10 Threats to IT over the Next Two Years
Threats IT Security Leaders Must Address
Providing IT security will only get tougher over the next couple of years as digital threats become more numerous and complex.
That's the gist of a new report from the Information Security Forum entitled Threat Horizon 2014: Managing Risks When Threats Collide.
"While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organized criminals adopt techniques developed by online activists," Steve Durbin, global vice president of the Information Security Forum, said in announcing the report. "Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace."
The report groups 10 threats into three basic areas: external, regulatory and internal. They are:
1. Cyber criminality increases as the malware space matures: The sophistication and scale of the global industry that has evolved to commit cybercrime, espionage and other malevolent activity will grow and develop.
2. The cyber arms race leads to a cyber cold war: Nations developing more sophisticated ways to attack via cyberspace will get better at it, those who haven't will start, and organizations will suffer collateral damage. Targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage.
3. More causes come online; activists get more active: Anyone not using the Internet to advance their cause will start: customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs - the list is endless. Online organizing will become easier and protest channels will be available to greater numbers.
4. Cyberspace gets physical: The increasing convergence of cyber and physical worlds will bring more attacks on physical systems, from attempts to turn out lights or climate control systems to disrupting manufacturing systems. Whether attacks are successful or not, credible publicised threats will cause disruption and panic.
5. New requirements shine a light in dark corners exposing weaknesses: Further movement toward increasingly transparent security disclosures will publicize weaknesses, making organizations more vulnerable to attack. Organizations forced to report security risks may have as much to fear from customers and business partners as they do from hackers and regulators.
6. A focus on privacy distracts from other security efforts: New privacy requirements from consumers, business customers and regulators impose a heavy compliance burden. Organizations will need to decide whether to invest in the necessary security and legal controls, outsource to someone who can or exit certain markets. They will also need to consider the message their actions send to their customers.
7. Cost pressures stifle critical investment: An undervalued function can't keep up. It would be normal to see investment increase after the prolonged downturn, but some economies are still struggling. Even organizations that are increasing security spending have a legacy of under-investment that can't be corrected overnight. But cyber criminals have been investing, and it will become easier and less expensive to buy criminal technology and services.
8. A clouded understanding leads to an outsourced mess: Continued cost pressure will lead to a new form of digital divide: between organizations that understand the marriage between IT and information security - and everyone else. Leading organizations will appreciate the strategic value of channels, systems and information and will invest; the others will suffer competitive disadvantage and heightened risk of damaging incidents.
9. New technologies overwhelm: Organizations are unlikely to slow their adoption of new technology or decrease their participation in cyberspace. Along with business benefits come potential vulnerabilities and methods for attack, and organizations will continue to be hit. Organizations that don't understand their dependence on technology may have a nasty surprise if it leads them astray or suddenly goes offline.
10. The supply chain springs a leak as the insider threat comes from outside: A modern organization's data are spread across many parties, and more organizations will fall victim to incidents at suppliers. This will increase as organizations further digitize supply chains, outsource functions and rely on external advisers. 3D printers create three-dimensional products from digital blueprints - increasing the theft of intellectual property, the frequency of attacks and the amount of counterfeit product on the market.
Durbin says organizations are being left behind, with some seeing their finances and reputations damaged because of the speed and complexity of the threat landscape. "They need to take stock now to ensure they are fully prepared and engaged," he says.
The Information Security Forum is a global, independent, industry-supported, not-for-profit association that investigates, clarifies and resolves issues in cyber, information security and risk management and develops best practice methodologies, processes and solutions.