In information security circles, 2014 has been a year of what seems like a never-ending stream of cyberthreats and data breaches, affecting retailers, banks, gaming networks, governments and more.
The calendar year may be drawing to a close, but we can expect that the size, severity and complexity of cyber threats to continue increasing, says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members.
Looking ahead to 2015, Durbin says the ISF sees five security trends that will dominate the year.
"For me, there's not a huge amount that's spectacularly new," Durbin says. "What is new is the increase in complexity and sophistication."
The Internet is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks, Durbin says.
Today's cybercriminals primarily operate out of the former Soviet states. They are highly skilled and equipped with very modern tools -- as Durbin notes, they often use 21st century tools to take on 20th century systems.
"In 2014 we saw cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organizations unawares," Durbin says.
"In 2015, organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events," he adds. "Cybercrime, along with the increase in online causes (hacktivism), the increase in cost of compliance to deal with the uptick in regulatory requirements coupled with the relentless advances in technology against a backdrop of under investment in security departments, can all combine to cause the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen."
2. Privacy and Regulation
Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of Personally Identifiable Information (PII), with penalties for organizations that fail to sufficiently protect it. As a result, Durbin notes, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and loss of customers due to privacy breaches.
The patchwork nature of regulation around the world is likely to become an increasing burden on organizations in 2015.
"We are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification particularly across the European Union," Durbin says. "Expect this to continue and develop further imposing an overhead in regulatory management above and beyond the security function and necessarily including legal, HR and Board level input."
He adds that organizations should look upon the EU's struggles with data breach regulation and privacy regulation as a temperature gauge and plan accordingly.
"Regulators and governments are trying to get involved," he says. "That's placing a bigger burden on organizations. They need to have resources in place to respond and they need to be aware of what's going on. If you've got in-house counsel, you're going to start making more use of them. If you don't, there's a cost."
3. Threats From Third-Party Providers
Supply chains are a vital component of every organization's global business operations and the backbone of today's global economy. However, Durbin says, security chiefs everywhere are growing more concerned about how open they are to numerous risk factors. A range of valuable and sensitive information is often shared with suppliers, and when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.
Even seemingly innocuous connections can be vectors for attack. The attackers who cracked Target exploited a web services application that the company's HVAC vendor used to submit invoices.
"Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability," Durbin says. "Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations. And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets."
Durbin adds that infosec specialists should work closely with those in charge of contracting for services to conduct thorough due diligence on potential arrangements.
"It is imperative that organizations have robust business continuity plans in place to boost both resilience and senior management's confidence in the functions' abilities," he says. "A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components. This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise."
4. BYOx Trends in the Workplace
The bring-your-own (BYO) trend is here to stay whether organizations like it or not, Durbin says, and few organizations have developed good policy guidelines to cope.
"As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace continues to grow, businesses of all sizes are seeing information security risks being exploited at a greater rate than ever before," he says. "These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications."
He notes that if you determine the BYO risks are too high for your organization today, you should at least make sure to stay abreast of developments. If you decide the risks are acceptable, make sure you establish a well-structured BYOx program.
"Keep in mind that if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to loss of boundary between work and personal data and more business information being held and accessed in an unprotected manner on consumer devices," he adds.
And realistically, Durbin says, expect that your users will find a way to use their own devices for work even if you have a policy against BYOx.
"It's a bit like trying to hold back the tide," he says. "You may stop it from coming onto one little bit of sand, but it will find a way around it. The power of the user is just too great."
5. Engagement With Your People
And that brings us full circle to every organization's greatest asset and most vulnerable target: people.
Over the past few decades, organizations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach, Durbin says, was to take their biggest asset -- people -- and change their behavior, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.
But this has been -- and will continue to be -- a losing proposition, Durbin says. Instead, organizations need to make positive security behaviors part of the business process, transforming employees from risks into the first line of defense in the organization's security posture.
"As we move into 2015, organizations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviors that a?ect risk positively," Durbin says. "The risks are real because people remain a 'wild card.' Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure 'the human element' of information security. In essence, people should be an organization's strongest control."
"Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in 'stop and think' behavior becoming a habit and part of an organization's information security culture," Durbin adds. "While many organizations have compliance activities which fall under the general heading of 'security awareness,' the real commercial driver should be risk, and how new behaviors can reduce that risk."