2016-01-28

Cyber security continued to step into the public eye in 2015 with numerous high-profile data breaches at major, global organizations. As we move into 2016, cyber-attacks will continue to become more innovative and sophisticated. Unfortunately, while organizations are developing new security mechanisms, cybercriminals are cultivating new techniques to sidestep them.

Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will impact business reputation and shareholder value.

After reviewing the current threat landscape, there are five prevalent security threats that we at the Information Security Forum believe businesses need to prepare for in 2016. These include, but are not limited to, the unintended consequences of state intervention, Big Data, mobile applications and the Internet of Things (IoT), cybercrime and the growing skills gap in the information security industry.

Let’s take a quick look at each:

1. The IoT Adds Unmanaged Risks

Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. Fines for data breaches will increase. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines. Organizations that get on the front foot now and prepare for stricter data breach laws with bigger fines for non-compliance will find themselves ahead of the curve and in customers’ good graces. They’ll also make better business decisions along the way.

The IoT will also transform supply chain leaders' access to information, as well as the exposure of operations to cyber-risk. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your business. Brand management and brand reputation depend on the security of your supply chain, and thus both are constantly at stake. Businesses must focus fixes on the most vulnerable spots in their supply chain now, before hackers or other cybercriminals find their way in to disrupt the global distribution of goods and services.

When it comes to corporate communications, the primary way that many connected devices communicate is via the cloud. Organizations need to understand that putting private information into the cloud creates risk that must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. In moving their sensitive data to the cloud, all organizations must know whether the information they hold about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.

Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of PII, with penalties for organizations who fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and loss of customers due to privacy breaches. With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

2. Cybercrime Causes the Perfect Threat Storm

Cybercrime, along with the increase in hacktivism, the surge in the cost of compliance to deal with the uptick in regulatory requirements, and the relentless advances in technology against a backdrop of under-investment in security departments, can all combine to cause the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case for investing in resilience, thereby minimizing the impact of the unforeseen.

But establishing cyber security alone is not enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any damaging impacts of cyberspace activity.

Cybercrime often involves sophisticated, targeted attacks against an organization, and additional security measures are required to respond to specific cybercrime-related attacks and to put in place cyber resilience programs that anticipate uncertainty. There is an ever increasing need for a prepared and comprehensive rapid-response capability, as organizations will continue to be subject to cyber-attacks regardless of their best efforts to protect themselves.

Cyber resilience anticipates a degree of uncertainty: it’s difficult to undertake completely comprehensive risk assessments about participation in cyberspace. Cyber resilience also recognises the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, as organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.

3. Mobility Concerns

Smartphones are creating a prime target for malicious actors. The rapid uptake of BYOD, and the introduction of wearable technologies to the workplace, will increase an already high demand for mobile apps for work and home in the coming year. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and thorough testing in favor of speed of delivery and low cost, resulting in poor quality products more easily hijacked by criminals or hacktivists.

As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

Mobile device risk in the workplace rests on one fundamental factor: ownership of the device. Employees who bring their own devices expose the organization to different behaviors and thwart long-established organizational controls when it comes to managing the associated risk. The fact that the employee, not the organization, owns the device has consequences that many organizations have yet to understand, or lack the proper resources to address.

Some employee tablet or smartphone activities would be entirely unacceptable if the devices were owned by the organization. For example, the device may be taken to an unsuitable location where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or have any number of personal applications installed on it. Devices, especially small form-factor phones and tablets, can easily be lost. If the device contains sensitive organizational data, or can connect to a corporate network to access such data, these behaviors greatly increase the risk of compromising an organization’s information.

Time is critical, and businesses need to formulate a response to the growing trend of mobile devices in the workplace with a sense of urgency. Focusing on the organization’s information as the guiding principle for considering risk as part of a BYOD program can bring a great deal of clarity to decision-making, as it facilitates the definition of device-agnostic solutions which could be re-used for other BYOD deployments. This approach must be tempered against the willingness of executives to increase their risk appetite to enable BYOD.

4. Skills Gap Becomes an Abyss for Information Security

A maturing information security field and more sophisticated cyber-attack capabilities will demand skilled information security professionals who are increasingly scarce. Cybercriminals and hacktivists are increasing in numbers and deepening their skillsets. The ‘good guys’ are struggling to keep pace. Where will these resources and skillsets come from? CISOs need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organization’s cyber resilience.

In 2016, the skills gap will deepen as hyper-connectivity increases. CISOs should prepare to build information security capabilities across the organization and position the executive team to recognize and retain talent, both those who have come up through the ranks and newer employees who have worked in digital environments and business roles. Moving forward, there will be a need to be more aggressive about acquiring the skill sets that the organization needs. While the industry continues to attract the right level of interest, and while businesses continue to work with universities and to pass needed legislation, the industry as a whole must realize that there is a skills gap problem that needs to be resolved.

5. Governments and Regulators Won’t Do it For You

Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.

Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. In order to determine what cross-border transfers will occur with a particular cloud-based system, an organization needs to work with their cloud provider to determine where the information will be stored and processed.

Additionally, conflicting official involvement in cyberspace will create the threat of collateral damage and have unforeseen implications and consequences for all organizations reliant on it. Varying regulation and legislation will restrict activities whether or not an organization is the intended target. Even organizations not implicated in wrongdoing will suffer collateral damage as authorities police their corner of the Internet.

Moving forward, it will be about organizations understanding what governments are able to ask for and being open about that with partners. In the past, we didn't have this kind of openness.

The Need to Engage with the Board

The role of the C-Suite has undergone significant transformation over the last decade. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization (ostensibly among the victims of the crime) will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.

The executive team sitting at the top of an organization has the clearest, broadest “big picture” view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber security will be unmanageable. Covering all the bases (defense, risk management, prevention, detection, remediation and incident response) is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.

Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.

Information Risk Assessment Methodology

With the explosion of digital information, it’s not possible for organizations to protect all their information and associated systems to the same level. In addition, threats aren’t monolithic; they vary immensely in origin, intent, strength, and a multitude of other factors. While much has been written on this subject, there are few methodologies that provide an end-to-end approach to presenting a business-focused view of information risk.

That is, until now.

At the Information Security Forum, we recently introduced our Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes, with each of its six phases detailing the steps and key activities required to achieve the phase objectives, while also identifying the key information risk factors and outputs.

The six IRAM2 phases are:

1. Scoping
2. Business Impact Assessment
3. Threat Profiling
4. Vulnerability Assessment
5. Risk Evaluation
6. Risk Treatment

Threats, threat events, vulnerabilities and potential impacts are not necessarily static. Practitioners and key stakeholders therefore need to review risks on a regular basis, as well as whenever any contributing factor in the organization or its environment significantly changes.

As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.

The Time is Now: Get Prepared…or Be Prepared to Get Left Behind

Today, the stakes are higher than ever before, and we’re not just talking about personal information and identity theft anymore. High level corporate secrets and critical infrastructure are constantly under attack and organizations need to be aware of the emerging threats that have shifted in the past year, as well as those that they should prepare for in 2016.

Organizations of all sizes are operating in a progressively cyber-enabled world and traditional risk management isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates the threat vectors from a position of business acceptability and risk profiling.

From cyber to insider threats, organizations have varying degrees of control over evolving security risks. With the speed and complexity of the threat landscape changing on a daily basis, far too often we see businesses getting left behind, sometimes in the wake of reputational and financial damage. Businesses must take stock now in order to ensure that they are prepared and engaged to deal with these ever-emerging challenges.

While it would be nearly impossible for businesses to avoid every serious incident, few have a mature, structured approach for analyzing what went wrong. By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately. This will be of the highest importance in 2016 and beyond.

Copyright 2010 Respective Author at Infosec Island
