessment provider. "Our standard answer was, give it at least one or two service packs and plenty of time so everything can get worked out, because at this point in time, and not just from a security perspective, if something goes down on you, just because it's so new, you're out of business for a little while."

