If you thought 2017 was a dire year for data breaches, wait until 2018. The Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts an increase in the number and impact of data breaches, thanks in large part to five key global security threats that organizations will face in 2018.
"The scope and pace of information security threats is jeopardizing the veracity and reputation of today's most reliable organizations," says Steve Durbin, managing director of the ISF. "In 2018, we will see increased sophistication in the threat landscape with threats being personalized to their target's weak spots or metamorphosing to take account of defenses that have already been put in place. These days, the stakes are higher than ever before."
Growing with the number of data breaches will be the volume of compromised records, Durbin says. Because of this, next year’s attacks will be far more expensive for organizations of all sizes. Traditional areas, such as network clean-up and customer notification, will account for some of these costs, but additional costs will arise from newer areas, such as litigation involving a growing number of parties, Durbin says. The ISF predicts angry customers will pressure governments to introduce tighter data protection legislation, with concomitant costs.
The five key threats the ISF identifies for 2018 are:
- Crime-as-a-service (CaaS) will expand available tools and services.
- The internet of things (IoT) will further add unmanaged risks.
- The supply chain will remain the weakest link in risk management.
- Regulation will add to the complexity of critical asset management.
- Unmet board expectations will be exposed by major incidents.
Last year, ISF predicted CaaS would take a quantum leap forward, with criminal syndicates further developing complex hierarchies, partnerships and collaborations that mimic large private sector organizations.
Durbin says that prediction proved prescient, as 2017 has seen a "huge increase in cybercrime, particularly crime-as-a-service." The ISF predicts that process will continue in 2018, with criminal organizations further diversifying into new markets and commodifying their activities at a global level. Some organizations will have roots in existing criminal structures, the ISF says, while others will emerge that are focused solely on cybercrime.
The biggest difference? In 2018, CaaS will allow “aspirant cybercriminals” without much technical knowledge to buy tools and services that allow them to conduct attacks they would otherwise not be able to undertake, Durbin says.
"Cybercrime is moving away from just being targeted at the very large honeypots: intellectual property and big banks," he adds.
Take cryptoware, the most popular category of malware today. In the past, cybercriminals using ransomware depended on a perverse form of trust: they would lock up the victim's computer, the victim would pay the ransom, and the criminal would unlock the computer. But Durbin says that the arrival of aspirant cybercriminals in this area means that "trust" is breaking down. Even victims that pay the ransom might not get the key to unlock their property, or the cybercriminals might come back again and again.
At the same time, Durbin says cybercriminals are becoming more sophisticated in their use of social engineering. While the targets are generally individuals rather than the enterprise, such attacks still pose a threat to organizations.
"For me, there is increasingly this blurring between the enterprise and the individual," he says. "The individual is increasingly the enterprise."
Organizations are increasingly adopting IoT devices, but most IoT devices are not secure by design. Additionally, the ISF warns there will be an increasing lack of transparency in the rapidly evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. On the enterprise side, it will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices like smartphones and smart TVs.
When data breaches do occur, or transparency violations are revealed, organizations are likely to be held liable by regulators and customers. And in a worst-case scenario, security compromises of IoT devices embedded in industrial control systems could lead to physical harm and death.
"From a manufacturer's point of view, knowing what your usage pattern is, getting a better understanding of the individual, clearly is important," Durbin says. "But all of that has opened up more threat vectors than we've ever had before."
"How do we secure them so we're in control as opposed to the device being in control? We're going to see more of a raised level of awareness in this area," Durbin adds.
The ISF has been raising the issue of the vulnerability of the supply chain for years. As the organization notes, a range of valuable and sensitive information is often shared with suppliers. When that information is shared, direct control is lost. That means increased risk of compromise of that information's confidentiality, integrity or availability.
"Last year we started to see big manufacturing organizations losing manufacturing capability because they were locked out and their supply was being affected," Durbin says.
"It doesn't matter what line of business you're in. We all have supply chains," he adds. "The challenge we face is how do we really know where our information is at each and every stage of the lifecycle? How do we protect the integrity of that information as it's being shared?"
In 2018, organizations will need to focus on the weakest spots in their supply chains, the ISF says. While not every security compromise can be prevented ahead of time, you and your suppliers will have to be proactive. Durbin recommends adopting strong, scalable and repeatable processes with assurance proportional to the risk faced. Organizations must embed supply chain information risk management within existing procurement and vendor management processes.
Regulation adds complexity of its own: the sweeping European Union General Data Protection Regulation (GDPR) will come online in early 2018, adding another layer of complexity to critical asset management.
"There probably isn't a conversation that I have with anybody, anywhere in the world in which GDPR isn't touched on," Durbin says. "It isn't just about compliance. It's about making sure you have the ability across your enterprise and supply chain at any point in time to be able to point to personal data and understand how it's being managed and protected. You have to be able to demonstrate that at any point in time, not just by regulators, but by the individual."
"If we're really going to implement this properly, we're going to have to change the way we're doing business," he adds.
ISF notes the additional resources required to address the obligations of GDPR are likely to increase compliance and data management costs, and to pull attention and investment away from other activities.
Unmet board expectations
Misalignment between the board's expectations and the reality of the information security function's ability to deliver results will pose a threat in 2018, according to the ISF.
"The board, as a rule, does get it. It understands it is operating in cyberspace. What it doesn't understand, in many cases, is the full implications of that," Durbin says. "They think the CISO has it all under control. In many cases the board still doesn't perhaps know the right questions to be asking. And the CISO still doesn't perhaps understand how to talk to the board, or the business for that matter."
The ISF says boards will expect that their approval of increased information security budgets in past years will have enabled the CISO and information security function to produce immediate results. But a fully secure organization is an unattainable goal. And even if they understand that, many boards don't understand that making substantial improvements to information security takes time — even when the organization has the correct skills and capabilities in place.
This misalignment means that when a major incident does occur, it won't just be the organization that feels the effects; it's likely to reflect badly on the reputations of board members, both individually and collectively.
Because of this, the CISO role must evolve, Durbin says.
"The role of the CISO these days is to anticipate, not to make sure the firewall stays up," he says. "You have to anticipate how the challenges coming down the road will affect the business and articulate that to the board. A good CISO needs to be a salesman and a consultant. You can't not have both. I can be the best consultant in the world, but if I can't sell my ideas to you, it's not going to go anywhere in the board room."