Information security threats are intensifying every day. Organizations risk becoming disoriented and losing their way in a maze of uncertainty, as they grapple with complex technology, data proliferation, increased regulation, and a debilitating skills shortage.
The year 2019 will dawn on a hyper-connected world where the pace and scale of change—particularly in terms of technology—will have accelerated remarkably. People will find themselves caught in a vortex of economic volatility and political uncertainly far beyond the levels experienced today. The consequences will be job losses, social divisions and civil unrest. While some organizations will find ways to prosper in this new world, many will struggle. The determining factor will be the degree to which organizations are prepared to meet the challenges.
At the Information Security Forum, we recently released Threat Horizon 2019, the latest in an annual series of reports that provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world. In Threat Horizon 2019, we highlighted the top three threats to information security emerging over the next two years, as determined by our research.
Let’s take a quick look at these threats and what they mean for your organization:
Disruption
An over reliance on fragile connectivity requires a seismic shift in the way business continuity is planned, practiced, and implemented.
To survive in a hyper-connected world, organizations depend on instant and uninterrupted connectivity, smart physical devices and machines, and trustworthy people. As the boundary between the physical and digital world disappears, organizations will learn that the availability of connected physical assets cannot be taken for granted. Attacks on core internet infrastructure, endpoint devices, and key people will disrupt operations, hinder access to mission critical information, and cripple productivity.
In an atmosphere of heightened international political tension and simmering low-level conflict, core internet infrastructure will become a target as nation states and terrorist groups aim to inflict widespread economic damage on their adversaries. Internet outages will halt business operations and prevent trade, and in extreme cases, will cause the breakdown of critical national infrastructure and vital supply chains, resulting in widespread disruption to commerce and civic life.
While international adversaries introduce chaos to core internet infrastructure, attackers will be honing their abilities to exploit the increasing numbers of physical assets connected through the Internet of Things (IoT). Ransomware, already one of the most prevalent ways to exploit the value that organizations place on digital information, will evolve to target connected smart physical devices integral to daily life and business functionality. Holding these assets for ransom will threaten the lives of customers and employees, interrupting operations and causing heavy financial losses.
Cyber attacks on infrastructure and devices are increasing in sophistication and impact, but basic methods of compromising information will still result in severe damage. People with access to mission-critical information will be subject to old-fashioned criminal techniques of coercion and fraud. Organized criminal groups will exploit soft human targets, finding or creating leverage over those with privileged access to highly valuable data and systems.
To protect against the scale and scope of these threats, an organization will be forced to rethink its defensive model, particularly its business continuity and disaster recovery plans. Established plans that rely on employees being able to work from home, for example, will not stand up to an attack that removes connectivity or personally targets individuals. Revised plans should cover threats to physical safety as well as periods of operational downtime caused by attacks on infrastructure, devices or people. Creating a cyber-savvy workforce that takes information security seriously, while fostering a culture of trust, will help to eradicate poor security practices as well as reduce the number and scale of incidents.
Distortion
As trust in the integrity of information is lost, the monitoring of access and changes to sensitive information will become critical, as will the development of complex incident management procedures.
Businesses and public agencies depend on accurate and reliable data. Malicious actors will increasingly attack organizations by compromising the integrity of that information. By spreading lies, distorting operational data, or sabotaging official records, attackers will hope to gain a competitive or financial advantage by damaging their target’s reputation or operational effectiveness.
The rise of fake news is already a fledgling industry, as evidenced by the wealth of stories surrounding major political figures and events. Fueled by advances in artificially intelligent personas, the practice of deliberately spreading misinformation will soon target commercial organizations. 'Chatbots', indistinguishable from humans, will disseminate convincing misinformation about an organization’s working practices or products. Without breaching the digital boundary, an attacker will be able to inflict insidious damage that lasts well beyond the attack.
Attacks on an organization’s internal information will also increase in number and scale, resulting in operational, financial and reputational damage. Inaccuracies in big data will impede decision-making capabilities, and slow down research and development projects. Manipulated financial details will enable fraud, or misrepresent an organization’s financial performance and impact share price. Stolen information can also be modified and exploited for blackmail, causing embarrassment and brand damage when leaked.
Even supposedly secure mechanisms such as blockchains – which have the potential to revolutionize business processes across various industries – will be used to spread misinformation. Blockchains will be subverted to commit fraud or launder money, shattering the trust on which they rely and reversing any process efficiencies gained from implementing the technology.
Organizations can mitigate the damage caused by misinformation by taking proactive measures. Monitoring what is being said about the organization online and tracking changes made to internal information will reveal early warning signs of an integrity attack. Planning with external stakeholders for such eventualities and putting effective incident response processes in place will further protect the organization’s information and reputation.
Deterioration
Cyber security controls are being eroded and outpaced by regulations, surveillance, and AI technology. To navigate the complexity, conflicting mandates, and resulting vulnerability, organizations need a strong, constant focus on risk assessment and management.
Rapidly advancing intelligent technologies and conflicting demands for both heightened national security and individual privacy will inadvertently erode an organization’s ability to control information. Surveillance laws designed to secure nations against adversaries, new regulations protecting individual privacy and intelligent systems that make their own decisions, will inhibit an organization’s ability to protect its assets and people.
Surveillance laws aiming to improve national security will require the communications providers underpinning the digital economy to bulk-collect data that can potentially identify corporate secrets. Organizations will not be able to define the security arrangements around these reservoirs of data, which will be specifically targeted by attackers who will have the knowledge and capability to extract and exploit them.
At the same time, new privacy regulations will restrict the ability to combat a major threat. Stipulations that the profiling of individuals must be transparent will result in a conundrum for an organization: either stop using tools that monitor user behaviour, thus enabling malicious insiders to hide and continue to compromise information; or continue to use the tools, expose the organization and suffer consequences.
Updated regulations are implemented only after lengthy processes to obtain consensus and approval, yet advances in technology will continue apace. The use of increasingly mature AI in automated systems will produce outcomes that go beyond the expectations and understanding of business leaders, developers and system managers. Without a sufficiently skilled workforce to oversee the technology, AI systems will start to make independent decisions that contradict defined business rules, disrupt operations and create new security vulnerabilities.
Organizations will need to take steps to manage emerging risks in a complex regulatory and technological environment. Even though many factors will be beyond the direct control of the organization, business and security leaders can prepare to address these threats through: considered risk assessments; open and honest negotiations with communications providers; taking legal counsel to understand the effects of new regulations; and building a workforce that is ready for the adoption of advanced technology.
Preparation must begin now
Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
In the face of mounting global threats, organization must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.
The three themes listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.
