By the end of 2013, revelations about how governments had been surrendering commercial and personal privacy in the name of national security – compounded by a number of major economic and technical developments – have left citizens trust in cyberspace badly shaken, and the timing couldn’t be much worse as many CEOs are ramping up their demands to take even greater advantage of cyberspace.
So if this is where things are now, how will all of this look by 2016? How will new threats hurtling over the horizon complicate matters even further? Just what will organizations be able to rely on? And most importantly, are they powerless or can they do something now?
Threats are on the Horizon
At the Information Security Forum, we recently released Threat Horizon 2016, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world. In this report, we’ve determined that organizations are quickly coming to the realization that what they have trusted and taken for granted for so long, must now be completely re-assessed.
Threat Horizon 2016 highlighted the top three themes, as determined by our research, to information security over the next two years. These include:
- No-One Left to Trust in Cyberspace – Organizations must prepare to operate in an environment where governments no longer balance national security with citizens’ and business’s best interests
- Confidence in Accepted Solutions Crumbles – Organizations need to build resilience against cyber threats at a time when a number of accepted solutions are no longer viable
- Failure to Deliver the Cyber Resilience Promise – Unless Chief Information Security Officers (CISOs) evolve their skill set to ensure that they can anticipate the CEO’s needs and deliver on an increasingly demanding digital agenda, they will fail
Threat Horizon 2016 also highlighted the top ten threats to information security over the next two years.
Let’s take a look at a few of the highlights:
Nation-State Backed Espionage Goes Mainstream
Nation states and governmental organizations are attempting to counteract the repercussions from the Snowden revelations while at the same time showing little signs of winding down espionage activities. In order to demonstrate they are in control, they will swing the pendulum between over-reacting and putting in place excessively restrictive rules and regulations, and taking a series of watered down actions to ease public anxiety. Whichever way the pendulum swings, doing business on the Internet is likely to be more complicated and result in increased transaction costs.
Organizations will be targeted by nation state backed players with large budgets and varying agendas – all with little legal recourse. The result will be an even more unruly cyberspace trading environment, characterized by more actors, more attempts at espionage or other malicious activities and, likely, the theft and exploitation of these new tools by criminal organizations. Businesses should reinforce basic information security arrangement. This means understanding what and where the most critical information assets are and their key vulnerabilities and the main threats against them. Standards and controls should be in place to mitigate the associated risks to these assets.
A Balkanized Internet Complicates Business
Organizations will no longer be able to depend on a free and open Internet as governments attempt to govern their corners of the Internet. Nation-states have already attempted to introduce governance of the Internet via the International Telecommunications Union (ITU), the United Nations and Internet Governance Forum, to name a few. This will prove unsuccessful and in its place governments and regional blocs will attempt to standardize these norms at national and regional levels.
This increased government involvement will undermine the perception of a free and open Internet, resulting in a less predictable Internet for conducting business, a more complex regulatory and legislative environment, and reduced access to markets. It will be of the utmost importance to stay up-to-date with regulatory and legislative developments related to cyberspace across the jurisdictions the organization operates in. This is no easy feat as these approaches become more localized. Organizations should prepare now by creating partnerships for information sharing and engaging in multi-stakeholder governances processes to share intelligence.
Mobile Apps Become Main Route for Compromise
Smartphones will be the motherboard for the Internet of Things (IoT), creating a prime target for malicious actors. The rapid uptake of Bring Your Own Device (BYOD) and the introduction of wearable technologies to the workplace will increase an already high demand for mobile apps for work and home. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and thorough testing in favor of speed of delivery and low cost, resulting in poor quality products more easily hijacked by criminals or hacktivists.
Organizations should be prepared to embrace the increasingly complex IoT and understand what it means for them. CISOs should be proactive in preparing the organization for the inevitable by ensuring that apps developed ‘in-house’ follow the testing steps in a recognized systems development lifecycle approach. They should also be managing user devices in line with existing asset management policies and processes, incorporating user devices into existing standards for access management and promoting education and awareness of BYOD risk in innovative ways.
Big Data, Supply Chains and Information Security
Moving forward, organizations of all sizes will increasingly make important business decisions based on data analytics. Their failure to respect the human element of data analytics, however, will put the organization at risk of overvaluing big data output. Poor integrity of the information sets used can mean their analysis leads to bad business decisions, missed opportunities, brand damage and lost profits.
For the information security department, big data analytics could help identify cyber-criminal or state-sponsored zero-day attacks. Modern malware and attacks often rely on stealth and the element of surprise, which makes them increasingly successful even against state of the art anti-malware solutions. As a result, many of the anti-malware vendors are using big data analytics to analyze malware reports and associated network traffic in an effort to identify and mitigate malware campaigns as they occur.
In terms of supply chain security, big data analytics has the potential to profile or identify suppliers by scanning sources such as contracts, service level agreements, procurement and vendor management databases, connectivity logs, invoices, delivery and shipping notes, payment records and expense records. Big data analytics can create an overarching view of supply chain security by analyzing high-risk suppliers’ security data such as that held in suppliers’ network logs, event management databases or intrusion detection systems. It can also compare suppliers across different dimensions of information security risk.
Pressure is mounting on businesses to embrace big data because of the enormous insights and competitive advantage it can provide. Since we’re still in the early days, we have not yet seen a tremendous amount of external requirements mandating businesses to assure information integrity. However, the sheer scale of information processed by businesses remains on the increase and with big data analytics bringing business decisions closer and closer to raw data, the quality of information has become increasingly important.
Internet transactions rely on encryption to provide confidentiality of information and non-repudiation. However, encryption will prove not to be the security panacea previously assumed. The cracks are already visible with revelations that US and UK intelligence agencies can break many forms of encryption algorithms and rumors that backdoors exist in widely used systems and software.
Businesses should prepare themselves by identifying their most sensitive assets and preparing appropriate solutions for protecting them. All data is not created equal, and so neither should their protections be the same. They should reinforce basic information security arrangement. This means understanding what and where the most critical information assets are and their key vulnerabilities and the main threats against them. Standards and controls should be in place to mitigate the associated risks to these assets.
Information Security Fails to Work with New Generations
As they move into the workplace, members of Generation Y and Z will offer fresh and innovative ideas that will change ways of working and conducting business. Their approaches to information security and privacy will certainly challenge traditional models as they are the first generations raised in the digital age to enter the workplace. They’ve lived their lives on the Internet, sharing vast amounts of personal information in cyberspace, and communicating with friends and colleagues via social media and networking outlets rather than email. Unchallenged, these generations approach information security and privacy in a way that is starkly at odds with traditional models.
Organizations that are proactive in understanding how the newer generations work will be better placed to get ahead of the curve and the competition. A few recommendations I have would be for organizations of all sizes to understand that the new generations’ approach to work, socializing and privacy are vastly different from previous generations’ and that they won’t fit with traditional security models. They should adapt existing policies and procedures to engage with generations Y and Z and foster an information security culture to promote awareness.
For Every Action, There Is an Equal and Opposite Reaction
The first action businesses must take is to re-examine the assumptions the organization has made about the Internet and adapt their cyber resilience to this new paradigm. For example, one of the threats describes how a key component of Internet security – encryption – may fail to hold up. This points to the need to do this immediately. Waiting for the hammer to fall is not advisable.
Secondly, resilience to ongoing threats of operating in cyberspace must be reassessed regularly as:
- Cybercriminals are still well ahead of information security professionals. The bad guys are getting better at what they do faster than ever before, while the good guys often struggle merely to respond. The situation is made worse by cybercriminals having no budget restrictions, nor having to conform to legislation or comply with regulations – an increasing burden for organizations.
- The cost of investigating, managing and containing incidents will rise as they grow more complex and regulators’ demands increase.
- The insider threat will continue to challenge organizations, because people will remain the weakest link in information security. Whether it is through deliberate or inadvertent actions, organizations will still face threats from within.
Finally, it’s highly unlikely that governments will clean up the mess they’ve made before 2016. For this reason, organizations need to give immediate consideration to additional actions they may wish to take to counter possible impacts from the recent disclosures.
Effective management of information risk has never been more critical. Information risk management has been elevated to a board-level issue that should be given the same level of attention afforded to operational risk management and other established risk management practices. Organizations of all sizes are facing a wide range of challenges today, including the insatiable appetite for speed and agility, the growing importance of the full supply chain, and the mounting dependence on diverse technologies.
Businesses need to ensure they are fully prepared to deal with these ever-emerging information security challenges by equipping themselves better to deal with attacks on their reputations. This may seem obvious, but the faster you can respond to these problems, the better your outcomes will be.