Five information security trends that will dominate 2015

To combat the threat in 2015, information security professionals must understand these five trends

In information security circles, 2014 has been a year of what seems like a never-ending stream of cyberthreats and data breaches, affecting retailers, banks, gaming networks, governments and more.

The calendar year may be drawing to a close, but we can expect the size, severity and complexity of cyber threats to continue increasing, says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members.

Looking ahead to 2015, Durbin says the ISF sees five security trends that will dominate the year.

"For me, there's not a huge amount that's spectacularly new," Durbin says. "What is new is the increase in complexity and sophistication."

1. Cybercrime

The Internet is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks, Durbin says.

Today's cybercriminals primarily operate out of the former Soviet states. They are highly skilled and equipped with very modern tools -- as Durbin notes, they often use 21st century tools to take on 20th century systems.

"In 2014 we saw cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organisations unawares," Durbin says.

"In 2015, organisations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events," he adds.

"Cybercrime, along with the increase in online causes (hacktivism), the increase in cost of compliance to deal with the uptick in regulatory requirements coupled with the relentless advances in technology against a backdrop of under investment in security departments, can all combine to cause the perfect threat storm.

"Organisations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimising the impact of the unforeseen."

2. Privacy and regulation

Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of Personally Identifiable Information (PII), with penalties for organisations that fail to sufficiently protect it.

As a result, Durbin notes, organisations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and business costs such as reputational damage and loss of customers due to privacy breaches.

The patchwork nature of regulation around the world is likely to become an increasing burden on organisations in 2015.

"We are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification particularly across the European Union," Durbin says.

"Expect this to continue and develop further imposing an overhead in regulatory management above and beyond the security function and necessarily including legal, HR and Board level input."

He adds that organisations should look upon the EU's struggles with data breach regulation and privacy regulation as a temperature gauge and plan accordingly.

"Regulators and governments are trying to get involved," he says. "That's placing a bigger burden on organisations. They need to have resources in place to respond and they need to be aware of what's going on. If you've got in-house counsel, you're going to start making more use of them. If you don't, there's a cost."

3. Threats from third-party providers

Supply chains are a vital component of every organisation's global business operations and the backbone of today's global economy. However, Durbin says, security chiefs everywhere are growing more concerned about how open they are to numerous risk factors.

A range of valuable and sensitive information is often shared with suppliers, and when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.

Even seemingly innocuous connections can be vectors for attack. The attackers who cracked Target exploited a web services application that the company's HVAC vendor used to submit invoices.

"Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability," Durbin says.

"Organisations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their intellectual property, customer or employee information, commercial plans or negotiations.

"And this thinking should not be confined to manufacturing or distribution partners. It should also embrace your professional services suppliers, your lawyers and accountants, all of whom share access oftentimes to your most valuable data assets."

Durbin adds that infosec specialists should work closely with those in charge of contracting for services to conduct thorough due diligence on potential arrangements.

"It is imperative that organisations have robust business continuity plans in place to boost both resilience and senior management's confidence in the functions' abilities," he says.

"A well-structured supply chain information risk assessment approach can provide a detailed, step by step approach to portion an otherwise daunting project into manageable components. This method should be information-driven, and not supplier-centric, so it is scalable and repeatable across the enterprise."

4. BYOx trends in the workplace

The bring-your-own (BYO) trend is here to stay whether organisations like it or not, Durbin says, and few organisations have developed good policy guidelines to cope.

"As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace continues to grow, businesses of all sizes are seeing information security risks being exploited at a greater rate than ever before," he says.

"These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications."

He notes that if you determine the BYO risks are too high for your organisation today, you should at least make sure to stay abreast of developments. If you decide the risks are acceptable, make sure you establish a well-structured BYOx program.

"Keep in mind that if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to loss of boundary between work and personal data and more business information being held and accessed in an unprotected manner on consumer devices," he adds.

And realistically, Durbin says, expect that your users will find a way to use their own devices for work even if you have a policy against BYOx.

"It's a bit like trying to hold back the tide," he says. "You may stop it from coming onto one little bit of sand, but it will find a way around it. The power of the user is just too great."

5. Engagement with your people

And that brings us full circle to every organisation's greatest asset and most vulnerable target: people.

Over the past few decades, organisations have spent millions, if not billions, of dollars on information security awareness activities. The rationale behind this approach, Durbin says, was to take their biggest asset -- people -- and change their behaviour, thus reducing risk by providing them with knowledge of their responsibilities and what they need to do.

But this has been -- and will continue to be -- a losing proposition, Durbin says. Instead, organisations need to make positive security behaviours part of the business process, transforming employees from risks into the first line of defence in the organisation's security posture.

"As we move into 2015, organisations need to shift from promoting awareness of the problem to creating solutions and embedding information security behaviours that affect risk positively," Durbin says.

"The risks are real because people remain a 'wild card.' Many organisations recognise people as their biggest asset, yet many still fail to recognise the need to secure 'the human element' of information security. In essence, people should be an organisation's strongest control."

"Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviours that will result in 'stop and think' behaviour becoming a habit and part of an organisation's information security culture," Durbin adds.

"While many organisations have compliance activities which fall under the general heading of 'security awareness,' the real commercial driver should be risk, and how new behaviours can reduce that risk."

Stories by Thor Olavsrud