Where is data security heading in 2014?

Data security will be a big focus for organisations in 2014 as the Australian Privacy Principles and enhanced powers of the Privacy Commissioner take effect on March 12. Revelations this year of spying by the US government's National Security Agency (NSA) have also heightened awareness of security and privacy issues.

“We are going to see this increased focus on privacy. That’s because it has been brewing for a few years,” says Gartner research director Rob McMillan.

Pointing to examples published on the oaic.gov.au website of where organisations have failed to meet security requirements, McMillan warns that it looks like the Privacy Commissioner next year won’t be tolerating even the smallest of mistakes.

“If you read some of those case studies you’ll see how easy it is to fall foul of the [Privacy] Act. I was reading one case study the other day where one organisation… missed one vulnerability in their scanning, and as a result there was a privacy breach and they were found to potentially be in breach of the Act,” he says.

“With the Act changing next year, these sorts of misses or near enough won’t be good enough; they become more important than what they are now.”


Telsyte analyst Rodney Gedda says if there is one thing we can learn from the NSA revelations it is that organisations need to be on high alert, as clients or customers become more protective of their personal data.

“Where people would have trusted in their favourite cloud service, well, maybe they won’t [any more]. Maybe they will take a deeper look at what security levels the cloud service offers, what alternatives there are, how they can keep their data private even in the cloud, etc. So I think that’s the overarching trend for 2014.”


Gedda adds that organisations will also start to look at their security strategies in a more holistic way. “We will see more security strategies developing an end-to-end view, so not just ‘OK, I have got my cloud data here – I need to secure it. I have got my on-premise data here – I need to secure it. We’ve got mobile devices that can access either – I need to secure it’.”

Security-as-a-service will become a trend in 2014, McMillan says, driven by more corporate users accessing cloud-based services from their mobile devices.

“They might not be going through the security controls that are traditionally housed within the infrastructure in the home organisation; they will be going from the personally owned mobile device to a cloud service. That means the organisation, if they need to implement some level of security control, they will probably need a cloud-based security layer for those mobile devices to go through in order to implement their security policy.”

Advanced persistent threats are also calling for new defence technologies, says McMillan. Near real-time analysis of payload and monitoring of malware will be the main focus for many organisations next year, he says.

Forrester analyst Tim Sheedy says zero-day threats will continue to increase throughout 2014, spurring organisations to expect the unexpected.

“Next year or the year after we will see some unexpected, unpredicted security threat to our businesses. And we don’t know what that is today. Who would have thought there would be Cisco branded routers coming out of China that nobody knew were not Cisco’s and had malware on them?

“Who would have known there were printers in organisations spreading malware and viruses? No one can really predict these things.”

He says organisations should not only focus on preventing security attacks but also prepare for how they will recover if the worst-case scenario were to happen.

“For most organisations it’s not a matter of ‘will we be hacked?’ or ‘will we have a security threat?’ It’s a matter of ‘when will it happen?’” he says.

“There is a huge amount of misinformation regarding NSA [spying], regarding the [US government's] Patriot Act and you have lawyers giving various different advice.

“At the moment we can’t understand the risk around the access and availability of our information to other governments or other organisations. That’s regardless of whether information is sitting in our data centre or sitting in a cloud-based service.

“Therefore, you assume the highest level of risk and if you do that then you have to plan for what happens when that risk is realised.”

Follow Rebecca Merrett on Twitter: @Rebecca_Merrett



Copyright © 2013 IDG Communications, Inc.
