As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.
"2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."
The ISF says the top four global security threats businesses will face in 2017 are the following:
- Supercharged connectivity and the IoT will bring unmanaged risks.
- Crime syndicates will take quantum leap with crime-as-a-service.
- New regulations will bring compliance risks.
- Brand reputation and trust will be a target.
"The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations," Durbin says. "In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target's weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events."
The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.
Supercharged connectivity and the IoT bring unmanaged risks
Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.
Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.
"The thing for me with 2017 is I describe it as an 'eyes-open stance' we need to take," Durbin says. "We're talking about devices that never ever had security designed into them, devices that are out there gathering information. It's relatively simple to hack into some of these things. We've seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they're designed to link."
Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That's not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.
"Critical infrastructure is one of the key worry areas," Durbin says. "We look at smart cities, industrial control systems — they're all using embedded IoT devices. We have to make sure we are aware of the implications of that."
"You're never going to protect the whole environment, but we're not going to get rid of embedded devices," he adds. "They're already out there. Let's put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices."
Crime syndicates take quantum leap with crime-as-a-service
For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they've been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.
"I originally described them as entrepreneurial businesses, startups," Durbin says. "What we're seeing is a whole maturing of that space. They've moved from the garage to office blocs with corporate infrastructure. They've become incredibly good at doing things that we're bad at: collaborating, sharing, working with partners to plug gaps in their service."
And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.
"They're interested in anything that can be monetized," Durbin says. "It doesn't matter whether it's intellectual property or personal details. If there is a market, they will go out and collect that information."
He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.
New regulations bring compliance risks
The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.
In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDP) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it's coming from, what it's being used for, where and how it's being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.
"The challenge in 2017 for organizations is going to be two-fold," Durbin says. "First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDP, how do you ensure compliance with that?"
"The scope of it is just so vast," he adds. "You need to completely rethink the way you collect and secure information. If you're an organization that's been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you're protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I've spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you're taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to."
Brand reputation and trust are a target
In 2017, criminals won't just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure has a bull's eye painted on it. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.
"With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization's reputation than ever before," Durbin says. "In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we're no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come."
While most information security professionals will point to people as the weakest link in an organization's security, that doesn't have to be the case. People can be an organization's strongest security control, Durbin says, but that requires altering how you think about security awareness and training.
Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop "stop and think" behavior and habits.
"2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain," Durbin says. "They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior."
Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.