Threat Horizon report
The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Information Security Forum (ISF) — a nonprofit association that researches and analyzes security and risk management issues on behalf of its members — puts out its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year period. What follows are the nine biggest threats on the horizon through 2018 that your organization may have to manage and mitigate.
Theme 1: Technology adoption dramatically expands the threat landscape
Technology is already an integral part of everyday life in modern society. The ISF predicts that will only increase over the course of the next two years — both at a business and personal level. “Everything we do now is so inherently dependent on technology,” says Steve Durbin, managing director of the ISF. “Organizations certainly are starting to understand that they need to be looking at how they can maximize the effectiveness of this particular trend rather than holding back the sea.” But as organizations work to maximize their efficiency and effectiveness through improved connectivity, Durbin says they will also open themselves to associated threats in an expanded and more complex threat landscape.
The IoT leaks sensitive information
The Internet of Things (IoT) is growing at a rapid clip as the value of real-time data collection becomes clear. Whether it’s optimizing uptime of expensive industrial equipment, monitoring traffic, collecting real-time health information or any of a myriad of other uses, organizations and individuals are adopting IoT devices. But the devices that collect the data aren’t necessarily secure, and a poorly secured device on the network can become an entry point into the organization. Organizations may also stumble over privacy issues stemming from an increasing lack of transparency in the IoT ecosystem, a result of vague terms and conditions that allow organizations to use personal data in ways customers don’t intend. “This is a particular challenge for organizations that we need to get our heads around,” Durbin says. “Nobody goes into a store and says, ‘Give me the most secure device I can have.’ They want the one that’s nicest-looking or has the most features.” The ISF recommends that you do the following:
- Implement security processes for adding IoT devices to a network, or risk regulatory fines and reputational damage for poor data protection.
- Seek consent for data collection ahead of IoT deployment, and consider not only what information is collected but also what may be shared and with whom.
- Ensure that terms and conditions for using customer data are transparent and meet regulatory requirements.
- Look at IoT security holistically, as opposed to dealing with devices in isolation.
Opaque algorithms compromise integrity
Organizations are increasingly using algorithms to operate and make decisions in critical systems, from self-parking cars to automated trading. Without a human at the center of these decisions, organizations have less visibility into how their systems function and interact. Durbin says this lack of transparency poses significant security risks: unintended interactions between algorithms are likely to produce incidents that cause significant disruption. One example is the October 2014 ‘flash crash’ in U.S. Treasury bonds, when algorithmic trading briefly drove yields down sharply before the market corrected itself. “We know they’re going to do some quirky stuff from time to time,” Durbin says. “You need to understand some of the exposure you have to algorithmic systems. We’re building more and more of our systems on top of algorithms — industrial control, critical infrastructure. There is an increasing risk in this space we need to be addressing.” The ISF recommends you do the following:
- Identify exposure to algorithm-controlled systems and know when human involvement is a liability and when it is a fail-safe.
- Update code maintenance policies.
- Identify alternative ways of treating risk from algorithm-related incidents, especially if insurance is not an option.
- Conduct robust business continuity and resilience planning.
Rogue governments use terrorist groups to launch cyberattacks
Rogue governments already support terrorist groups with financing, weaponry and logistics so they can carry out covert actions with deniability. The ISF believes that in the next two years this support will expand to include cyberattack capabilities (knowledge, training, software and hardware) used to attack infrastructure or organizations in other countries. This would result in cyberattacks that are more persistent and damaging than many organizations have previously experienced. Durbin notes that cyber incidents involving terrorist groups like the Islamic State (IS) have already taken place. While large enterprises involved in critical infrastructure are likely to be early targets, smaller companies in the supply chain of those large enterprises may also be seen as a route into those enterprises, Durbin warns. “We’re expecting this to not just continue but potentially increase,” he says. “This is a different level of threat. This isn’t about financial gain or control. This is much more sinister. The attacks could be more aggressive or persistent than what we’ve seen with cybercriminals.” The ISF recommends you do the following:
- Adapt risk management processes to account for threat actors, such as terrorist groups, with new capabilities and reinforce this with regular scenario planning.
- Review existing controls and focus on increasing resilience.
- Explore possibilities for threat intelligence collaboration with governments and organizations facing similar threats.
Theme 2: Ability to protect is progressively compromised
Established methods of information risk management will be eroded or compromised by a variety of (usually non-malicious) actors, Durbin says. “There are more than enough cyberattacks to go around to keep people busy,” Durbin says. “But other things going on are compromising our capabilities in risk management.”
Unmet board expectations exposed by a major incident
In past years, the ISF warned that the board and the CEO didn’t appreciate the value of security, naming it a top threat. But that’s changed. Boards have approved increased information security budgets and they want to see immediate results. Security has moved to the top of the agenda, but Durbin says boards don’t understand that substantial improvements to information security will take time — even if the organization already has the correct skills and capabilities in place. Durbin warns the expectations of boards will rapidly accelerate beyond the ability of their information security functions to deliver. “Boards are viewing this in much the same way they view any other business issue,” Durbin says, noting that boards often have a quarterly review cycle and expect significant progress in that span. “Security is being pulled into that similar cycle, but a lot of things have very much longer tails than that.” The ISF recommends you do the following:
- Engage with the board regularly to provide a credible view of risk in line with the board’s risk appetite.
- Align the board’s expectations of security improvements based on current and future capability of the CISO and information security function.
- Initiate a talent program to transform the CISO and information security function from technical specialists into trusted business partners.
- Learn from those who have already transitioned into trusted business partners.
Researchers silenced to hide security vulnerabilities
As software replaces hardware in domains across all major sectors, Durbin says security researchers regularly uncover vulnerabilities and make them public in an effort to improve security. But manufacturers have begun responding to this trend with legal action rather than working with the researchers to fix the vulnerabilities. The ISF believes this trend will become even more prevalent over the next two years, leaving customers with software riddled with vulnerabilities manufacturers have hidden rather than fixed.
“We have seen an increase in the number of researchers that have been silenced with lawsuits and such being chucked at them,” Durbin says. He points to one large retailer in Australia that has instead responded by paying bounties to white-hat hackers who can find flaws in its systems before launch. “You need to be pretty brave to be doing that and you certainly need a sign-off from the top of the organization,” he adds. The ISF recommends that technology buyers insist on greater transparency during the procurement process, including access to the manufacturer’s vulnerability disclosure policy and the results of external vulnerability testing. For manufacturers, the ISF recommends offering financial rewards to researchers who responsibly disclose vulnerabilities and, if necessary, using mediation services to agree on satisfactory disclosure practices.
Cyber insurance safety net is pulled away
The ISF believes that several large data breaches in the next two years will result in significant financial losses for insurance companies that have offered cyber insurance and mispriced the risk. They expect many insurers to withdraw from the market as a result, set more stringent requirements for policyholders, narrow the scope of existing products, increase premiums sharply and restrict underwriting to sectors with less perceived risk. Organizations that have become dependent on cyber risk insurance will probably feel the burn. “I think more and more insurers are understanding that this is a complex area,” Durbin says. “The standard actuarial approach to writing insurance policies perhaps doesn’t apply.” The ISF recommends you do the following:
- Reassess risk management strategies in advance of a crisis, in particular the extent of risk that is being transferred via cyber insurance.
- Examine cyber insurance policies for potential costly exclusions.
Theme 3: Governments become increasingly interventionist
The ISF believes the next two years will see governments around the world take an even greater interest in scrutinizing new and existing technology products and services used by citizens. It predicts governments will begin to adopt a more intrusive approach in dealing with organizations that handle personal information, especially major technology companies. “Governments have woken up to the fact that there are some things that they need to get involved in. We’re seeing some rather quirky behavior,” Durbin says, pointing to the October 2015 ruling by the Court of Justice of the European Union that invalidated the US-EU Safe Harbor framework. “We’re also seeing some other governments around the world using the potential threat of terrorism and so on to introduce some legislation they wouldn’t otherwise be able to get passed,” he adds.
Disruptive companies provoke governments
The ISF believes that companies with aggressive commercial strategies that are disrupting their sector — companies like Uber, Airbnb and Google — will prompt politicians and regulators to take a closer look at the domestic impact of new technologies. They’ll start with the examination of anti-competitive practices, but ISF expects regulation to spread to include product and service providers across the broader technology sector. The ISF believes governments’ awareness of these technologies will grow faster than their understanding of the social and political implications, leading to reactive and poorly conceived government policies that neither encourage economic growth nor increase data protection for their citizens. As one example, you can expect a move from global to national clouds that restrict organizations’ ability to move data freely around the globe. The ISF recommends you do the following:
- Avoid political opposition by understanding the local context within which products and services are delivered. This is a particular challenge for organizations that scale fast and have minimal physical presence outside the country where they are headquartered.
- Develop a clear strategy for political influence and engagement, focusing on a principle-based system of regulation (as opposed to compliance checklists).
- Explore possibilities for collective influence, such as joining or starting a trade association.
Regulations fragment the cloud
Regulatory and legislative changes will impose new restrictions on how personal data is collected, stored, exchanged and disposed of over the next two years, according to the ISF. Organizations that depend on cloud services can expect to suffer a particularly heavy impact: they will be stuck trying to remain compliant with new data protection and data localization requirements while trying to conduct business as usual. Durbin notes the location of data became a particularly pressing issue after the US-EU Safe Harbor framework was struck down in October 2015, and the EU General Data Protection Regulation, which applies from May 2018, will complicate the situation with a wide array of compliance requirements backed by significant fines for non-compliance. “Regulators want to see that companies are being responsible,” Durbin says. “I do expect regulators to be taking a view that if you have done everything that is reasonably possible and there is still a breach? Okay. But it will necessarily impact the way that we use cloud.” The ISF recommends that you do the following:
- Understand how current and proposed regulations and legislation could evolve in light of growing political and popular demand for greater data protection.
- Don’t wait. Be proactive and prepare for change in regions where regulatory sentiment is shifting.
Criminal capabilities expand gaps in international policing
Cybercriminals now have technical capabilities and reach on a level with governments and other organizations. Over the next two years, the ISF believes they will extend those capabilities far beyond those of their victims. This will diminish the ability of current control mechanisms to protect organizations. Organizations will turn to law enforcement agencies and governments for assistance, but criminals — who generally attack organizations outside their home countries — will continue to evade prosecution by exploiting the lack of cross-border cooperation between law enforcement agencies of widely varying capabilities. The ISF believes organizations will suffer from more numerous and damaging attacks and will have less recourse to government assistance. “Criminals are not stupid,” Durbin says. “They understand there is no consistency multi-nationally in the way policing is carried out. You don’t necessarily have a direct line between where a crime is committed and the person committing it. From a law enforcement perspective, that raises a very big challenge.” The ISF recommends that you do the following:
- In the short-term, stay abreast of cybercrime’s evolution and put in place appropriate controls and robust, resilient systems.
- In the medium-term, build a threat intelligence capability so that risk assessments are carried out at regular intervals, and are as fully informed as possible.
- In the long-term, proactively influence governments to cooperate and build international legal frameworks that can effectively fight cybercrime.
Thor Olavsrud — Senior Writer
Thor Olavsrud covers IT security, big data, open source technology, Microsoft tools and servers for CIO.com. He resides in New York.