10 Top Information Security Threats for the Next Two Years

The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that assesses security and risk management issues on behalf of its members — issues its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year horizon. What follows are the 10 biggest threats on the horizon through 2016 that your organization may have to manage and mitigate, along with commentary from Steve Durbin, the ISF’s global vice president.

Until recently, government espionage activities were mostly covert. But a series of revelations over the past year have forced details of many of these activities out into the open. That’s likely to encourage other nation states to get into the game, says Steve Durbin, global vice president of the Information Security Forum.

“State-backed [cyber] espionage is no longer limited to the Chinese and North Koreans; it’s now democratic states,” Durbin says. “I think that’s come as a shock to a number of people, and it changes the landscape significantly.”

The ISF recommends organizations respond by participating in threat intelligence sharing forums and building relationships within and across industry sectors. In addition, ensure appropriate information security knowledge and awareness is in place across your organization.

To exert control over the free-wheeling nature of the Internet, nation states have begun using filtering to prevent citizens from accessing undesirable content and they have begun exploring the use of sovereign networks to isolate their communications from foreign spies — essentially a local approach to Internet governance through which they hope to draw “geopolitical borders on the Internet,” Durbin says.

“It is going to be interesting to see just how the rhetoric around local or closed Internets ends up,” Durbin says. “Balkanized Internets do not really work as far as I’m concerned.”

ISF recommends coordinating and maintaining partnerships for information sharing across industry sectors to support cyber resilience, and engaging in external multi-stakeholder governance processes to share intelligence.

As authorities attempt to police their corner of the Internet, many organizations can expect to suffer collateral damage — like the blows to reputation many U.S. service providers have suffered as details of some NSA spying programs became public.

Durbin points to the U.S. Department of Justice’s shutdown of file-sharing site Megaupload in 2012 for illegal activities including copyright violations. But the action also blocked the sharing of more than 11 million legitimate files.

ISF recommends building resilience and implementing proportional security measures against this threat. It also suggests preparing a message for customers. For instance, Google recently released a video detailing how it seeks to protect users’ privacy and security when it is served U.S. search warrants.

Service providers are becoming a key vulnerability in supply chains that cybercriminals can exploit to target organizations indirectly.

“Today we’re sharing data with third-party providers and our supply chain,” Durbin says. “We need to understand and monitor the integrity of the supply chain, how the supply chain is collecting data on our behalf. Imagine if someone gets in and changes some of that data. There is a market for being able to slow your competitor down or get information before they do so you can get to market first.”

ISF recommends fostering strong working relationships with service providers with the aim of becoming partners, and understanding clearly which legal jurisdictions govern your organization’s information.

Data analytics can be a huge boon to your organization if leveraged properly, but basing strategic decisions on faulty or incomplete datasets can lead to disaster, Durbin says.

“The challenge from an organizational standpoint is to understand exactly where the information you are using comes from,” Durbin says. “You have to ensure you have adequate skillsets in place to validate the findings using multiple data types to test results.”

In addition to ensuring that your organization has the skillsets necessary to analyze big data, ISF also recommends outlining a process for applying big data analytics to the information security problem.

Mobile continues to be one of the most disruptive trends affecting the tech landscape today. But the rapid development cycle and lack of security considerations around mobile apps make them a prime target for cybercriminals and hackers seeking a way into the enterprise.

“More enterprise services are going to be run on a smartphone or mobile device,” Durbin says. “We know they are not the most secure devices. It’s easier for cyber criminals to get a route into the enterprise using them. We’re going to see more compromises coming in at that point.”

ISF recommends you incorporate user devices into existing standards for access management, and that you begin to promote education and awareness of BYOx (Bring Your Own Anything) risk in innovative ways.

Encryption has become the default approach to securing Internet interactions. But the increasing availability of massive amounts of computing power, combined with back doors in software, means you can no longer expect something to be secure simply because it’s encrypted. There’s no such thing as ultimate security, Durbin says. Encryption should be a component of a security plan, but not the entirety of it.

“Encryption is not the Nirvana we had hoped for. You need to examine the encryption you’re deploying and determine what other forms of protection you’re also going to put in place,” Durbin says.

ISF recommends classifying information to know where the sensitive assets are and identifying current cryptographic solutions you have deployed so you can determine a strategy for improving implementation.

For years, the CISO and other security professionals have been lone voices in the wild. But that’s changing. The CEO and other C-suite executives are coming around to the need for security.

“You have to thank Target for helping to get these messages across,” Durbin says. “Now, over the next six to 18 months, we’re going to see more corporate boards getting it. Now you’ve got to go off and do what you’ve been telling we need to do, which is secure the organization. I think the challenge for the CISOs will be to keep up with the challenges.”

ISF recommends building credibility by positioning the security function as a center of excellence and aligning the security function with the organization’s approach to risk management.

As organizations reach out for security professionals to help them fill key positions, people with the right skills will become increasingly scarce, Durbin says.

“The problem we’re starting to face is we’ve got a maturing information security group and at the same time a more sophisticated level of cyberattack capability getting developed,” Durbin says. “Organizations are going to have to find and retain people with the right skills and motivate them to perform. It’s moved away from being the guys who have primarily been focused on firewalls to people that know how to apply security skills to enterprise-based challenges.”

ISF recommends building out mentoring programs, external coaching opportunities and promoting from within. In addition, it recommends supporting external initiatives to develop and source new talent.

Millennials who have grown up in the digital age have a different view of security and privacy than preceding generations.

“We’ve got people who don’t know any other way of working other than collaborating electronically,” Durbin says. “They offer innovative ways of working that they’ve built up through the school systems. Some of their approaches to information security and privacy are at odds with the existing processes you find within many organizations. It’s unrealistic to tell people who have learned that they need to collaborate in cyberspace that ‘No, you can’t do that.’ How do we adapt to new generations?”

ISF recommends seeking to understand how new generations approach work, socializing and privacy and then adapting policies and procedures to engage with these generations.