THREAT HORIZON 2022
DIGITAL AND PHYSICAL WORLDS COLLIDE

The digital and physical worlds are on an irreversible collision course. By 2022, organisations will be plunged into crisis as ruthless attackers exploit weaknesses in immature technologies and take advantage of an unprepared workforce. At the same time, natural forces will ravage infrastructure.

Invasive technologies will be adopted across both industry and consumer markets, creating an increasingly turbulent and unpredictable security environment. The impact of threats will be felt on an unprecedented scale as aging and neglected infrastructure is attacked and disrupted due to vulnerabilities in the underlying technology. A failure to understand the next generation of workers, the concerns of consumers and the risk posed by deceptive technology, will erode the trust between organisations, consumers and investors.

Organisations will be unable to disentangle the digital from physical and will be forced to respond to a growing blend of threats from new technologies, people and nature. Whilst the prospects of commercial success will be enticing, this hybrid world will bring with it increasing dangers that have devastating consequences for businesses, employees and consumers alike. When digital and physical worlds collide, only organisations that take decisive action will prosper.

Threat Horizon 2022 presents nine potential threats driven by global events and major developments. The report can be used to stimulate discussion and debate with business leaders and stakeholders, analyse the possible impact of future threats and formulate responses. It offers a basis for developing a forward-looking cyber resilience strategy.


THREAT HORIZON 2020 – 2022

Themes:

‒ Invasive technology disrupts the everyday
‒ A crisis of trust undermines digital business
‒ Digital connectivity exposes hidden dangers
‒ Neglected infrastructure cripples operations
‒ Digital cold war engulfs business
‒ Digital competitors rip up the rulebook
‒ Conflict looms
‒ Technology outpaces controls
‒ Pressure skews judgement

2020

1.1 Cyber and physical attacks combine to shatter business resilience
1.2 Satellites cause chaos on the ground
1.3 Weaponised appliances leave organisations powerless
2.1 Quantum arms race undermines the digital economy
2.2 Artificially intelligent malware amplifies attackers’ capabilities
2.3 Attacks on connected vehicles put the brakes on operations
3.1 Biometrics offer a false sense of security
3.2 New regulations increase the risk and compliance burden
3.3 Trusted professionals divulge organisational weak points

2021

1.1 5G technologies broaden attack surfaces
1.2 Manipulated machine learning sows confusion
1.3 Parasitic malware feasts on critical infrastructure
2.1 State-backed espionage targets next gen tech
2.2 Sabotaged cloud services freeze operations
2.3 Drones become both predator and prey
3.1 Digital vigilantes weaponise vulnerability disclosure
3.2 Big tech break up fractures business models
3.3 Rushed digital transformations destroy trust

2022

1.1 Augmented attacks distort reality
1.2 Behavioural analytics trigger a consumer backlash
1.3 Robo-helpers help themselves to data
2.1 Edge computing pushes security to the brink
2.2 Extreme weather wreaks havoc on infrastructure
2.3 The internet of forgotten things bites back
3.1 Deepfakes tell true lies
3.2 The digital generation become the scammer’s dream
3.3 Activists expose digital ethics abuse


The themes and threats included in Threat Horizon 2022 are summarised below, along with recommendations arising from the full report.

THEME 1: INVASIVE TECHNOLOGY DISRUPTS THE EVERYDAY

1.1 Augmented attacks distort reality
Augmented reality (AR) technologies will usher in new immersive opportunities for business, but attackers will be able to compromise the privacy and safety of individuals when systems and devices are exploited.

Recommendation: Risk assess AR devices and software, providing work-arounds in the case of compromise.

1.2 Behavioural analytics trigger a consumer backlash
Organisations using a connected nexus of devices to develop behavioural analytics will face intensifying scrutiny as the practice is deemed invasive and unethical.

Recommendation: Create transparency over data gathering practices and understand legal and contractual exposures on harvesting, re-purposing and selling data.

1.3 Robo-helpers help themselves to data
Poorly secured, network connected, and sensor-rich semi-autonomous robots used in the workplace will be weaponised by attackers, committing acts of espionage and stealing intellectual property.

Recommendation: Segregate access between robo-helpers and the corporate network, monitoring specific robo-helpers for signs of fraudulent or dangerous activities.

THEME 2: NEGLECTED INFRASTRUCTURE CRIPPLES OPERATIONS

2.1 Edge computing pushes security to the brink
Edge computing for IoT-enabled industrial processes will be a natural architectural choice for organisations but will also become a key target for attackers, creating numerous points of failure and losing many benefits of traditional security approaches.

Recommendation: Generate a hybrid security approach incorporating both cloud and edge computing, reviewing physical security for edge computing environments in the context of operational resilience.

2.2 Extreme weather wreaks havoc on infrastructure
Extreme weather events will increase in frequency and severity, with organisations feeling the impact on their digital and physical assets, pushing business continuity and disaster recovery plans to breaking point.

Recommendation: Review risk exposure to extreme weather events, considering the location and relocation of strategic assets and transferring risk to cloud or outsourced service providers.

2.3 The Internet of Forgotten Things bites back
The risks posed by multiple forgotten or abandoned Internet of Things (IoT) devices will emerge across all areas of the business as attackers discover and exploit poorly secured, unpatched, network-connected devices.

Recommendation: Incorporate IoT into the IT sourcing strategy, ensuring a rigorous procurement procedure; create an IoT asset inventory and run an active decommissioning programme.

THEME 3: A CRISIS OF TRUST UNDERMINES DIGITAL BUSINESS

3.1 Deepfakes tell true lies
Digital content that has been manipulated by artificial intelligence will be used by malicious parties to create hyper-realistic digital clones of senior executives, spreading mis-information and undermining trust in digital business.

Recommendation: Incorporate an understanding of deepfakes into security awareness programmes and protect against related scams such as CEO fraud.

3.2 The digital generation become the scammer’s dream
The next generation of employees will start to enter the workplace, introducing radically different attitudes to information security and undermining investments in security education.

Recommendation: Review and update social media policy to reflect changing generational attitudes to information protection, creating tailored training and awareness materials.

3.3 Activists expose digital ethics abuse
Activists will begin targeting organisations they consider to be failing to demonstrate an ethical digital stance, exposing abusive behaviours regarding the technologies they develop and who they are sold to.

Recommendation: Formulate a code of ethics relating to information and technology use and incorporate ethical dimensions into information risk assessments.


WHERE NEXT?

We recommend that ISF Members:

‒ review the threats in Threat Horizon 2022, identifying those that are of high priority

‒ use ISF Live to become familiar with the techniques ISF Members have used to implement Threat Horizon

‒ consider how the contents of Threat Horizon can be adapted to work best within your organisational culture, for example to: develop a forward-looking cyber resilience strategy; enable threat analysis and formulation of potential impacts and responses; brainstorm risk treatments.

‒ use the ISF Threat Radar with business leaders to help categorise and prioritise threats and actions: particularly when time and budgets are limited

‒ work with other organisations to collaborate on threat intelligence and strategies

‒ give careful consideration to the ISF resources in this report including: Delivering an Effective Cyber Security Exercise – Briefing Paper, The Standard of Good Practice for Information Security 2018, Protecting the Crown Jewels: How to secure mission-critical information assets, IRAM2, Industrial Control Systems: Securing the systems that control physical environments, Using Cloud Services Securely: Harnessing core controls, Human-Centred Security – Briefing Paper, Securing the IoT – Briefing Paper, Demystifying Artificial Intelligence in Information Security – Briefing Paper, Establishing a Business-Focused Security Assurance Programme: Confidence in controls.

ISF Consultancy offers customised Threat Horizon services for your organisation, helping to: make a detailed assessment of business objectives, opportunities and constraints; analyse threats and manage information risk; improve engagement across the business. For further details contact: [email protected]

CONTACT

For further information contact:

Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 [email protected]

ABOUT THE ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

DISCLAIMER

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you make of the information contained in this document.

REFERENCE: ISF 20 01 02 | CLASSIFICATION: Public, no restrictions
©2020 Information Security Forum Limited