2014 saw a seemingly inexorable stream of cyberthreats and data breaches that hit retailers, banks, gaming networks, governments and many other organizations.
Although the calendar year is coming to an end, cyber threats can be expected to keep growing in severity, complexity and scale, says Steve Durbin, managing director of the Information Security Forum (ISF), a non-profit association that assesses security issues and manages risk on behalf of its members.
Durbin says that the ISF sees five security trends leading 2015 and beyond.
“There’s not a lot that’s really new,” Durbin says. “What’s new is the increase of complexity and sophistication.”
1. Cybercrime. Durbin states that the Internet is an increasingly attractive hunting ground for criminals, activists and terrorists who want to make money, get noticed, cause disruption, or even bring down corporations and governments through online attacks.
Today’s cybercriminals operate mainly out of the former Soviet states. They are highly skilled and well equipped, and, Durbin says, they frequently use 21st-century tools to attack 20th-century systems.
Durbin states, “In 2014, we saw cybercriminals demonstrate a higher level of collaboration amongst themselves and a greater degree of technical competence that caught many large organisations unawares.”
He says that in 2015 organizations must be prepared for the unexpected so that they can withstand high-impact, unforeseen events. Cybercrime, the rise of hacktivism, the growing cost of compliance with expanding regulatory requirements, and relentless advances in technology, all against a background of underinvestment in security departments, combine into a perfect threat storm. Organizations that know which information and systems their business depends on most will be able to quantify the business case for investing in resilience and so minimize the impact of the unforeseeable.
2. Privacy and Regulation. Most governments have created or are currently creating regulations that impose conditions on the use and safeguarding of Personally Identifiable Information (PII). Organizations that fail to adequately protect it will face severe penalties. Durbin says that privacy must be treated as both a compliance issue and a business risk in order to reduce regulatory penalties and business costs, such as reputational damage or loss of customers, due to privacy violations.
In 2015 organizations will be further burdened by the patchwork nature of regulation around the world.
Durbin states that there are increasing plans to regulate the collection, storage and use of information, along with severe penalties for data loss and mandatory breach notification, particularly in the European Union. “This will continue to develop further, imposing an overhead of regulatory management above the security function and necessarily including legal, HR, and Board-level input.”
He suggests that organizations use the EU’s struggles with data breach and privacy regulation as a gauge of their own capabilities and plan accordingly.
“Regulators and governments want to get involved,” he says. This puts organizations under greater pressure: they must have the resources to respond and must know what is happening. If you have in-house counsel, you will be making much more use of it; if you don’t, there will be a cost.
3. Threats from Third-Party Suppliers. Supply chains are an essential component of every organization’s global business operations and the backbone of today’s global economy. Durbin states that security chiefs around the world are increasingly concerned about how exposed their organizations are to a range of risk factors. Suppliers often hold sensitive and valuable information, and once that information is shared, direct control over it is lost. This raises the risk of its confidentiality, integrity or availability being compromised.
Even seemingly innocuous connections can serve as an attack vector. Target was breached through its HVAC vendor: the attackers used the vendor’s access to a web application Target exposed for submitting invoices.
Durbin states that over the coming year third-party providers will remain under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality and integrity. Organizations of all sizes need to think about the consequences of a supplier having unintended but potentially harmful access to their intellectual property and to customer or employee information. This thinking should not stop at manufacturing or distribution partners; it should include professional service suppliers such as lawyers and accountants, who routinely have access to an organization’s most valuable data assets.
Durbin also says that infosec specialists should work closely with those responsible for contracting services so that thorough due diligence is carried out on any prospective arrangement.
He says that it is crucial that organizations have business continuity plans in place to increase resilience and senior management confidence in their functions’ abilities. A well-structured supply chain information risks assessment approach can help to break down a daunting project into manageable parts. This method should not be supplier-centric and should be information-driven. It should be scalable and repeatable throughout the enterprise.
4. Trends in the Workplace: BYOx. The bring-your-own (BYOx) trend is here to stay, Durbin states, yet few organizations have put good policies in place to deal with it.
“As employees bring mobile devices to work, applications are becoming more popular.”