In its report Threat Horizon 2016, the ISF outlines how the disintegration of trust will force organizations to abandon certain accepted truths: that governments will look out for citizens’ best interests, that security solutions will deliver what’s promised, and that their people will help navigate a way through.
“Revelations about how governments had been surrendering commercial and personal privacy in the name of national security – compounded by a number of major economic and technical developments – have left citizens’ trust badly shaken,” said Steve Durbin, ISF's global VP, in an interview with Infosecurity. “The outcome? Organizations are quickly coming to the realization that what they have trusted and taken for granted for so long must now be completely re-assessed.”
Organizations must prepare to operate in an environment where governments no longer balance national security with citizens’ and business’s best interests, the ISF stressed, and even as confidence in accepted solutions crumbles. That means embracing a sea change in approaches to security.
“The first action businesses must take is to re-examine the assumptions the organization has made about the internet and adapt their cyber-resilience to this new paradigm,” said Durbin. “For example, one of the threats describes how a key component of internet security – encryption – may fail to hold up. This points to the need to do this immediately. Waiting for the hammer to fall is not advisable.”
Organizations need to build resilience against cyber-threats at a time when a number of accepted solutions are no longer viable. Unless CISOs evolve their skill set to ensure that they can anticipate the CEO’s needs and deliver on an increasingly demanding digital agenda, they will fail. The CISO now needs to mature the security function to satisfy the many questions that CEOs will inevitably have. Successful CISOs will anticipate the shifting understanding and demands within the organization around cyberspace, as well as senior management’s expectations.
Durbin added, “Organizations that are proactive in understanding how the newer generations work will be better placed to get ahead of the curve and the competition. A few recommendations I have would be for organizations of all sizes to understand that the new generations’ approach to work, socializing and privacy is vastly different from previous generations’ and that they won’t fit with traditional security models. They should adapt existing policies and procedures to engage with generations Y and Z and foster an information security culture to promote awareness.”
Complicating things, of course, is the well-documented fact that cybercriminals are still well ahead of information security professionals. And the insider threat will continue to challenge organizations, because people will remain the weakest link in information security. Meanwhile, the cost of investigating, managing and containing incidents will rise as they grow more complex and regulators’ demands increase.
“The bad guys are getting better at what they do faster than ever before, while the good guys often struggle merely to respond,” Durbin observed. “The situation is made worse by cybercriminals having no budget restrictions, nor having to conform to legislation or comply with regulations – an increasing burden for organizations.”
Nation-states and governmental organizations are attempting to counteract the repercussions from the Snowden revelations, but at the same time they’re showing few signs of winding down espionage activities.
“In order to demonstrate they are in control, they will swing the pendulum between over-reacting and putting in place excessively restrictive rules and regulations, and taking a series of watered-down actions to ease public anxiety,” Durbin said. “Whichever way the pendulum swings, doing business on the internet is likely to be more complicated and result in increased transaction costs.”
The ISF also predicts that organizations will be targeted by nation-state-backed players with large budgets and varying agendas – all with little legal recourse. The result will be an even more unruly cyberspace trading environment, characterized by more actors, more attempts at espionage or other malicious activities and, likely, the theft and exploitation of these new tools by criminal organizations.
“Businesses should reinforce basic information security arrangements,” Durbin advised. “This means understanding what and where the most critical information assets are, their key vulnerabilities and the main threats against them. Standards and controls should be in place to mitigate the associated risks to these assets.”