There are six security threats all businesses should be aware of for 2014, says ISF's Steve Durbin.
Cyber security stepped into the limelight in 2013 with numerous global cyber attacks, high-profile data breaches and the arrest of several prominent cyber criminals. Hacktivists evolved from the proverbial teenager in the bedroom into Anonymous and other online collectives, causing hundreds of millions of dollars in damage to a number of global organizations. Cyber criminals have evolved from lone agents into collaborators and competitors in what we call Malspace, a marketplace that satisfies every demand: from malicious software development, testing and quality control to target identification, payment and currency conversion, and money laundering.
As we move into 2014, cyber attacks will continue to become more innovative and sophisticated. Unfortunately, while organizations are developing new security mechanisms, cyber criminals are cultivating new techniques to circumvent them. Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events.
After reviewing the current threat landscape, the six most prevalent security threats for 2014 include: bring your own (BYO) trends in the workplace, data privacy in the cloud, brand reputational damage, privacy and regulation, cyber crime and the continued expansion of ubiquitous technology. These threats are not mutually exclusive and can combine to create even greater threat profiles. While they are not the only threats that will emerge over the course of the next year, they are the ones that businesses should be keeping a close eye on.
Let's take a quick look at each:
Bring your own (BYO) trends in the workplace
As the trend of employees bringing mobile devices, applications and cloud-based storage and access into the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications. If the BYO risks are too high for your organization today, stay abreast of developments. If the risks are acceptable, ensure your BYO program is in place and well structured. Keep in mind that, if implemented poorly, a personal device strategy in the workplace can lead to accidental disclosures as the boundary between work and personal data is lost and more business information is held and accessed in an unprotected manner on consumer devices.
Data privacy in the cloud
While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with the information security implications. In moving sensitive data to the cloud, every organization must know whether the information it holds about an individual is personally identifiable information (PII) and therefore needs adequate protection. Different countries' regulations impose different requirements on whether PII can be transferred across borders: some have no additional requirements, while others have detailed mandates. To determine which cross-border transfers will occur with a particular cloud-based system, an organization needs to work with its cloud provider to establish where the information will be stored and processed.
Brand reputational damage
Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risk to an organization's reputation. In addition, brand reputation and the trust dynamic among suppliers, customers and partners have emerged as very real targets for the cyber criminal and hacktivist. With the speed and complexity of the threat landscape changing daily, all too often we see businesses being left behind, sometimes in the wake of reputational and financial damage.
Privacy and regulation
Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of PII, with penalties for organizations that fail to protect it sufficiently. As a result, organizations need to treat privacy as both a compliance and a business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and the loss of customers following privacy breaches.
Cyber crime
Cyber space is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. In 2013, we saw cyber criminals demonstrating a higher degree of collaboration among themselves, with a degree of technical competency that caught many large organizations unawares. In 2014, organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events. Cyber crime, together with the rise of online causes (hacktivism), the increasing cost of complying with the uptick in regulatory requirements and the relentless advance of technology, all against a backdrop of under-investment in security departments, can combine to create the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case for investing in resilience, thereby minimizing the impact of the unforeseen.