The capacity for disruptive innovation is a well-regarded quality among technology entrepreneurs, but they are not the only ones known for constantly upsetting established protocol. Hackers and organized criminals continue to hone their capabilities and attacks, hiding their online activity in a flood of data and overwhelming or subverting organizational defenses. Regular and increasingly large disruptions will begin to tear at the integrity of the internet, creating new technical, social, and political divisions.
In response to these mounting risks, organizations must fundamentally re-assess their resilience strategies and fortify their internal business operations.
Supercharged Connectivity Will Overwhelm Defenses
As we look ahead, it is clear that as super-fast gigabit connectivity becomes widely available, it will supercharge cybercrime and enable hackers to develop sophisticated ‘killer apps’ that overwhelm the defenses of organizations around the globe. Organizations that do not strengthen their defenses will be harmed by the severity of these external assaults, internally and through their supply chain.
In response to the growing demands of users and connected devices of all kinds, reasonably priced gigabit connectivity is becoming more widely available. As billions of devices are connected, there will soon be more ‘data in flight’ that must be managed and protected. Over the next two years, malicious use will increase rapidly, resulting in cascading failures. Supercharged connectivity and related data transport will open up new and previously unfeasible avenues for destructive activity online, increasing financial and reputational liabilities and overwhelming traditional defenses.
It has never been more important for businesses to assess and understand their critical infrastructure in an increasingly connected environment.
Enter the Era of the Internet of Things... and More
Gigabit connectivity represents a significant overnight leap forward, and we can only begin to imagine the ramifications. It will enable the internet of things (IoT) and a new class of applications to emerge that will combine and magnify many of the capabilities we are still trying to master: big data, GPS, personal devices, connected machines, and more.
As William Schrader claims: “Gigabit bandwidth is one of the few real ‘build it and they will come’ moments for new killer apps.”
Connectivity will be so cheap and prevalent that sensors will be embedded everywhere, increasing the flood of data and creating an ecosystem of devices that is nearly impossible to secure. High bandwidth services that are impractical today will become the norm as download speeds increase exponentially.
When combined with the steady growth of processing power and storage, this increased connectivity will allow cyber-criminals and state-sponsored hackers to launch new attacks that will be even more lucrative and difficult to detect than the threats we are currently defending against. As criminal “killer apps” are developed and deployed, businesses, law enforcement, and the legal profession will struggle to keep up.
Highly connected systems will also fuel advances in artificial intelligence. When human decisions are delegated to machines, there are more opportunities for ‘moral outsourcing’: who will be held liable when accidents ultimately occur? An algorithm? At the same time, infrastructure in hyper-connected smart cities will be targeted by botnets and DDoS attacks for a variety of geopolitical or financial motivations.
Given such high levels of interconnectedness, the cascading effects will be felt swiftly throughout all major sectors. For example, attacks on energy or finance infrastructure will also disrupt transportation.
Don’t Forget About Your Supply Chain
As supply chains become increasingly complex and efficiency savings motivate organizations to outsource business processes, service providers will continue to be a primary vector for information security risks. We have not yet developed usable standards for small suppliers, most of which do not have the resources to adequately implement robust cybersecurity measures. This type of third-party vulnerability led to spectacular data breaches at Target in 2013 and Home Depot in 2014, and to many more that didn’t make headlines.
Unfortunately, many suppliers are still complacent about these risks, mistakenly assuming they are too small to make an appealing target and not realizing that they are highly exploitable bridgeheads into their large enterprise partners, the ultimate target. Despite their best efforts to secure intellectual property and other sensitive information, many enterprises have made limited progress in effectively managing supply chain information risk. Too often, data breaches trace back to compromised vendor credentials that were then used to reach the partner organization’s internal networks and, through them, the wider supply chain.
To continuously manage information risks, organizations must map the flow of information and keep an eye on key access points. Knowing at all times (in real time) where data is stored, the criticality of that data to the organization, and who is accessing what data will remain a crucial part of building a more resilient organization and more secure supply chain.
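As an added illustration of the monitoring described above (example code written for this edit, not ISF’s or the author’s), the script below grants each third-party account an explicit scope (systems it may reach, the source network it may connect from, a time window) and checks every access event against it, ranking findings by the criticality of the data behind the system touched. The key=value log format, the vendor account names, hosts, address ranges and every log line are constructed for the example and do not describe any real product or incident.

```python
"""Audit third-party (vendor) account activity against a least-privilege scope.

Added example, not ISF code. Each vendor account gets an explicit scope
(hosts, source network, time window); every access event is checked against
it and findings are ranked by the criticality of the data on the host touched.

Everything below is constructed for illustration: the account names, hosts,
addresses and log lines are hypothetical, and the key=value log format is
made up rather than any particular product's format.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re

# Hypothetical vendor scopes: what each third-party account is allowed to do.
VENDOR_SCOPE = {
    "hvac-vendor": {
        "hosts": {"bms-ctrl-01", "bms-ctrl-02"},         # building management only
        "src": ipaddress.ip_network("203.0.113.0/24"),   # vendor's VPN range
        "hours": (7, 19),                                # 07:00-19:00 UTC
    },
    "payroll-saas": {
        "hosts": {"hr-db-01"},
        "src": ipaddress.ip_network("198.51.100.0/24"),
        "hours": (0, 24),
    },
}

# Hypothetical criticality of the data each host holds (1 = low, 3 = high).
HOST_CRITICALITY = {
    "bms-ctrl-01": 1, "bms-ctrl-02": 1,
    "hr-db-01": 3,
    "pos-db-01": 3,   # cardholder data
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    host: str
    reason: str
    severity: int  # taken from HOST_CRITICALITY; unknown hosts default to 3


def parse(line):
    """Parse one constructed key=value access-log line, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dt"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def check(rec, scope=VENDOR_SCOPE, crit=HOST_CRITICALITY):
    """Return the scope violations for one parsed access record."""
    sev = crit.get(rec["host"], 3)
    s = scope.get(rec["user"])
    if s is None:
        return [Finding(rec["ts"], rec["user"], rec["host"], "UNKNOWN_VENDOR_ACCOUNT", sev)]
    reasons = []
    if rec["host"] not in s["hosts"]:
        reasons.append("HOST_OUT_OF_SCOPE")
    if ipaddress.ip_address(rec["src"]) not in s["src"]:
        reasons.append("SOURCE_NOT_ALLOWED")
    start, end = s["hours"]
    if not (start <= rec["dt"].hour < end):
        reasons.append("OUTSIDE_TIME_WINDOW")
    return [Finding(rec["ts"], rec["user"], rec["host"], r, sev) for r in reasons]


def audit(lines, scope=VENDOR_SCOPE, crit=HOST_CRITICALITY):
    """Check every parseable line; highest-criticality findings first."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count and alert on these
        findings.extend(check(rec, scope, crit))
    return sorted(findings, key=lambda f: (-f.severity, f.ts))


# Constructed sample events (hypothetical).
SAMPLE_LOG = [
    "2014-03-03T09:14:51Z user=hvac-vendor src=203.0.113.7 host=bms-ctrl-01 action=read",
    "2014-03-03T02:31:05Z user=hvac-vendor src=203.0.113.7 host=pos-db-01 action=read",
    "2014-03-03T10:02:17Z user=payroll-saas src=198.51.100.20 host=hr-db-01 action=read",
    "2014-03-03T10:05:44Z user=payroll-saas src=192.0.2.44 host=hr-db-01 action=read",
    "2014-03-03T11:00:00Z user=contractor-x src=192.0.2.9 host=hr-db-01 action=read",
    "garbage line",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"sev={f.severity} {f.ts} {f.user} -> {f.host}: {f.reason}")
```

On the constructed sample the in-scope building-management and payroll events produce nothing, while the vendor account reaching a cardholder-data host at 02:31 yields two findings (host out of scope, outside its window), the payroll account connecting from an unexpected network yields one, and an account with no registered scope at all is flagged outright. The point is that each rule is an explicit statement of what the supplier is allowed to do; an event that cannot be matched to such a statement is the signal.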
The potential impact of a data breach on finances and reputation is significant, and often overlooked until it is too late. Any organization reliant on supply chains must invest in additional security measures and systematically identify the situations where human intervention is a necessity or a liability, and where they need to fully automate their intrusion detection and response capabilities.
Being solidly prepared for the future is obviously preferable to being too late or nearly avoiding disaster. However, even organizations that can absorb the financial burden of comprehensive security preparedness may be unable to get executive support, procurement processes, and technology deployment projects moving quickly enough to find secure footing before the next wave of emerging threats hits.
Managing Information Risk
Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach; it no longer provides the required protection. To build cyber-resilience, organizations must prepare now to deal with severe impacts from unpredictable cyber-threats. Organizations must extend risk management to include risk resilience, making in-depth preparations and plans to manage, respond to and mitigate any negative impacts of cyberspace activity.
Cyber-resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.
What Can You Do to Better Prepare?
Business leaders recognize the enormous benefits of cyberspace and how the internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. That’s why the Information Security Forum (ISF) has designed its new tools to be as straightforward to implement as possible. These ISF tools offer organizations of all sizes an ‘out of the box’ approach to address a wide range of challenges – whether they be strategic, compliance-driven, or process-related.
For example, the ISF’s Standard of Good Practice for Information Security (the Standard) is the most comprehensive and current source of information security controls available. It enables organizations to adopt good practices in response to evolving threats and changing business requirements. The Standard is used by many organizations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from our global member organizations, and trends from the ISF Benchmark, along with major external developments including new legislation.
Executing a Supply Chain Information Risk Management Process
Organizations share valuable information along their supply chains but often do not know how – or even if – it is protected by suppliers. Input from our members indicates that many organizations are only addressing the most obvious risks, because beyond the macro level, risks are hard to identify, complicated to quantify and costly to address. But when organizations do not understand how information is shared and what information and assets suppliers can access, risks are greatly amplified, and resilient incident response is hindered.
In order to be better prepared, organizations should consider all aspects of supply chain information risk and ‘follow the information’. The key to managing information risk in the supply chain is an information-led, risk-based approach: consider the nature of the supply chain, determine what information is being shared with each supplier, and assess the probability and impact of a compromise of that information. With that picture in hand, organizations can balance their information risk management efforts across each risk aspect rather than spreading them evenly.
Organizations should also adopt a robust, scalable and repeatable process to address information risk in the supply chain – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes, so supply chain information risk management becomes part of regular business operations.
Don’t Find Yourself Left in Financial and Reputational Ruin
With the complex threat landscape changing on a daily basis, we’re seeing many businesses get left behind, sometimes after incurring reputational and financial damage. In preparation for making your organization more cyber-resilient, here is a quick recap of the next steps that I believe businesses should implement to better prepare themselves:
- Re-assess the risks to your organization and its information from the inside out
- Change your thinking about the corporate network boundary; don’t rely on trends or historical data
- Revise your information security data access and sharing agreements; question ‘security as usual’
- Focus on the basics: people and technology
- Categorize your information and where it is shared; assess risk across the enterprise and supply chain
- Prepare for the future; be ready to support an evolving network boundary that includes cloud, BYOx, third-party providers, etc.
Organizations of all sizes need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping themselves to better deal with attacks on their business as well as their reputation. This may seem obvious, but the faster you can respond to these problems, the better your outcomes will be.
About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.