The results are far from shocking: cybersecurity, supply chain security, big data, data security in the cloud and mobile devices in the workplace will be the top threats going forward, ISF predicts.
“Organizations must prepare for the unpredictable so they have the resilience to withstand unforeseen, high-impact events,” said Steve Durbin, global vice president of the ISF. “We recommend thinking about threats in the context of the most valuable resources in your organization, consider which threats are most likely to create significant risk and which could have considerable impact.”
He also pointed out that the top five threats identified by the ISF for 2013 are not mutually exclusive. They can combine to create even greater threat profiles and they are most certainly “not the only threats that will emerge over the course of the next twelve months”.
Cybersecurity – including cyber espionage and cyber terrorism – has become somewhat of a meme this year thanks to high-profile malware attacks on various Mideast targets, increased hacktivism from the likes of Anonymous and the increasing focus of the US and UK governments on cyberspace and potential threats to critical infrastructure. ISF said that targets for espionage in 2013 will grow to increasingly include anyone whose intellectual property can turn a profit or confer an advantage, while full-blown attacks could yield a doomsday scenario. It is the specter of the latter that for instance prompted US Defense Secretary to warn against a "cyber Pearl Harbor."
“An extremely important aspect of cybersecurity will continue to be the protection of critical national infrastructure,” ISF noted. “A real cybersecurity concern however could be a full internet or telecommunications blackout in the eventuality of a sophisticated cyber-attack aimed at the internet infrastructure. Whilst unlikely, it remains a possibility.”
Supply-chain security, while not nearly as high profile as cyber spying and cyber war, will come increasingly into focus next year as businesses continue to house sensitive data in ever-larger volumes offsite at either other companies’ premises or in data centers. Businesses are also sharing more information with partners via the cloud, which could be another growth vector for attacks.
“More organizations will fall victim to information security incidents at their suppliers,” said ISF. “From bank account details held by payroll providers, to product plans being shared with creative agencies, today’s organization’s data is increasingly spread across many parties. While the IT function can provide an inventory of all data they hold, it is difficult to do that throughout the supply chain.”
Related threats to supply-chain security in the top five are Big Data and the cloud. The Big Data revolution, spurred by technologies that allow companies to collect, manage and analyze very large data sets thanks to cluster-based computing architectures – is creating vast repositories of mission-critical information that are, in turn, creating new security concerns. From structured and unstructured data within the network of enterprise PCs and servers to consumer-friendly smartphones, laptops and storage devices that introduce new data management challenges, businesses can be easily overwhelmed by the risks posed by simply the sheer volume of bits and bytes floating around out there.
Unfortunately, recent reports find that most enterprises are relying solely on passwords to protect their data. “Securing both the data inputs and big data outputs present a key challenge that can impact not just potential business campaigns and opportunities, but also have far reaching legal implications,” ISF noted.
Meanwhile, cloud computing and the use of cloud applications are maturing, driving corporate mandates and security initiatives to embrace the model. As such, the rising costs that are associated with proving cloud computing compliance and external attacks on the cloud will increase in 2013, the group predicts. “While a number of organizations are now implementing strategies for cloud computing security and compliance, businesses still have a way to go in certain areas, mainly because a lot of organizations still do not know where they have cloud implemented across their business.”
And finally, the consumerization of the workplace in the form of the bring-your-own-device (BYOD) phenomenon will continue to keep security personnel up at night, the ISF predicts. The fact remains that BYOD security policies remain a scattershot affair for many enterprises – but if implemented poorly, a personal device strategy in the workplace could face accidental disclosures due to loss of boundary between work and personal data and more business information being held in unprotected manner on consumer devices. “An additional security concern is related to location information which could be used for criminal purposes,” ISF noted. “The popularity of sharing or disclosing location online and the proliferation of GPS enabled devices will increase all types of crime exploiting location information.”
In any event, enterprises looking to stay ahead of the dizzying array of potential threats aimed at their organizations in 2013 will do well to stop crystal-ball gazing, instead putting plan into action, the ISF noted. “Share these threats and resilience-based approaches to mitigating risk with senior management and other functions such as risk management, risk committees and business continuity planning teams,” urged Durbin.