This is one of the main findings in the new Information Security Forum (ISF) Threat Horizon 2015 report. The purpose of the annual report is to help ISF members take a forward looking view of the threats they need to plan for and counter. For the main part, ISF finds that most threats have been around for some time, and are well understood – but they are simply getting more sophisticated: hacks are more skilled, DDoS attacks are more severe.
The threat vector, however, changes with technology. Increasing use of cloud computing and storage, BYOD and social networking are all providing criminals with new opportunities to steal data. The problem for many companies is that this growing and more sophisticated threat coincides with an increasing worldwide shortage of skilled security staff able to combat it. Steve Durbin, ISF’s global vice president, believes that this will lead to more companies outsourcing their security to MSS providers – but warns that companies will still need capable security staff to manage and prioritize the relationship.
One thing that does concern him, he told Infosecurity, is a potential negative side-effect from the increasing activity of government. He sees two problems. Firstly, he fears that business “may be lulled into a false sense of security, believing that government will protect them.” This is a misunderstanding of what government is doing: government may help security, but it doesn’t do security. The second side-effect that concerns him is that increasing regulation and compliance requirements may divert energies away from proper security to cope with compliance.
Government activity exacerbates the genuinely new threat: reputation and reputation management. “To a degree,” he told Infosecurity, “we have become anesthetized to hacks. We know they’re going to happen; so what we really look for is how they are handled.” Business can no longer hide behind silence. Increasing breach notification laws, including within the proposed EU Data Protection Regulation, mean that companies will need to go public soon or very soon after discovering a breach. This will require a new cyber reputation management capability with particular social networking skills. While large organizations have always had crisis management departments, managing reputation after a breach will become a major problem for SMBs.