Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That's not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.
"Critical infrastructure is one of the key worry areas," Durbin says. "We look at smart cities, industrial control systems — they're all using embedded IoT devices. We have to make sure we are aware of the implications of that."
"You're never going to protect the whole environment, but we're not going to get rid of embedded devices," he adds. "They're already out there. Let's put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices."
Crime syndicates take quantum leap with crime-as-a-service
For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they've been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.
"I originally described them as entrepreneurial businesses, startups," Durbin says. "What we're seeing is a whole maturing of that space. They've moved from the garage to office blocs with corporate infrastructure. They've become incredibly good at doing things that we're bad at: collaborating, sharing, working with partners to plug gaps in their service."
And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.
"They're interested in anything that can be monetized," Durbin says. "It doesn't matter whether it's intellectual property or personal details. If there is a market, they will go out and collect that information."
He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.
New regulations bring compliance risks
The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.
Sign up for Computerworld eNewsletters.