Reality: 100% protection against cyber threats is impossible

Smartphones’ increasing sophistication and the internet of things will create additional risk.

Video transcript:

People often want to know, “Can I be protected completely?” And the answer to that is no, there is not a time where you can reasonably expect to be 100% protected. And that’s a scary thought for us to face, and it’s kind of a new thought. Just a few years ago, I would have been more optimistic to say, “Yes, you can reasonably expect that you’re not going to have a breach or some event,” but now I think if you line up security professionals, they will pretty much agree that it’s no longer if but when, and there is likely to be some issue, some problem or breach somewhere down the road. The criminals are smart, and they are staying one step ahead of the people trying to protect against them, so it’s an evolving, continual threat.

As we go into the future, I think we will see more tools and more things that will make us more comfortable. Biometrics has now taken off, and it’s become real time. I tried to use some biometric devices a number of years ago, and they just weren’t ready for primetime, but now I can access my bank account from my phone using my thumbprint and that’s wonderful. So I think we will see more in that arena, but we will also see more threats because as we move to the internet of things, and we can control everything from a smartphone, we’re going to see more risk with that. And products are put out quickly these days, and there’s not as much time for testing, and there’s not as much time to devote to security as there may have been once. So I expect the future will hold more threats with mobile devices, more threats with internet of things, other devices being hacked and targeted, and I think the ransomware issue will continue to plague us for some time.

It’s important that we acknowledge the risk and it’s certainly big and scary, but we can’t stop doing business. So we have to take steps to protect ourselves, and we have to do the basic things—get the basic tools, put in layers of controls—and if we do that we really can minimize the risk tremendously. I think over 90% of the breaches last year had malware or vulnerabilities as a central component, and so if organizations will put a lot of resources into keeping systems updated and trying to limit the people clicking on phishing emails and limit the malware coming in, those steps could take the risk and shrink it tremendously. So there is some optimism of getting the word out, putting some tools in place, and I think we will just see organizations better protected. It’s the organization that’s not taking any steps to measure their risk, so they haven’t tried to mitigate it. We have good track records with people we work with. Once we present the risk to them and they put steps in place, they shrink their risk.
