The array and complexity of information security threats is going to rise significantly over the next two years, and businesses that fail to prepare now will struggle to handle the challenges later. While individual threats continue to pose risk, it is the combination of them, along with the speed at which attacks may be launched, that provide the greatest danger. This increasingly complex threat landscape is comprised of:
- External threats that come from the increasing sophistication of cybercrime, state-sponsored espionage, activism moving online, and attacks on systems used to manage critical infrastructure in the real world.
- Regulatory threats that come as regulators grapple to implement legislation calling for greater transparency about incidents and security preparedness, all the while increasing requirements for data privacy.
- Internal threats that come as technology continues to develop at “tweetneck” speed, introducing new benefits but also raising the risk temperature as businesses adopt them without fully assessing the security implications.
Preparing for these challenges requires a shift from traditional risk management. Businesses operate in an increasingly cyber-enabled world, and traditional risk management just isn’t agile enough to deal with the risks posed from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness that assesses the threat vectors from a position of business acceptability and risk profiling. This means risk management can’t be the sole responsibility of the information security team; all business units—including human resources and marketing—must be involved. New attacks impact not just technology, but business reputation and shareholder value as well; we’re starting to see a clear link between attack and stock price performance.
Keeping that in mind, let’s look at ways organizations can plan for today’s threat vectors.
Since businesses can expect to see a continuing increase in the frequency, sophistication and effectiveness of attacks, they require the capability to respond more quickly and effectively. Consider these five actions to prepare for today’s external threats:
- Ensure standard security policies and procedures, such as an acceptable use policy for employee-owned computing devices, are in place across the business.
- Develop your cyber-resilience by establishing a cybersecurity governance function—gather and share attack intelligence, assess your own resilience and develop a comprehensive response plan.
- Consider getting involved and shaping local cybersecurity initiatives, sharing incident data, and working with other organizations and industry bodies to build the foundations of resilience.
- Monitor the threat landscape for further developments.
- Increase business leadership involvement in all of the above—this is a business issue, not something solely for information security.
Regulators and legislators the world over are trying to figure out the rules and statutes for an ever-changing environment. Clearly, changes that are businessfriendly and allow innovation will be welcome, as will those that harmonize regulations across jurisdictions. There is always the danger, however, that increased regulation will bring with it an increased cost of compliance, particularly for the unprepared. Businesses can take these steps to better prepare themselves to respond to these regulatory threats:
- Adopt and practice a structured and systematic approach to assessing risk and meeting data breach and other transparency requirements.
- Monitor legislative and regulatory developments on a continuing basis and amend your data protection framework and information management procedures to reflect any changes, including privacy-related controls.
- Join and participate in industry and other associations to assess and influence policy—don’t assume the regulators will get it right.
Whether it’s one person’s error that isn’t caught in time, or an old server that wasn’t upgraded because the plan was cut back, the result ends up the same. Whether it’s accidental, deliberate or malicious, the incident’s cost could easily be immensely out of proportion to the cost of prevention. However, internal threats are more than internal mistakes or deliberate abuse; they also come from the introduction of new technology, underinvestment in security functions, and the pace of technological changes. A business can counter these internal threats by:
- Adopting business-wide information security governance and integrate it with other risk and governance efforts within the organization.
- Improve the integration of security across the business and elevate security reporting to a level with other governance, risk and compliance (GRC) areas.
- Understand your organization’s risk appetite and ensure the value of continuous security investment meets the business need and is well spent; engage business leaders in this so they understand the implications of any zerobudget planning.
- Take ownership of coordinating the contracting and provisioning of business relationships with outsourcers, offshorers and supply chain and cloud providers. How secure are your suppliers? Ask them!
- Monitor new business initiatives and get information security involved early, as an enabler.
With the speed and complexity of the threat landscape changing on an almost daily basis, all too often we are seeing businesses left behind, sometimes in the wake of reputational and financial damage. They need to take stock now to ensure they are fully prepared and engaged to deal with these ever-emerging challenges.
Steve Durbin is global vice president of the Information Security Forum (ISF), an independent, nonprofit association. His main areas of focus include the emerging security threat landscape, cybersecurity, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments. He was formerly senior vice president at Gartner, where he was the global head of Gartner’s consultancy business.