Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, cause disruption or even bring down corporations and governments through online attacks.
With new technical vulnerabilities being discovered every day, it has never been more important for businesses to assess and understand their critical infrastructure in an increasingly connected environment. Organizations need to be aware that cyber-criminal syndicates are ahead of the game, finding sophisticated new ways to reach an organization’s "crown jewels", often through its networks.
Information Security Breaches are Increasing
The capacity for disruptive innovation among technology entrepreneurs is a well-regarded quality, but they are not the only ones known for constantly upsetting traditional procedure. Hackers and organized criminals continue to hone their capabilities and attacks, hiding their online activity in a flood of data and overwhelming or subverting organizational defenses.
PwC recently highlighted a number of cyber security issues that should be of concern in today’s connected society. Furthermore, according to the Ponemon Institute’s 2015 Cost of Data Breach Study, the average consolidated total cost of a data breach is $3.8 million. Each of these findings validates the importance of having a business process in place for cyber security preparedness.
Just as privacy has developed into a highly regulated discipline, the same is happening for data breaches, including those originating in the Internet of Things (IoT) environment. Not only is the number of breaches increasing, but so are the fines for data breaches. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines.
Organizations that get on the front foot now and prepare for stricter data breach laws with bigger fines for non-compliance will find themselves ahead of the curve and in customers’ good graces. They’ll also make better business decisions along the way.
Cybercrime Has a Value
It goes without saying that information that is stolen, leaked or lost has a value. Cybercrime is increasing in maturity as malspace continues to develop. Let’s take a look at a few of the areas of cybercrime that we at the Information Security Forum (ISF) are seeing:
Rogue governments already provide support to terrorist groups in the form of financing, weaponry and logistics. These partnerships are based on a government’s need to carry out covert actions with deniability and a terrorist group’s need for access to resources they would struggle to find elsewhere. These partnerships will evolve to include advanced cyber-attack capabilities and will be used to attack infrastructure or organizations in other countries. The result will be cyber incidents that are more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in the effectiveness of existing security controls.
I mentioned earlier how cybercriminals are becoming more sophisticated and mature. In addition, crime syndicates are aligning commercially and diversifying their enterprises, seeking profits from moving more of their activities online. They are basing their operations where political and law enforcement structures are weak and malleable, and where they can conduct their activities relatively undisturbed. This is forcing domestic organizations to adapt their security strategies and fortify their internal business operations.
In a criminal marketplace with a global talent pool, professionalization will encourage specialization. Different criminal business units will focus on what they do best, and strategy development and market segmentation will follow best practice from the private sector. Malware development will be a prominent example of specialization. Profits will allow crime syndicates to steadily diversify into new markets and fund research and development from their revenue. Online expansion of criminal syndicates will result in increased Crime-as-a-Service (CAAS) along with distributed bulletproof hosting providers that sell services and turn a blind eye to the actions of malicious actors.
Smartphones are a prime target for malicious actors. The rapid uptake of Bring Your Own Device (BYOD), and the introduction of wearable technologies to the workplace, will increase an already high demand for mobile apps for work and home in the coming year. To meet this increased demand, developers working under intense pressure and on razor-thin profit margins will sacrifice security and thorough testing in favor of speed of delivery and low cost, resulting in poor-quality products that are more easily hijacked by criminals or hacktivists.
As the trend of employees bringing mobile devices, applications and cloud-based storage and access in the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.
IoT Adds Unmanaged Risks
The billions of devices that comprise the IoT will collect a wide variety of data from users, who will be unaware that it is happening, where the data is being stored or who has access to it. Additionally, these devices may be inadequately protected, exposing critical infrastructure – such as industrial control and financial systems – to malicious actors.
As organizations deal with this complex digital environment, they will respond by automating tasks previously performed by people. Human cognitive abilities will be regarded as a bottleneck to task completion and efficiency. In response, algorithms will be increasingly used to ensure tasks are performed with accuracy and timeliness. However, the interactions between these algorithms will become difficult to understand, introducing the potential for significant vulnerabilities. As a consequence, new challenges will be created for those tasked with identifying, assessing and managing the resulting information security risks.
Insiders Continue to Pose a Threat
Most high-profile attacks on corporate data centers and institutional networks have originated outside of the victimized organizations. But the network openings that allow outside cyber-attackers to burrow in, infect databases and potentially take down an organization’s file servers, overwhelmingly originate with trusted insiders. According to a worldwide survey of ISF members, the vast majority of those network openings were created innocently through accidental or inadvertent behavior by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.
Moving forward, organizations must nurture a culture of trust, one where the organization can trust its insiders – and insiders can trust the organization in return. Organizations with a high exposure to insider risk should expand their insider threat and security awareness programs. The trust organizations place in insiders has grown with advances in information technology, increasing information risk and changing work environments. This trend will continue as the volume of information insiders can access, store and transmit continues to soar – and as mobile working for multiple employers becomes the status quo.
Reducing the Risk of Attack
These days, establishing cyber security alone is not enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any damaging impacts of cyberspace activity.
Cybercrime often involves sophisticated, targeted attacks against an organization, and additional security measures are required to respond to specific cybercrime-related attacks and to put in place cyber resilience programs that anticipate uncertainty.
Cyber resilience anticipates a degree of uncertainty: it is difficult to undertake completely comprehensive risk assessments about participation in cyberspace. It also recognizes the challenges in keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It therefore encompasses a prepared and comprehensive rapid-response capability, because organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
Utilizing Standards to Protect Against Risk
Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. That’s why the Information Security Forum (ISF) has designed its new tools to be as straightforward to implement as possible. These ISF tools offer organizations of all sizes an “out of the box” approach to address a wide range of challenges – whether they be strategic, compliance-driven, or process-related.
For example, the ISF’s Standard of Good Practice for Information Security (the Standard) is the most comprehensive and current source of information security controls available. It enables organizations to adopt good practices in response to evolving threats and changing business requirements. The Standard is used by many organizations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from our global member organizations, and trends from the ISF Benchmark, along with major external developments including new legislation.
Institute a Risk Assessment Process
Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.
A piece of supplementary material that I recommend reviewing is the ISF Threat Radar. The Threat Radar plots an organization's ability to manage a threat against the threat's potential level of impact, helping to determine its relative importance for that organization. Arrows on the radar show the likely change in each threat's position over the period under discussion.
It is important to remember that it is neither possible, nor feasible, to defend against all threats. An organization therefore needs to look closely at its resilience: that is, what plans and arrangements are in place to minimize impact, speed recovery and learn from incidents, in order to further minimize impact in the future.
Further detail on cyber resilience is available in our report Cyber Security Strategies: Achieving Cyber Resilience.
Preparing Your People
Many organizations recognize their people as their biggest asset. However, they still fail to recognize the need to secure the human element of information security. In essence, people should be an organization’s strongest control. Rather than simply making people aware of their information security responsibilities and how they should respond, the answer for organizations is to embed positive information security behaviors until they become habits and part of the organization’s information security culture. While many organizations have compliance activities that fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new employee behaviors can reduce that risk.
Treating disclosure as more damaging than the data theft itself is a guaranteed way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments. The lesson that we tell our members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. This is particularly true as data breaches are happening with greater frequency and as the general public pays greater attention to information security. I also recommend running simulations with your public relations firm so that you are better prepared to respond following a breach.
Requirements for Security Professionals in 2016…and Beyond
Businesses operate in an increasingly cyber-enabled world, and traditional risk management is not agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling.
To make your organization better able to navigate what I like to call the “security minefield”, here are a few steps that businesses should take to better prepare themselves:
- Re-assess the Risks to Your Organization and Its Information from the Inside Out
- Identify the Roles and Responsibilities That Apply to Sensitive Information
- Change Your Thinking About Network-Related Threats
- Adopt a Risk vs. Reward Mindset
- Identify the Major Threats to Your Mission-Critical Information
- Embed Security in Business Unit Plans
- Determine a Critical Information Assets Protection Strategy
- Revise Cyber Security Arrangements
- Focus on the Basics
- People and Technology, Not Just Process
- Be Ready to Provide Proactive Support to Business Initiatives
- Think Resilience, Not Security
- Help Your Organization Understand How to Counter Threats
- Prepare for the Future
Organizations of all sizes need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping themselves to better deal with attacks on their business as well as their reputation. This may seem obvious, but the faster you can respond to these problems, the better your outcomes will be.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.