As we approach the end of the year it is only natural that people start looking forward to what may happen in the coming New Year. My inbox, like everyone else's, has been flooded with messages from vendors predicting the threats we will face in 2013, and, by some strange twist of fate, only their product can protect us from them. So instead of predicting which technological threats we will face (let me simply point out that there will be more viruses, more critical security bugs and more data breaches), I thought I should instead look at how a trend I have seen in the industry will influence the information security landscape in 2013.
One of the big influences I see coming in 2013 is how security and privacy issues will be dealt with. This will happen for a number of reasons. The adoption of cloud computing will continue to increase; however, many companies will face the challenge of how to adopt the cloud without infringing on the privacy rights of their customers. In particular, European companies and organisations headquartered in the EU will have to ensure they comply with the European Data Protection Directive, including its restrictions on transferring personal data outside the EU.
This challenge is not restricted to the corporate cloud solutions that companies may employ; it also extends to the consumer services that employees may use, such as Dropbox, Google Drive and Microsoft SkyDrive, to name but a few. Many employees will use these consumer services to share data with colleagues or simply to take work home. However, they may unknowingly, and without any malicious intent, be placing sensitive personal information onto these services, making the organisations themselves liable for any privacy breaches that may occur.
The other driver will be the continued move towards Bring Your Own Device (BYOD). While offering many advantages, BYOD also brings many challenges for companies in how they manage and secure personally identifiable information (PII) on these devices. In addition to ensuring that PII is stored on employees' devices in a secure manner, companies also need to make sure they do not infringe on the private and personal information that employees may store on their phones, tablets and laptops. One example is where a company wishes to remotely wipe data from the device of an employee leaving the company: can it ensure that only company data is deleted and not the employee's personal information, such as photos? Another is an internal investigation, where the company will need to balance its need to conduct the investigation against possibly impinging on the private material and data an employee holds on their own device. Investigators will need to learn how to clearly define, and remain within, the scope of internal investigations.
The other area of concern regarding privacy in 2013 and the coming years is how governments respond to the ever-increasing number of cyber-attacks, particularly those carried out by online activists. We have seen in the past how governments have introduced privacy-invasive legislation to deal with certain threats; the EU Data Retention Directive and the US Patriot Act, both introduced in response to fears about terrorism, are prime examples of this type of reaction. Faced with online attacks by activists seeking to highlight freedom of speech or government transparency issues, a number of governments will, ironically, be tempted to take a knee-jerk reaction and introduce new legislation that could impinge on the online privacy and rights of individuals.
Many governments, and the private security companies operating in this area, will also want to gather and share information to try to identify potential online threats, be they online criminals, nation-state electronic attacks, cyber-terrorism or electronic espionage. Many of these organisations see current privacy laws as inhibitors to obtaining and sharing this information. This was highlighted by RSA's CEO Art Coviello at RSA Europe earlier this year, where during his keynote he claimed that well-meaning activists and laws designed to protect people's privacy are hampering the ability of businesses and security vendors to defend against cyber-attacks.
Consumer privacy is also becoming a hot topic, with many companies promoting their apps and services as being more privacy aware. Microsoft's decision to ship IE 10 with the Do Not Track (DNT) header enabled is a prime example of this trend, and one that is already under fire from the online advertising industry, which does not want a browser to send the header on the user's behalf by default. This trend is being reinforced by the EU, which is currently looking at revamping the EU Data Protection Directive to bring it into line with modern technologies.
So, given the trends above, I see 2013 as being an interesting year in which privacy concerns and issues will drive a lot of our security decisions. A well-focused and well-thought-out privacy policy, as part of your information security programme, could be a key element in how you manage security over the coming year.