The Information Security Forum (ISF), a global, independent information security body considered the world's leading authority on cyber security and information risk management, has announced their outlook for the top four global security threats that businesses will face in 2017. Key threats for the coming year include:
- The Internet of Things (IoT) Adds Unmanaged Risks
- Crime Syndicates Take a Quantum Leap
- Government and Regulators Won’t Do It For You
- The Role of the End User – the Weakest or Strongest Link in the Security Chain
“The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations. In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target’s weak spots or threats mutating to take account of defenses that have been put in place,” said Steve Durbin, Managing Director of the ISF. “Cyberspace is the land of opportunity for hacktivists, terrorists, and criminals motivated to wreak havoc, commit fraud, steal information, or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high impact security events.”
The top four threats identified by the ISF for 2017 are not mutually exclusive and can combine to create even greater threat profiles. The most prevalent threats include:
The IoT Adds Unmanaged Risks
While the political, social and economic implications are not fully clear, gigabit connectivity represents a significant overnight leap forward. This will enable the IoT and a new class of applications to emerge that will “exploit the combination of big data, GPS location, weather, personal-health monitoring devices, industrial production and much more. Connectivity is now so affordable and prevalent that sensors are being embedded everywhere, increasing the flood of data and creating an ecosystem of embedded devices that are nearly impossible to secure. This will raise issues not just over privacy and data access, but also will expand the threat landscape exponentially, increasing the security burden for many organizations that are unaware of the scale and penetration of internet enabled devices that are deploying IoT solutions without due regard to risk management and security.
Crime Syndicates Take a Quantum Leap
Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide. Rogue governments will continue to exploit this situation and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.
Government and Regulators Won’t Do It For You
In 2017, the number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organizations while doing little to deter attackers.
With reform on the horizon, organizations conducting business in Europe, or those planning to do so must get an immediate handle on what data they are collecting on European individuals. They should also know where is it coming from, what is it being used for, where and how is it being stored, who is responsible for it and who has access to it. The demands of the incoming EU General Data Protection Regulation and the Network Information Security Directive will present significant data management challenges to the unprepared with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber attack or information loss.
The Role of the End User – The Weakest or Strongest Link in the Security Chain
In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that aﬀect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.
“With attackers more organized, attacks more sophisticated, and threats more dangerous, there are greater risks to an organization’s reputation than ever before. In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers, have become targets for cybercriminals and hacktivists,” said Durbin. “The stakes are higher than ever, and we’re no longer talking about merely personal information and identity theft. High level corporate secrets and critical infrastructure are regularly under attack and businesses need to be aware of the important trends that have emerged in the past year, as well as those we forecast in the year to come.”
The threats outlined above are included in the annual ISF Threat Horizon series of reports, aimed at both senior business executives and information security professionals. These reports are designed to help organizations take a proactive stance to security risks by highlighting challenges in the threat landscape and identifying how the confidentiality, integrity and availability of information may be compromised in the future. For more information, please visit the ISF website.