Dangers Accelerate: Increasing Global Threats Loom Over Information Security Landscape

Thursday, March 19, 2015

Steve Durbin

D36d0936f0c839be7bf2b20d59eaa76d

The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of today’s most trusted organizations. Attackers have become more organized, attacks are more refined, and all threats are more dangerous, and pose more risks, to an organization’s reputation than ever before. In addition, brand reputation and the trust dynamic that exists amongst suppliers, customers and partners have become very real targets for cybercriminals and hacktivists. 

With the security threat landscape rapidly evolving on a daily basis, too many times organizations of all sizes are getting left behind. Often times they’re left in the wake of reputational and financial damage. At the Information Security Forum (ISF), we recently released Threat Horizon 2017, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world. In Threat Horizon 2017, we highlighted the top nine emergingthreats, as determined by our research, to information security over the next two years.

Let’s take a look at these threats and what they mean for your organization:

Increased Connectivity Speeds Present Issues in Organizational Response Time

Reasonably-priced gigabit connectivity will become widely available to supply the growing demands of devices and users, providing speeds up to 100 times faster than current services in most countries. This will be a dramatic leap forward, increasing both data volume and velocity and providing new business opportunities. As billions of devices are connected, there will be more ‘data in flight’ that must be managed. Conventional malicious use will increase rapidly, resulting in cascading failures between sectors. It will enable new and previously impracticable avenues for destructive activity online, increasing financial and reputational liabilities and overwhelming traditional defenses.

Criminal Organizations Become More Structured and Sophisticated

Criminal organizations will become more sophisticated, mature internally and migrate their activities online at greater pace. They will develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some of these organizations will have roots in existing criminal structures, while others will be new and focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the effects will be felt around the world.

Widespread Social Unrest Breaks Out Led by ‘Tech Rejectionists’

In response to record levels of socio-economic inequality, widespread social unrest will break out in countries around the world, led by ‘tech rejectionists’. Rejectionists will dismiss the benefits of technology-enabled globalization, pointing instead at the social and economic costs shouldered by those who are not among the economic elite. They will express themselves through protests, boycotts, strikes and violence, causing significant disruption to local and regional economies. Organizations with supply chains and investments in the affected regions will be caught in this chaos and forced to respond at short notice in order to avoid financial and reputational exposure.

Dependence on Cri­tical Infrastructure Becomes Dangerous

Following several large cascading failures, hidden dependencies on digitally connected critical infrastructure will become transparent. Aging, poorly maintained and highly complex infrastructure will be exposed as internal systems are shown to be accessible from the public Internet. Infrastructure on which whole societies depend will be subjected to attacks and accidents that require significant resources and time to remediate. This will force governments and regulators to take a much closer look at critical infrastructure and the extent to which it is dangerously exposed. Many organizations will be caught unprepared for both the attacks and new regulations. As a consequence, they will be forced to update their resilience and invest in technology transformation programs.

Malicious Agents Weaponize Systemic Vulnerabilities

Targeted exploitation of widely distributed and homogenous technologies will occur frequently. This will have implications for the normal functioning of the Internet and the wider global economy. Malicious actors will weaponize systemic vulnerabilities in this ‘technology monoculture’, threatening the integrity of Internet infrastructure. Targets include government, critical infrastructure and other organizations of interest for economic and political reasons. This will force organizations to both invest in resilience and re-evaluate their technology strategies.

Legacy Technology Crumbles

Organizations will continue to prolong the life of their aging and unsupported hardware and software in an attempt to delay the costs of expensive technology transformation programs. As digital connectivity inside and between organizations grows, legacy technology will be further exposed to attackers and a greater likelihood of accidents, resulting in damage exceeding anything that has come before. This will prompt a re-evaluation of ageing technology, particularly where maintenance is increasingly cost prohibitive. Modernization will be required to replace backlogs of legacy technology. The challenge will be to keep pace.

Disruption to Digital Systems Leads to Verifiable Human Deaths

Disruption to digital systems will lead to verifiable human deaths, after a long existence in the realm of science fiction.  Most of these deaths will be caused by failures in cyber-physical systems. Some of the first deaths will be caused by accidents with smart and self-guided cars, as well as degradation to GPS causing fatal disruption to air, naval and ground transport systems. This will be followed by hacking of Wi-Fi enabled medical devices and attacks on hospital networks including life support devices and surgery suites. There will be only a handful of deaths initially but they will generate far more attention than conventional causes of mortality. This will make it difficult for organizations to accurately assess cyber-physical risks and plan proportionate responses.

Global Consolidati­on of Organizations Endangers Competition and Security

Leading organizations, such as Google, Amazon, Facebook and Apple will continue to expand into increasingly connected regions, solidifying their commercial dominance globally. This will raise regulatory concerns for governments and organizations that are wary of the consolidated power of information companies and the monopolistic power they wield. This will be compounded by post-Snowden security concerns and US-based companies in particular will have to work harder to win the trust of potential international customers. Inevitably, security concerns will arise from heavy commercial and societal dependence on single-source providers and single points of failure.

Cost and Scale of Data Breaches Increases Drama­tically             

The number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. The first billion-person data breach will finally happen and be ruinously expensive for the company at fault. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Angry customers will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. The resulting mess of international regulations will create new compliance headaches for organizations while doing little to deter attackers.

Next Steps to Prepare for Threats on the Horizon

The nine threats listed above expose the dangers that should be considered most prominent.  They have the capacity to transmit their impact through cyberspace at break-neck speeds, particularly as the use of the Internet spreads. As a result, many organizations will struggle to cope as the pace of change intensifies.  Consequently, at least until a conscious decision is taken to the contrary, the threats should appear on the radar of every organization, both small and large.

So…what can you do to better prepare?

Apply Information Security Best Practices

Those who have already studied the security threats detailed above will have identified a number of key threads running throughout. These include complexity, connectivity, advances in technology and the dependence on supply chains. In the same way, the recommendations and tips have their own threads, all of which already form a major part of information security best practices.

For example:

  • Organizations of all sizes must apply a rigorous information risk assessment approach to all risks: for example, by using the ISF’s Information Risk Assessment Methodology, IRAM
  • Businesses should focus on resilience arrangements to be clear on what needs to happen should an incident occur
  • Ensure robust Business Contingency Plans are in place and have been rehearsed

Align Business and Security Strategy

Today’s Chief Information Security Officers (CISOs) need to lead and drive engagement with the Board of Directors (BoD) – and start by changing the conversation. They must translate the complex world of information security and information risk into understandable business issues and solutions. CISOs must also change their way of thinking and the resulting conversation, so that information risk can be considered alongside other risks that boards oversee.

A thorough understanding of what happened and why it is necessary to properly understand and respond to underlying risks, is needed by all members of an organization’s BoD. Without it, risk analyses and resulting decisions may be flawed, leading organizations to take on greater risk than intended. When boards and CISOs engage successfully, organizations are more likely to realize the benefits of their strategic initiatives.

With cyberspace increasingly critical to every aspect of business, from supply chain management (SCM) to customer engagement, holding back adoption, or disconnecting altogether, is no longer realistic. All this makes it vital for governments and enterprises to build up cyber resilience. This can be achieved through a proportional approach that balances the need to protect organizations and individuals with the need to enable free, legitimate trade and communications.

The commercial, reputational and financial risks that go with cyberspace are real and growing every day. In the drive to become cyber resilient, organizations need to extend their risk management focus from pure information confidentiality, integrity and availability to include other risks, such as those to reputation and customer channels, and recognize the unintended business consequences from activity in cyberspace.

Prepare, Engage and Take Action Against Emerging Threats

Organizations of all sizes will continue to accelerate their unrelenting pursuit of competitive advantages from technological innovations. However, they should also prepare and take action against the emerging security threats that may come into play as a result. As dangers accelerate, disciplined and widespread commitment will be needed to ensure that practical plans are in place to deal with major changes the future could bring. Employees at every level of the organization will need to be involved, including board members and managers in non-technical roles.

Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organizations need to be fully aware of the each of the important trends that have emerged or shifted in the past year, as well as those listed above that they should prepare for in the years to come.

13518
Cloud Security General HIPAA PCI DSS General Infosec Island Firewalls IDS/IDP Network Access Control Network->General SCADA Budgets Enterprise Security Policy Security Awareness Security Training General Impersonation Phishing Phreaking Privacy Vulnerabilities Webappsec->General General PDAs/Smart Phones
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.