Cybercriminals are becoming more sophisticated and collaborative with every coming year. To combat the threat in 2015, information security professionals must understand these five trends.
In information security circles, 2014 has been a year of what seems like a never-ending stream of cyberthreats and data breaches, affecting retailers, banks, gaming networks, governments and more.
The calendar year may be drawing to a close, but we can expect the size, severity and complexity of cyberthreats to continue increasing, says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members.
Looking ahead to 2015, Durbin says the ISF sees five security trends that will dominate the year.
"For me, there's not a huge amount that's spectacularly new," Durbin says. "What is new is the increase in complexity and sophistication."
1. Cybercrime
The Internet is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks, Durbin says.
Today's cybercriminals primarily operate out of the former Soviet states. They are highly skilled and equipped with very modern tools — as Durbin notes, they often use 21st century tools to take on 20th century systems.
"In 2014 we saw cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organizations unawares," Durbin says.
"In 2015, organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high-impact events," he adds. "Cybercrime, along with the increase in online causes (hacktivism), the increase in cost of compliance to deal with the uptick in regulatory requirements coupled with the relentless advances in technology against a backdrop of underinvestment in security departments, can all combine to cause the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen."
2. Privacy and Regulation
Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of Personally Identifiable Information (PII), with penalties for organizations that fail to sufficiently protect it. As a result, Durbin notes, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and loss of customers due to privacy breaches.
The patchwork nature of regulation around the world is likely to become an increasing burden on organizations in 2015.
"We are seeing increasing plans for regulation around the collection, storage and use of information, along with severe penalties for loss of data and breach notification, particularly across the European Union," Durbin says. "Expect this to continue and develop further, imposing an overhead in regulatory management above and beyond the security function and necessarily including legal, HR and Board-level input."
He adds that organizations should look upon the EU's struggles with data breach regulation and privacy regulation as a temperature gauge and plan accordingly.
"Regulators and governments are trying to get involved," he says. "That's placing a bigger burden on organizations. They need to have resources in place to respond and they need to be aware of what's going on. If you've got in-house counsel, you're going to start making more use of them. If you don't, there's a cost."
3. Threats From Third-Party Providers
Supply chains are a vital component of every organization's global business operations and the backbone of today's global economy. However, Durbin says, security chiefs everywhere are growing more concerned about how open they are to numerous risk factors. A range of valuable and sensitive information is often shared with suppliers, and when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.
Even seemingly innocuous connections can be vectors for attack. The attackers who cracked Target exploited a web services application that the company's HVAC vendor used to submit invoices.
"Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability," Durbin says. "Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets."
Durbin adds that infosec specialists should work closely with those in charge of contracting for services to conduct thorough due diligence on potential arrangements.
"It is imperative that organizations have robust business continuity plans in place to boost both resilience and senior management's confidence in the functions' abilities," he says. "A well-structured supply chain information risk assessment approach can provide a detailed, step-by-step approach to portion an otherwise daunting project into manageable components. This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise."
4. BYOx Trends in the Workplace
The bring-your-own (BYO) trend is here to stay whether organizations like it or not, Durbin says, and few organizations have developed good policy guidelines to cope.
"As the trend of employees bringing mobile devices, applications and cloud-based storage and access into the workplace continues to grow, businesses of all sizes are seeing information security risks being exploited at a greater rate than ever before," he says. "These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications."
He notes that if you determine the BYO risks are too high for your organization today, you should at least make sure to stay abreast of developments. If you decide the risks are acceptable, make sure you establish a well-structured BYOx program.
"Keep in mind that if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to loss of boundary between work and personal data and more business information being held and accessed in an unprotected manner on consumer devices," he adds.
And realistically, Durbin says, expect that your users will find a way to use their own devices for work even if you have a policy against BYOx.
"It's a bit like trying to hold back the tide," he says. "You may stop it from coming onto one little bit of sand, but it will find a way around it. The power of the user is just too great."
5. Engagement With Your People
And that brings us full circle to every organization's greatest asset and most vulnerable target: people.
Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach, Durbin says, was to take their biggest asset — people — and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.
But this has been — and will continue to be — a losing proposition, Durbin says. Instead, organizations need to make positive security behaviors part of the business process, transforming employees from risks into the first line of defense in the organization's security posture.
"As we move into 2015, organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that affect risk positively," Durbin says. "The risks are real because people remain a 'wild card.' Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure 'the human element' of information security. In essence, people should be an organization's strongest control."
"Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in 'stop and think' behavior becoming a habit and part of an organization's information security culture," Durbin adds. "While many organizations have compliance activities which fall under the general heading of 'security awareness,' the real commercial driver should be risk, and how new behaviors can reduce that risk."