NEW YORK—The “bring-your-own” trend ranks among the top six security threats global businesses will face in 2014, the Information Security Forum (ISF) said here at its annual security breakfast discussion, the second it has held.
A nonprofit group founded in 1989, the ISF performs research on topics dictated by its 350-plus global member organizations. Only recently has it begun making its findings public.
Heading into the new year, Steve Durbin, global vice president of the ISF, recommended that businesses take a “resilience-based” approach to risk management.
“Cyber resilience requires recognition that organizations must prepare for a threat,” said Durbin. “It requires high levels of partnering and collaborating, and for organizations to have the agility to prevent, detect and respond [to an event] quickly and effectively.”
Turning to the six threats identified as major concerns heading into 2014, Durbin stressed the need for companies to find trusted partners and talk openly about cyber-security, a topic that is often treated as private.
“Any one of these threats we could probably deal with,” said Durbin. “It’s when they combine, and they can, that things get more complicated.”
Six: BYO Trends
Topping the ISF’s list is BYO, and it’s no mistake that the “D” is missing. Workers bring their email accounts, their cloud storage and more. “We’ve moved on from devices,” said Durbin.
“As the trend of employees bringing mobile devices in the workplace grows, businesses of all sizes continue to see information security risks being exploited,” the ISF said in a report on its findings. “These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.”
If the risks are judged too high, the report advised, keep watching developments; if they are accepted, have a “well-structured” plan in place.
Five: Data Privacy in the Cloud
Wryly, Durbin suggested that the cloud presented no danger at all, provided one could tick off a list of items: how many clouds the company actually uses; whose data is stored on the same servers as its own; whether the provider subcontracts its storage services; and whether there is a clear plan for what happens to the data when the contract with the cloud provider is terminated.
“While the cost and efficiency benefits of cloud computing services are clear, organizations cannot afford to delay getting to grips with their information security implications,” said the ISF. “Organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection.”
Four: Reputational Damage
Garcia Cyber Partners Principal Greg Garcia, presenting at the ISF breakfast, said there are two types of companies—those that have been hacked and those that are going to be.
“There’s an idea of personalizing security,” said Garcia, referring to the way some companies naively believe they won’t be hacked, or dismiss the likelihood as just a cost of doing business. One way of driving the idea home is to gather the key players and have each consider how he or she would need to respond to a cyber break-in.
“What would a hack mean to your marketing manager, to your head of investor services, to your PR team that needs to put out that statement?” said Garcia. When the situation is something that could send stock prices plummeting, the reality of it sets in.
‘Bring Your Own’ Makes Top 6 Security Threats List for 2014
Three: Privacy and Regulation
Organizations need to treat privacy as both a compliance and a business risk, according to the ISF.
“Furthermore,” the report added, “we are seeing increasing plans for regulation around the collection, storage and use of information along with severe penalties for loss of data and breach notification, particularly across the European Union. Expect this to continue and develop further, imposing an overhead [cost] in regulatory management above and beyond the security function and necessarily including legal, HR and board level input.”
Two: Cyber-Crime
Both Durbin and Garcia emphasized how effectively criminals coordinate and work together toward a shared goal. The Syrian Electronic Army’s August 2013 attack on The New York Times, which redirected nytimes.com by hijacking the paper’s DNS records through compromised credentials at its domain registrar rather than by breaching the Times’ own servers, was offered as an example.
“The bad guys are really great at collaboration, because there’s a lot in it for them,” said Garcia.
Cyber-crime, hacktivism (hacking for a cause) and the rising cost of keeping pace with regulation can combine into a perfect storm of sorts, the ISF said.
“Organizations that identify what the business relies on most will be well-placed to quantify the business case to invest in resilience, therefore minimizing the impact of the unforeseen.”
One: The Internet of Things
Durbin said he’d recently met with the CEO of Telefonica, who is excited about the “massive amount of opportunity around 4G.”
High-speed networks and the Internet of Things will create scenarios such as a car detecting a traffic jam ahead, working out that its driver will not reach the airport in time for his flight, and contacting the airport on its own to change the booking.
“That level of information, in the wrong hands, is concerning,” said Durbin.
Businesses can’t avoid every serious incident, and few have a “mature, structured approach for analyzing what went wrong,” he added. “By adopting a realistic, broad-based, collaborative approach to cyber-security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber-threats and respond quickly and appropriately.”