In the year ahead, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will most certainly impact both shareholder value and business reputation.
After reviewing the current threat landscape, we at the Information Security Forum believe there are four prevalent security threats that businesses need to prepare for in 2017. These include, but are not limited to:
- The Internet of Things (IoT) adds unmanaged risks
- Crime syndicates take a quantum leap
- Government and regulators won't do it for you
- The role of the end user - the weakest or strongest link in the security chain
The IoT adds unmanaged risks
Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. Fines for data breaches will increase. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organisations and impose even bigger fines. The European Commission has said it is planning to push industry governance measures to improve the security of internet connected devices such as cameras, set-top boxes and other consumer electronics, amidst increasing exploitation of such devices to carry out online attacks.
When it comes to corporate communications, the primary way that many connected devices communicate is via the cloud. Organisations need to understand that putting private information into the cloud creates risk that must be understood and managed properly. Organisations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centres scattered across the globe. In moving their sensitive data to the cloud, all organisations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.
With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organisations need to know precisely to what extent they rely on cloud storage and computing.
Crime syndicates take a quantum leap
Criminal organisations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organisations will facilitate their diversification into new markets and the commoditisation of their activities at a global level. Some organisations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime.
Organisations will struggle to keep pace with this increased sophistication and the impact will extend worldwide. Rogue governments will continue to exploit this situation and the resulting cyber incidents in the coming year will be more persistent and damaging than organisations have experienced previously, leading to business disruption and loss of trust in existing security controls.
Emerging markets will be hit the hardest, particularly where newly connected organisations are novices with online security. This may also occur where the rule of law is weak and political structures are susceptible to co-option or corruption. Cooperation between governments and international organisations such as Interpol will be strained and appear feeble when faced by the challenges of safe havens for criminal organisations.
Government and regulators won't do it for you
The number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organisations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organisations while doing little to deter attackers.
With reform on the horizon, organisations conducting business in Europe, or those planning to do so, must get an immediate handle on what data they are collecting on European individuals. They should also know where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it.
The demands of the incoming EU General Data Protection Regulation and the Network Information Security Directive will present significant data management challenges to the unprepared with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber-attack or information loss.
The end user - weakest or strongest link in the security chain
In the coming year, organisations need to focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviours that affect risk positively. The risks are real because people remain a ‘wild card’. Many organisations recognise people as their biggest asset, yet many still fail to recognise the need to secure ‘the human element’ of information security. In essence, people should be an organisation’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviours that will result in “stop and think” behaviour and habits that become part of an organisation’s information security culture.
While many organisations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviours can reduce that risk.
Don't be left behind
Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organisations need to be aware of the emerging threats that have shifted in the past year, as well as those that they should prepare for in the coming year.
By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately. This will be of the highest importance in 2017 and beyond.
Steve Durbin, managing director, Information Security Forum