NEW YORK—The "bring-your-own" trend ranks among the top six security threats global businesses will face in 2014, the Information Security Forum (ISF) said at an annual security breakfast discussion here, its second to date.
A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.
Heading into the new year, Steve Durbin, global vice president of the ISF, recommended that businesses take a "resilience-based" approach to risk management.
"Cyber resilience requires recognition that organizations must prepare for a threat," said Durbin. "It requires high levels of partnering and collaborating, and for organizations to have the agility to prevent, detect and respond [to an event] quickly and effectively."
Speaking of the six threats identified as major concerns headed into 2014, Durbin emphasized the need for companies to find trusted partners and talk about cyber-security—a topic that's often treated as private.
"Any one of these threats we could probably deal with," said Durbin. "It's when they combine, and they can, that things get more complicated."
Six: BYO Trends
Topping the ISF's list is BYO, and it's no mistake that the "D" is missing. Workers bring their email accounts, their cloud storage and more. "We've moved on from devices," said Durbin.
"As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited," the ISF said in a report on its findings. "These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications."
If the risks are too high, the report advised, continue to watch for developments; if the risks are accepted, have a "well-structured" plan in place.
Five: Data Privacy in the Cloud
Wryly, Durbin suggested that the cloud presented no danger, as long as one could tick off a list of items, including knowing how many clouds a company has; what other companies' data are being stored on the same servers; whether one's storage services are being subcontracted; and if there's a clear plan for what happens when a contract with a cloud provider is terminated.
"While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications," said the ISF. "Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection."
Four: Reputational Damage
Garcia Cyber Partners Principal Greg Garcia, presenting at the ISF breakfast, said there are two types of companies—those that have been hacked and those that are going to be.
"There's an idea of personalizing security," said Garcia, speaking to how some companies naively believe they won't be hacked, or dismiss the likelihood as just a cost of business. One way of driving home the idea is to gather key players and consider how each would need to respond to a cyber break-in.
"What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement?" said Garcia. When the situation is something that could send stock prices plummeting, the reality of it sets in.