In Pictures: 9 biggest information security threats for the next two years
Each year, the Information Security Forum, a nonprofit association that researches and analyzes security and risk management issues, releases its 'Threat Horizon' report to provide a forward-looking view of the biggest security threats over a two-year period. Here are the top 9 threats to watch for through 2017.
Threat Horizon report
The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that assesses security and risk management issues on behalf of its members —puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2017 that your organization may have to manage and mitigate.
Theme 1: Disruption divides and conquers
Technology disruption is generally seen as a good thing, leading to the creation of new markets and value networks. But this principle works as much for the bad guys as it does for everyone else, says Steve Durbin, managing director of the ISF.
"A lot of the threats we see now are enabled or created by technology," Durbin says. "We've always lauded disruptive innovation, but the good guys are not the only ones who can take advantage of this."
Supercharged connectivity overwhelms defenses
Reasonably priced and superfast gigabit connectivity has massive potential to open up new markets and opportunities for business, especially in areas like telepresence, entertainment and embedded devices. But that same superfast pipe opens up new opportunities for criminals.
"The challenge for organizations is how do you really deal with the whole issue of supercharged connectivity," Durbin says. "It's going to mean increased exposure to certain attacks and disruption."
To prepare for this threat, the ISF recommends you conduct robust resilience planning with your suppliers and identify and assess risks from embedded devices.
Crime syndicates take a quantum leap
Organized crime syndicates saw the potential of the Internet early and they have been developing their digital capabilities and migrating their activities online ever since. These attackers have big budgets, deep skillsets and highly sophisticated tools.
"They really are very efficient and effective at communicating with each other and building centers of excellence that try to take advantage of the fact that we do have such advanced technology these days," Durbin says. "This really does point squarely at the need for us to be communicating and collaborating much more effectively."
Organizations need to participate in private threat information sharing. Durbin also recommends prioritizing the protection of your highest-value information and evaluating the costs and benefits of cyber insurance.
Tech rejectionists cause chaos
In past decades, workers in the manufacturing sector have borne the brunt of job losses due to technological advances in automation and efficiency. Today that sort of automation is spreading far beyond the manufacturing sector. The socio-economic inequality that results is likely to lead to widespread social unrest that disrupts local economies and supply chains in the affected regions.
"We're concerned that within the next two years we're going to start seeing civil unrest emerging as a result of rapid technology advances," Durbin says. "Increasingly, individuals are valued for the skillsets they have, and if you have the wrong skillsets that is not a good place to be."
To prepare for this threat, the ISF recommends conducting threat assessments in regions where your organization could be targeted and reviewing your risk appetite to account for chaos and disruption to critical suppliers. It's also a good idea to consider your organization's global economic and social responsibility, Durbin says.
Theme 2: complexity conceals fragility
The Internet may have been originally developed as a resiliency measure, but we are today increasingly dependent on technology and networks to the point that attacks or failures in a few key areas could have devastating effects.
Dependence on critical infrastructure becomes dangerous
Many societies around the world are dependent on critical infrastructure, which is often aging and poorly maintained. Moreover, certain technologies often act as a lynchpin in multiple critical areas.
As an example, Durbin points to a study by the Department of Homeland Security in 2011 that found that of 15 critical infrastructure systems in the U.S., 11 relied upon GPS as a core component. A failure in that system could bring the whole thing crashing down. Another example is the attackers that hijacked the Associated Press's Twitter account in April 2013. The attackers used the account to tweet about a bogus explosion at the White House that injured the president, sending the stock market into freefall for about five minutes until the lie was exposed.
To prepare for this risk, ISF recommends updating your business continuity plans and conducting regular simulations. It also recommends assessing the impact of disruption to important infrastructure like cloud services.
Systemic vulnerabilities are weaponized
Pervasive technology monoculture will lead malicious actors to weaponized systemic vulnerabilities in software systems of individual technology companies, Durbin says. This threatens the integrity of the Internet infrastructure.
"For instance, Oracle can provide a wide range of applications that really do spread across a wide range of vertical markets and applications areas," Durbin says. "Targeting that provider is a concern here."
And it's not just Oracle, of course. The pervasive use of Apple iOS, Android, routers from Cisco and more means that a vulnerability in one of them could be exploited at a massive scale.
The ISF recommends broadening your risk assessments to include consideration of widely used technologies and suppliers. It also recommends updating your organizational response plans to systemic vulnerabilities.
Legacy technology crumbles
Organizations today are striving to extend the life of their technology, which means continuing to support legacy technologies. Increases in connectivity mean that legacy technology will be further exposed to attackers.
As an example, last year 95 percent of ATMs in the U.S. ran on the Windows XP operating system, even as Microsoft moved to end support for the OS, including security patches.
"The impact of some of these things could be an increased cost of maintenance," Durbin says. "That draws resources away from an already stretched IT security budget."
ISF recommends identifying and assessing your organizations exposure to legacy technology. You should also update your system architecture and plan for modernization.
Death from disruption to digital services
As more and more digital systems begin to control physical assets, it's only a matter of time before disruption of these systems -- for instance, transport or medical services -- lead to verifiable deaths. The resulting public pressure will force organizations to respond.
"In the U.K. alone, by 2017 the estimates are there will be five deaths attributed to cyber in some shape or form," Durbin says. "The point in this is not so much about the number, but as a business, as a vendor of services or materials, you do not want to be the organization that is responsible for one of those five deaths."
ISF recommends you assess your exposure to and liabilities of cyber-physical systems and revise your corporate communication and crisis response mechanisms.
Theme 3: Complacency bites back
Organizations have become too complacent today, Durbin says. They are not paying enough attention to threats concealed by international borders.
Global consolidation endangers competition and security
Large-scale information providers, like Google, are continuing to expand into markets all around the world. Their dominant position and lack of commercial competition makes customers vulnerable to potential service disruptions and failures, Durbin says. Platform markets are another example. The Apple iOS ecosystem today fuels a whole range of businesses from app producers to payment networks, making all of them vulnerable to disruption of the Apple ecosystem.
ISF recommends identifying and assessing the risk from dominant providers where there are few alternatives. It also recommends exploring diversifying the suppliers of critical services.
Impact of data breaches increases dramatically
Despite the fact that the number of data breaches and damage caused by them continues to rise, organizations are becoming complacent.
"Companies are becoming more and more complacent about dealing with data breaches," he says. "We've become anaesthetized. We know there isn't a long-term impact on stock price."
In the short term, he says, a massive data breach may cause you to take a hit in the market, but if you can ride that out, the long-term effect on your stock price is likely to be nil. Still, groups like the European Union are coming out with regulations around personally identifiable information (PII) backed up by fines with teeth. New developments in legislation and regulations are likely to catch your organization out unless you shake off the complacency.
ISF recommends reviewing all potential jurisdictional liabilities based on the location and volume of data handled. It also recommends ensuring that liabilities for data breaches are clearly stated in supplier contracts.