In a few short years, we’ve gone from worrying about securing the network perimeter to worrying about everything. As organisations struggle to manage complex technology, data proliferation, and increasing government intervention (amidst a shortage of skilled information security professionals) they risk being overwhelmed by the sheer volume of threats.
The global security threat landscape shifts constantly, threatening to topple organisations that aren’t firmly grounded by comprehensive security measures and a holistic approach to risk management and information governance. As attacks intensify, business reputation and shareholder value are at stake. Disruptive business models, global crime syndicates, rogue governments, and supercharged connectivity, collectively introduce unprecedented levels of uncertainty.
So how can organisations avoid becoming lost in the maze?
The Information Security Forum (ISF) recently released Threat Horizon 2018, the latest in our annual series of reports which provide organisations of all sizes with a forward-looking view of the increasing threats in our always-on, interconnected world. In this report, we discussed the top three emerging threat themes, as determined by ISF research, to information security over the next two years.
Here are a few of the highlights:
As technology and connectivity spread, threats intensify and multiply
Technology will increasingly become an integral part of everyday life in modern society over the next two years, both at a business and a personal level. Organisations will seek to maximise efficiency and effectiveness through improved connectivity. However, with these benefits will come associated threats. The expanded and more complex security threat landscape will see new vulnerabilities introduced by the growth of the Internet of Things (IoT).
The billions of devices that comprise the IoT will collect a wide variety of data from users, who will be unaware that it is happening, where the data is being stored, or who has access to it. Additionally, these devices may be inadequately protected, exposing critical infrastructure – such as industrial control and financial systems – to malicious actors.
As organisations deal with this complex digital environment, they will respond by automating tasks previously performed by people. Human cognitive abilities will be regarded as a bottleneck to task completion and efficiency. In response, algorithms will be increasingly used to ensure tasks are performed with accuracy and timeliness. However, the interactions between these algorithms will become complex to understand, introducing the potential for significant vulnerabilities. As a consequence, new challenges will be created for those tasked with identifying, assessing, and managing the resulting information security risks.
Today’s protective measures will not stand up to tomorrow’s threats
Dealing with cyberattacks and avoiding data breaches is enough to keep most organisations busy, but this will become even more challenging as established methods of information risk management are eroded or compromised by a variety of (usually non-malicious) actors.
The problems will begin at the top, with misalignment between board expectations and the reality of the security function’s capability. Having increased information security budgets, the board will expect change to happen quickly and may not fully appreciate the scale of the organisation’s information security challenges. When a major incident occurs, this misalignment will be exposed for all to see.
These challenges are multiplied when knowledge of software vulnerabilities is deliberately suppressed. This will happen with increasing frequency as security researchers discover vulnerabilities, only to be threatened with legal action by the manufacturer if they disclose the details publicly. This will prevent organisations from maintaining and strengthening their security.
The financial impact of some information security risks are already being transferred through cyber insurance. However, several large data breaches will expose aggregated risks and cause insurers to suffer significant financial losses. As a result of this mispricing debacle, several insurers will be forced out of business while others will raise premiums significantly, expand contract exclusions and restrictions, or avoid cyber insurance altogether. This will make cyber insurance no longer financially viable for many organisations, and the market will contract and take several years to recover.
Government intervention and regulation will complicate security on a global scale
Governments around the world will take an even greater interest in scrutinising both new and existing technology products and services used by their citizens. They will begin to adopt a more intrusive approach in dealing with organisations that handle personal information, especially major technology companies. These governments will justify their activities on the grounds of regulating disruptive business models and organised crime. However, their efforts in combating international crime – where many think they should be concentrating their resources – will fall significantly short of expectations.
A key trigger to the change in the attitude of many governments will be the effects of disruptive business models on local economies. These models include those introduced by Uber, Airbnb, and Google, which often ignore or overlook local regulations when pursuing aggressive international growth targets. However, while regulatory action will begin by focusing on what could be perceived as anti-competitive practices, it will quickly be extended to include many other technology companies that could be accused of violating privacy and data protection regulations.
Many of the resulting regulations will be aimed at monitoring the location of information, particularly information that travels internationally through cloud services. To overcome the natural time lag between the deployment of new technology and government regulation, many regulators will err on the side of caution and over-regulate. These actions will fragment cloud environments by incentivising both organisations and cloud providers to divide data centres along national boundaries.
Cybercriminals will continue to exploit gaps between the law enforcement mechanisms of different countries. The new threat is that the capability of cybercriminal groups is now equal to many nation states, and will surpass some of them in the near future. Organisations will respond by turning to their law enforcement agencies for assistance with cross-border investigations, leading to growing tensions between governments that are unwilling or incapable of collaborating to fight cybercrime.
While a new and more open dialogue on these threats will gradually begin between the world’s major technology companies and governments, this is unlikely to produce tangible results before 2018.
Plan now to be ready for rapidly emerging threats
Information security professionals are facing increasingly complex threats, some new and others familiar but evolving. Their primary challenge remains unchanged; to help their organisations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
As dangers increase on a global scale, methodical and extensive commitment is needed to ensure that practical plans are in place to deal with major changes the future could bring. Employees at all levels of the organisation will need to be involved, including board members and managers in non-technical roles.
These three themes outline the dangers that should be considered most prominent. Invest the time and resources now to assess their potential impact on your most valuable assets and most critical operations. As the use of the Internet spreads, takes on new forms, and advances in nonlinear fashion, unintended consequences and negative developments will transmit through cyberspace at the speed of lightning.
Many organisations will struggle to cope as the pace of change intensifies. Adopting new security measures while in the midst of radical change is like trying to build a house in a hurricane. Set about laying a strong and resilient foundation now: do the groundwork of comprehensive risk management, weave business and IT leadership into a collaborative defensive strategy, and build an organisation capable of rapidly and proactively addressing changes in regulations, threats, and technologies.
Steve Durbin is Managing Director of the Information Security Forum (ISF)