BreachExchange mailing list archives

Getting ahead of new threats
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Feb 2014 19:01:15 -0700

http://www.scmagazine.com/getting-ahead-of-new-threats/article/329723/

Cyber security stepped into the limelight in 2013 with numerous global
cyber attacks, high-profile data breaches and the arrest of several
prominent cyber criminals. Hacktivists developed from the proverbial
teenager in the bedroom into Anonymous and other online collectives,
causing hundreds of millions of dollars in damage to a number of global
organizations. Cyber criminals have evolved from lone agents to
collaborators and competitors in what we call Malspace, where they have a
marketplace to satisfy every demand. This ranges from malicious software
development, testing and quality control to target identification, payment
and currency conversion, and money laundering.

As we move into 2014, cyber attacks will continue to become more innovative
and sophisticated. Unfortunately, while organizations are developing new
security mechanisms, cyber criminals are cultivating new techniques to
circumvent them. Businesses of all sizes must prepare for the unknown so
they have the flexibility to withstand unexpected and high impact security
events.

After reviewing the current threat landscape, the six most prevalent
security threats for 2014 are: bring your own (BYO) trends in the
workplace, data privacy in the cloud, brand reputational damage, privacy
and regulation, cyber crime and the continued expansion of ubiquitous
technology. These threats are not mutually exclusive and can combine to
create even greater threat profiles. While they are not the only threats
that will emerge over the course of the next year, they are the ones that
businesses should be keeping a close eye on.

Let's take a quick look at each:

BYO trends

As the trend of employees bringing mobile devices, applications and
cloud-based storage and access in the workplace grows, businesses of all
sizes continue to see information security risks being exploited. These
risks stem from both internal and external threats, including mismanagement
of the device itself, external manipulation of software vulnerabilities and
the deployment of poorly tested, unreliable business applications. If the
BYO risks are too high for your organization today, stay abreast of
developments. If the risks are acceptable, ensure your BYO program is in
place and well structured. Keep in mind that if implemented poorly, a
personal device strategy in the workplace can lead to accidental
disclosures, both through the loss of the boundary between work and
personal data and through more business information being held and
accessed in an unprotected manner on consumer devices.

Data privacy in the cloud

While the cost and efficiency benefits of cloud computing services are
clear, organizations cannot afford to delay getting to grips with their
information security implications. In moving their sensitive data to the
cloud, all organizations must know whether the information they are holding
about an individual is personally identifiable information (PII) and
therefore needs adequate protection. Different countries' regulations
impose different requirements on whether PII can be transferred across
borders. Some have no additional requirements, while others have detailed
mandates. To determine which cross-border transfers will occur with a
particular cloud-based system, an organization needs to work with its
cloud provider to establish where the information will be stored and
processed.

Reputational damage

Attackers have become more organized, attacks have become more
sophisticated, and every threat now poses a greater danger to an
organization's reputation. In addition, brand reputation and the trust
dynamic that exists among suppliers, customers and partners have appeared
as very real targets for the cyber criminal and hacktivist. With the speed
and complexity of the threat landscape changing on a daily basis, all too
often we're seeing businesses being left behind, sometimes in the wake of
reputational and financial damage.

Privacy and regulation

Most governments have already created, or are in the process of creating,
regulations that impose conditions on the safeguard and use of PII, with
penalties for organizations that fail to sufficiently protect it. As a
result, organizations need to treat privacy as both a compliance and
business risk issue, in order to reduce regulatory sanctions and commercial
impacts, such as reputational damage and loss of customers due to privacy
breaches.

Cyber crime

Cyber space is an increasingly attractive hunting ground for criminals,
activists and terrorists motivated to make money, get noticed, cause
disruption or even bring down corporations and governments through online
attacks. In 2013, we saw cyber criminals demonstrating a higher degree of
collaboration among themselves with a degree of technical competency that
caught many large organizations unawares. In 2014, organizations must be
prepared for the unpredictable so they have the resilience to withstand
unforeseen, high impact events. Cyber crime, the growth of online causes
(hacktivism), the rising cost of complying with an uptick in regulatory
requirements and relentless advances in technology, all against a backdrop
of under-investment in security departments, can combine to create the
perfect threat storm.
Organizations that identify what the business relies on most will be well
placed to quantify the business case to invest in resilience, therefore
minimizing the impact of the unforeseen.

The Internet of Things

Organizations' dependence on the internet and technology has continued to
grow over the years. The rise of objects that connect themselves to the
internet is releasing a surge of new opportunities for data gathering,
predictive analytics and IT automation. As interest in setting security
standards for the Internet of Things (IoT) grows, it should be up to the
companies themselves to continue building in security through
communication and interoperability.

Prepare now, or...

Today, the stakes are higher than ever before, and we're not just talking
about personal information and identity theft anymore. High-level corporate
secrets and critical infrastructure are constantly under attack, and
organizations need to be aware of the important trends that have emerged or
shifted in the past year, as well as those that they should prepare for in
2014.

Organizations of all sizes are operating in a progressively cyber-enabled
world and traditional risk management isn't agile enough to deal with the
risks from activity in cyber space. Enterprise risk management must be
extended to create risk resilience, built on a foundation of preparedness
that evaluates the threat vectors from a position of business acceptability
and risk profiling. From cyber to insider, organizations have varying
degrees of control over evolving security threats, and with the speed and
complexity of the threat landscape changing on a daily basis, far too often
I'm seeing businesses getting left behind, sometimes in the wake of
reputational and financial damage.

Engage with the board

Organizations have limited resources that are prioritized to areas of
greatest need or return. Without knowing the cost of potential incidents,
organizations will misdirect resources and fix symptoms instead of causes,
and worse, not spend money where it's needed to mitigate a major incident
in waiting.

In the past, CEOs received information and reports encouraging them to
consider information and cyber security risk. But, not all of them
understood how to respond to those risks and the implications for their
organizations. The CEO, together with every member of an organization's
board, needs a thorough understanding of what happened and of why it is
necessary to properly understand and respond to the underlying risks.
Without this understanding, risk analyses and the decisions that follow
from them may be flawed, leading organizations to take on greater risk
than intended.

The time is now

While it would be nearly impossible for businesses to avoid every serious
incident, few have a mature, structured approach for analyzing what went
wrong. By adopting a realistic, broad-based collaborative approach to cyber
security and resilience, government departments, regulators, senior
business managers and information security professionals will be better
able to understand the true nature of cyber threats and respond quickly and
appropriately. This will be of the utmost importance in 2014 and beyond.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 