STUDY: Cyber attacks and IT security management in 2025
Expert survey concerning future trends and challenges in IT security


Executive Summary

Designated IT security experts in Europe and Asia were interviewed with regard to future IT security trends and challenges. They shared their views concerning the development of cyber attacks and security technologies until 2025. In addition, they provided notes on the biggest challenges and proposed different approaches for achieving more security in IT. The “big picture” for IT security based on the expert answers is characterized by an alarming future trend: a lack of IT security awareness among users and new technology providers is considerably complicating future IT security. Even more so: these factors will play into the hands of cyber attackers. This is a worrying outlook if one takes into consideration the rapidly growing dependency on (secure) IT in all areas of life as well as its potential disruption effects. The expert answers should be understood as warning signals: namely that it is high time to improve the framework conditions of users and technology providers for the further development of IT security, instead of unconsciously enhancing the sphere of activities for cyber attackers.


How secure is tomorrow’s IT?

Given the constantly reported incidents and attacks, the question “How secure is today’s IT?” does not seem easy to answer. Even more controversial is the question of how IT security will be doing in 2025.

The only ones capable of assessing that are today’s industry experts. They were interviewed in the course of this study about the digital threats that await us in the next couple of years as well as about the further development of IT security:

» With which types of cyber attacks will we be confronted in 2025?
» Which functionalities are IT security technologies currently lacking and what do they need to offer in 2025?
» Which are the biggest challenges for IT security today and which will there be in 2025?
» In which areas of IT security do companies need to invest in order to be viable in 2025?


About the experts and the method

In the course of this study, exclusively designated IT security experts were interviewed. In total, 110 experts participated. Among them:

» IT security officers of medium-sized and large enterprises with more than 10 years of professional experience

» highly specialized analysts who monitor the IT security of large corporations and who have university-based IT security degrees with continuous training in this area

» researchers who have worked in IT security research for more than 5 years

» programming experts specializing in IT risk analysis software

The survey was conducted in the second and third quarter of 2016. The experts came from 31 countries in Europe and Asia. They work for companies employing between 50 and 300,000 people. The study was conducted exclusively qualitatively. The survey was conducted in English. Access to the questionnaire was only granted to persons exclusively selected for this study as well as to directly contacted experts. The answers were submitted in writing and anonymously. They were subject to typological analyses. Examples of expert answers in their original wording are provided on the following pages.


Cyber attacks in 2025: This is what experts are expecting.

The statements of the experts were unambiguous. Cyber attacks of the future will be concentrated on the Internet of Things, will increasingly be conducted with the help of malware of the next generation and will focus especially on the user as a starting point.

Danger No. 1: The number of attacks with regards to the Internet of Things will explode

Almost a quarter of all expert answers concerned the Internet of Things (IoT). The connection of physical objects with the virtual world will lead to the disappearance of regular PCs. They will increasingly be replaced by “intelligent things” that support people in their daily lives. This development triggers entirely new IT security problems. According to the experts, IT security is strongly neglected in the design of intelligent things.

“The Internet of Things will play an important role in the future. Everything will be interconnected. Due to various standards existing in parallel there will be immense IT security problems. Ancient attacks will appear again – especially due to the Internet of Things because nobody is providing for IT security (and most of the devices are not able to offer an adequate level of IT security protection).” (Commentary of an expert in its original wording)

The comparatively easy vulnerability of devices is not the only thing considered a threat. The Internet of Things is also regarded as a starting point for an increase in cyber criminality.

“The Internet of Things is coming. Therefore your IoT-infrastructure will be used as a basis for ransom attacks (analogue to today’s crypto-viruses) or espionage (from private persons to governments).”


Danger No. 2: malware of the next generation will be even more dangerous

Malware is and remains a widely distributed type of cyber attack, according to 21% of experts. It comprises e.g. computer viruses, computer worms, trojans, backdoors (for example for the usage of compromised computers as spam distributors or for DDoS attacks), spyware, scareware and ransomware. It is mostly distributed via the communication channels of companies and users, e.g. as email attachments or through web downloads at available computers.

According to the experts, malware will develop further in all its facets in the future.

“Malware of the next generation – adapts itself, and is changing. Software is ever more complex – as a consequence bugs are created that represent potential security loopholes.”

Malware of the next generation is entirely automated and distributed through autonomously acting programs. Therefore, in a short period of time malware is capable of infecting millions or billions of others.

“Customers accept integrated backdoors in standard software (e.g. Windows 10). These security gaps can be insufficiently secured on the side of the software provider and therefore be exploited by hackers. Autonomously acting computer programs are attacking systems with previously unknown precision, range and speed.”

“Attacks with undreamed of precision, range and speed”

“Integrated backdoors”


With which types of cyber attacks will we be confronted in 2025?

» Attacks in the context of IoT: 24%
» Malware of the next generation: 21%
» Social engineering: 14%
» Extensive, targeted attacks: 13%
» Attacks through artificial intelligence: 10%
» Attacks on Clouds: 6%
» (Other): 12%

“Users are the weakest link”

“Social engineering is growing”

“Personal data is stolen”

Danger No. 3: The user as starting point for attacks, especially for social engineering attacks

“Users will remain the weakest link in the entire system.”

Users are considered, today and in the future, the starting point for targeted and mass attacks. 14% of all experts focus on this aspect.

A big danger emanates especially from social engineering attacks. Social engineers spy on the personal environment of their victims, partly over weeks and months, and deceive them or make use of specific behaviors such as obedience to authority. Their goal is to trigger certain behaviors in their victims, e.g. to relinquish confidential information, buy products or release financial means. In 2016 various cases with damages in the two-digit million range became known.

“Social engineering will get a lot stronger, personal data will be stolen in order to get hands on passwords, passwords from other accounts will be stolen in order to get to know used passwords.”

Other frequently mentioned types of cyber attacks comprise extensive, targeted attacks on companies, economies and governments, attacks with the aid of artificial intelligence, attacks on clouds and theft of user data.


Tomorrow’s IT security technology

Experts say: IT security technologies have to get more “intelligent” and offer a considerably higher degree of automation. Further developments are urgently necessary in the area of authentication.

Most important ability: artificial intelligence for prompt reactions to attacks

More than 28% of the experts’ answers address the further development of artificial intelligence for IT security technologies.

Theoretical research on this topic has existed since 1999. The first milestone for the actual, practical usage of intelligent systems was reached only recently due to the immensely long computing times and the high-performance processes they require. Since then artificial intelligence has been applied to the detection of cyber attacks. Work on extending its field of application is proceeding under high pressure.

“IT security systems could communicate with each other and tune themselves (self defense of systems). If this is possible in the context of artificial intelligence in 2025 is questionable.”

Additional important abilities: Major advances in automated attack detection and reaction

In the future, a large part of attacks will be based on automated processes. Systems can thus be attacked a million times at short notice, and targeted attacks can also be supported by machine intelligence. According to 24% of the experts, risk detection processes have to be more strongly automated and threats need to be met more effectively. Analysts cannot keep up with the speed and volume because today’s evaluation work is still very manual. In future they need considerably more support from automated attack detection processes and far-reaching reaction mechanisms. Experts repeatedly mention in their answers that in 2025 there will still be no “substitute” for human intelligence and analysis capabilities.

“Intelligently automated detection of targeted attack. They have to be capable of actively preventing security-relevant events, not only for logging and documenting.”

“Artificial intelligence”

“Self-defense of systems”

“Automated attack detection”


And a third component: Urgently needed new authentication methods

Conventional password protection is regarded as very critical and not fit for the future by 14% of the experts.

Access and password data is currently massively available for purchase in the darknet, and finds matching buyers. They use the data for automated or specific use on portals and web sites, for spying on mail accounts or for preparing social engineering attacks.

“The end of the password generation”

As a solution, biometric identification processes were mentioned on the one hand. For this purpose, unique attributes of people such as fingerprints, patterns of the iris, the pattern of veins on hand palms or the voice could be used. On the other hand, authentication by means of a hardware token, a sort of electronic key, is recommended.

“Authentication with the help of hardware tokens. Passwords are getting longer and more complex. This leads to the fact that users have to write down passwords and that trigger new, respectively already known problems. A possible solution is hardware tokens as second security layer.”

Besides these three components, the following were also mentioned: heuristic analyses, improvements in communication between various software and solutions with the goal of proactive attack prevention.

What do IT security technologies have to offer in 2025?

» Artificial Intelligence: 28%
» Automated attack detection and reaction: 24%
» New authentication methods: 12%
» Heuristic Analyses: 8%
» Improvements of communication between software: 6%
» Proactive attack prevention: 6%
» (Other): 16%

“The end of the password generation”

“Hardware Token”

“Biometric Identification”


Challenges for IT security today and in 2025

According to the experts’ responses, various challenges that they observe at this moment should be solvable in the future. Other challenges will also exist in the future or will even grow.

An area which is especially critical for IT security today: The lack of IT standards and coordination between actors that fight against cyber criminality

From the perspective of the experts, the lack of IT standards makes life easy for attackers. In addition, there is little coordination between different states, companies and organizations in the fight against cyber criminality. This is what 30% of the experts have to say with regards to today’s challenges. Effective information exchange could prevent attacks but is neither promoted nor supported by governments.

“The lack of standards and coordination between countries offers attackers plenty of freedom.”

Fast technological progress, above all the IoT, is considered a permanent challenge for IT security, both for the “here and now” and for 2025

“As technologies are developing itself at breakneck speed, IT-security will have difficulty to keep up with the new, disruptive threats.”

The speed of the technological advance is breathtaking. According to 18% of the experts, companies are deferring the issue of IT security in order to put their products on the market faster. Attackers are exploiting this approach.

“(Today’s challenge consists in…) integrating the speed of the technological change adequately and consistently in the IT security.”

Criticism is directed not only at IT security in the context of the fast development and distribution of technology in everyday life. The neglect of IT security in the design of new devices and applications is also criticized.

“The biggest challenges are consisting in the protection of mobile devices and integrated systems as they were not designed in the context of application security.”

“Lack of IT standards and coordination”

“Technology development at breakneck speed”

“Disruptive threats”


Here the challenges are growing: Users, their security awareness and knowhow

As users are already considered an especially decisive starting point for threats to IT security (see question 1/social engineering), they are also at the top of the list with regards to the question of challenges arising in the future. 24% of experts agree with this statement.

“The creation of security knowhow for users of information technology is a big problem. We have to start training the young generation with regards to the issue of IT security so that they know at a later point how technology can be used safely.”

The lack of security knowhow is connected with a lack of awareness of the responsible handling of one’s individual data.

“(To the challenges belong…) people that are not aware that their personal and corporate data are goods that need to be protected.”

And this is an increasing problem: the analysis of today’s data mass and the future data explosion

Extracting essential information from immense masses of data gets increasingly difficult the bigger the data base is. And the data base will get bigger and bigger in the future. This is what 18% of the experts confirm and see as one of the main challenges for IT security management in the future.

“(The challenge is…) at present: the handling and the interpretation of immense data volumes. As also found in the Snowden case, even the NSA has problems with the handling of collected data. 2025: the same problem, only that there will be even more data, even more devices and faster technologies. Facebook and other companies intend to bring the Internet to the entire world. Consequently not only the amount of users but also the amount of attackers and the existing data will increase.”

The experts addressed cloud computing as well as the growing complexity of attacks numerous times in their answers.

“Young generation and IT security”

“Data explosion”

“Big Data Analytics”

“Cloud Computing”


Resource allocation for a secure corporate IT in 2025

IT security will need more attention within companies in the future. This challenge is regarded as top priority and is thereby also at the top of the recommendations for investments in security technologies.

The experts are warning: Companies have to increase their awareness on all hierarchy levels and need to train their security professionals continuously

According to the experts, human resources need to be the focus of the right resource allocation. 46% of all experts point out a lack of awareness of IT security on all hierarchy levels.

“The current lack of IT security professionals is a big problem, but in fact the neglect on CxO level is the biggest problem as IT security is only regarded as a cost factor until something happens. This is the case today and will most probably not be changing until 2025.”

New technologies will strengthen the necessity to boost the awareness of IT security.

“Cloud nowadays stands for most of the security problems due to the required cost reductions in the company. Persons and companies do not care a lot about IT security. In 2025 even more data will be online and more systems will be connected, thus can be manipulated with serious consequences.”

Besides that, the experts point out a specific starting point for targeted investments in the existing IT security area of companies: the constant and intensive training of IT security professionals with regards to new threats and technologies.

“At the moment: raise awareness. The stakeholders and the majority of staff worldwide are in the security stone age. If each company only has a small number of experts this will not lead to full protection. 2025: I do not dare to make predictions, but according to my estimation I think it will remain the same. Because then the majority will have arrived in the security middle ages, while the prevention of attacks would actually require abundant awareness of modern scenarios.”

“Staff in the security stone age”

“Ignorance on CxO level”

“2025 – possibly security middle ages reached”


More attention to automatized analyses of security relevant data in real time

“(It should be created…) a better overall access to the issue of IT security: predict attacks and implement security mechanisms in the applications, not only one security level above”

Right after the investments in human resources come the investments in the advance of IT security technologies. 24% of experts see the necessity of investments in the automated analysis of security relevant data in real time. The merging of the IT contained in products with their security components is also a frequently addressed topic. This means: IT security has to be considered already in the product development phase.

“Automated handling, e.g. a system finds a new vulnerability and closes it. But this would mean that other products have implemented an interface with code and behavior modifications.”

Additional multiple responses comprise investments in (actually) secure cloud solutions and in the development and increased application of Open Source Software.

In which areas of IT security do companies need to invest in order to be viable in 2025?

» Boost awareness, train security professionals: 46%
» Automated analyses of security relevant data in real time: 24%
» Development and usage of Open Source Software: 8%
» Investments in (actually) secure Cloud solutions: 7%
» (Other): 15%

“Predict attacks”

“Analyses in real time”

“(Actually) secure cloud solutions”


Conclusion: The framework factors that define the future of IT security

Based on the expert answers, important framework factors that define the future were derived. These are:

» the user behavior
» advance of IT security at similar pace as the technological progress
» the development of cyber attacks in comparison with the further development of IT security technologies

The user behavior

Experts observe with deep concern the current knowledge of various users with regards to incidents, gateways and threat potentials through cyber attacks. Also alarming is the fact that users often take only the advantages of new technologies into consideration and only see the simplification of their daily lives. Despite partially existing skepticism, technologies are rapidly asserting themselves. Especially the Internet of Things is mentioned in this context. In addition, many users lack awareness of the value of data.

An improvement of the situation is not foreseen for the future. Rather, the experts are worried that users in 2025, within and outside their professional world, will offer a potentially bigger target than today. The gateways for attacks will be almost uncontrollable for users. They will be exposed to these threats completely unprotected.

Furthermore, what experts already see in its initial phases today and what they categorize as the biggest threat for IT security: the user as central target or “unconscious helper” for successful attacks.


The advance of IT security at similar pace as the technological progress

The speed of the technological advance, above all the Internet of Things, is causing considerable concern among experts. New technologies are quickly launched on the market. Security aspects are thereby often neglected. “Security by design”, i.e. taking security into consideration in the course of product development, is often missing. In fact, backdoors are often installed in software that play into the hands of attackers.

Experts observe this with deep concern. Technology will unfold in nearly all areas of our professional and private lives. Thereby the dependency on technology is drastically increasing and system failures are having extensive effects. Furthermore, disruptive technologies are creating the same threats.

For the experts, an advance in IT security at a similar pace to the technological progress on the road to 2025 is not apparent.

The development of cyber attacks in comparison with the further development of IT security technologies

According to the experts, today’s cyber attacks are successful due to, among other reasons, the lack of coordination between states, companies and organizations, unmanageable masses of data and a negligent handling of data worth protecting.

For the future, experts foresee an explosion-like growth in attacks and in the number of attackers. The basis for this is the growing number of connected people and devices and the exponential growth of data masses. The threat potential lies in the extensive effects of potential system failures. At the same time, the attack technologies are becoming quicker, more precise and more complex.

In this context the race between those responsible for IT security and cyber attackers is only getting tougher.

Technological advance

User behavior

Further development of cyber attacks

Today:
» Missing security by design
» Backdoors in software
» Too quick product launch

2025:
» Explosion-like growth of attacks and in the number of attackers
» Basis: growing number of interconnected people, devices and data masses
» Quicker, more precise and more complex attack technologies

Today:
» users have little knowledge about incidents, gateways and threat potentials as well as a lack of awareness with regards to the data value

2025:
» Users are considerably larger target than today
» Gateways for attacks are almost uncontrollable
» Users are exposed to threats mercilessly

Today:
» Advantages of new technologies lead to (quicker) acceptance
» High dependency of technologies in many areas

2025:
» Technology in nearly all areas of professional and private life
» Very high dependency on technology in all areas
» Extensive effects of system failures

users within and outside of their professional world

» Potential of further development does exist as direction is clear
» Role that IT security is playing for users is regarded as minor
» Doubts, if IT security can develop fast enough
» Reminder for users: live more self-confidence

Further development of IT security

Impact: Competition becomes tougher

Problem: Neglect of IT security, at the same time: user behavior as “uncontrolled risk” for IT security

Problem: apparently no similar pace in advances


Where experts would get started in order to make IT more secure for the future

The starting point for better framework conditions for IT security is the users. The often marginal role that IT security plays is criticized. Experts are therefore urging users to show more self-confidence in IT security, which means actively protecting data, actively informing oneself about threats and protection, rejecting badly secured technologies and forcing providers toward more security awareness.

This would lead to improvements of two important foundations for framework conditions of future IT security: advances in IT security at similar pace as the technological progress. Providers would have more incentives to put the security of their products in focus and to take IT security into consideration in the course of product development.

Basically, experts see enormous potential in the further development of IT security technologies. Specific directions (artificial intelligence, automation and threat detection in real time) are also identified. Experts only have doubts with regards to the speed of the advance in IT security. Is IT security developing as quickly as the framework conditions require?

Outlook

Experts are currently observing an alarming future trend: the lack of IT security awareness among users and technology providers is making the progress of IT security difficult. At the same time these factors are playing into the hands of cyber attackers. This is an alarming trend if the strongly growing future dependency on (secure) IT in all areas of life and the comprehensive effects in case of failures are considered.

The expert answers should be understood as warning signals: namely that it is high time to improve the framework conditions of users and technology providers for the further development of IT security, instead of unconsciously enhancing the sphere of activities for cyber attackers.


© 2016 RadarServices Smart IT-Security GmbH. FN371019s. Commercial Court. All rights and modifications are reserved. RadarServices is a registered trademark of RadarServices Smart IT-Security GmbH. All other products or company names are if applicable trademarks or registered trademarks of the respective owners. Copyright notice: Cover, page 16 – iStock.com/hocus-focus | page 4 – iStock.com/NI QIN | page 8, page 10 – iStock.com/South_agency | page 12 – iStock.com/Courtney Keating | page 20, page 24 – iStock.com/xijian

RadarServices
Cybersecurity World
Zieglergasse 6
1070 Vienna, Austria

Phone: +43 (1) 929 12 71-0
Fax: +43 (1) 929 12 71-710
E-mail: [email protected]
www.radarservices.com

Authors of this study: Dr. Isabell Claus; Claudia Panozzo, MA; Translation: Mag. (FH) Sigrid Walzl, BA

About RadarServices Publishing

RadarServices Publishing is publishing articles, reports, studies and journals with regards to the subject matter of IT security. Our goal is to provide an insight into the experiences of industry experts as well as to pass on knowhow regarding IT security through academic and non-academic research to companies, public institutions and other organizations. We are actively including co-authors from academia and the economy in order to promote knowhow about current developments in the field of IT security in the public and especially for corporate executives as well as in politics. RadarServices Publishing is part of RadarServices.

About this publication

This publication exclusively contains general information. RadarServices and/or its related companies do not render technical consulting services with this publication. This publication does not substitute consulting services and should not be regarded as a basis for business or investment decisions/negotiations. Neither RadarServices nor its related companies are liable for losses that incurred due to persons relying on information provided in this publication.

About RadarServices

RadarServices is the European market leader for proactive IT security monitoring and IT risk detection as managed services. The services uniquely combine automated detection of security relevant issues and risks with the analysis and assessment done by experts. Data never leaves the client’s premises. There is no need for training, configuration or maintenance and no requirement for additional capital expenditures or headcount.