Threat Horizon 2016 On the edge of trust

Threat Horizon 2016 - Information Security Forum · 2013-09-16


Warning
This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct.

If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected].

Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited.

This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification
Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the report from the ISF.

Published by
Information Security Forum Limited
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
Web: www.securityforum.org

Project team
Victoria Melvin
Mathieu Cousin

Review and quality assurance
Steve Thorne

Design
Louise Liu
Adam Cheeseman


Contents

1. On the edge of trust 1
   Actions to take NOW 1
2. Communicating threats to senior management 3
3. How to use this report 4
   Audience for this report 4
4. What's on the horizon for 2016? 5
   No-one left to trust in cyberspace 7
     1. Nation-state backed espionage goes mainstream 8
     2. A Balkanized Internet complicates business 10
     3. Unintended consequences of state intervention 12
   Confidence in accepted solutions crumbles 14
     4. Service providers become a key vulnerability 15
     5. Big data = big problems 17
     6. Mobile apps become the main route for compromise 19
     7. Encryption fails 21
   Failure to deliver the cyber resilience promise 23
     8. The CEO gets it, now you have to deliver 24
     9. Skills gap becomes a chasm 26
     10. Information security fails to work with new generations 28
5. Conclusion 31
Appendix A. Revisiting predictions from 2014 and 2015 32
Appendix B. ISF Threat Heat Map 36
Appendix C. ISF Threat Radar 38
Appendix D. About this report 41
Acknowledgements 43


[Figure: threats from Threat Horizon 2014, 2015 and 2016, ten per year, mapped around 'Your Organisation' as internal, external and regulatory threats. Legible threat titles: 2014 threats 'The cyber arms race leads to a cyber cold war', 'More causes come online', 'an outsourced mess', 'the insider threat comes from outside' and 'Cyber criminality increases as Malspace matures further'; 2015 threats ending 'uncertainty and doubt', 'exposure' and 'do it for you'; 2016 threats 'A Balkanized Internet complicates business', 'Unintended consequences of state intervention' and 'Mobile apps become the main route for compromise'. Call-outs: 'Cyber risk is challenging to understand and address', 'Reputation is a new target for cyber attacks', 'Criminals value your reputation', 'The changing pace of technology doesn't help', 'The role of government must not be misunderstood'.]


1. On the edge of trust

A common business mantra is "trust…but verify". However, it's not possible to verify everyone and everything in cyberspace, so in order to operate successfully organisations have had to rely on trust more than they may have wanted. They've trusted their governments to hold their citizens' best interests at heart; their technical tools to work as described, to both underpin and add value to their efforts; and their people to navigate a safe way through.

Yet by the end of 2013, revelations about how governments had been surrendering commercial and personal privacy in the name of national security – compounded by a number of seismic economic and technical developments – had left that trust very badly shaken.

The outcome? Organisations are coming to the realisation that what they have trusted and taken for granted for so long must now be re-assessed.

So if this is 'now', how will things look by 2016? How will new threats coming over the horizon complicate matters even further? Just what will organisations be able to trust? And most importantly, are they powerless or can they do something now? After all, walking away from cyberspace is not an option.

Actions to take NOW
The short answer to the questions above is that things will change, and probably for the worse. The good news is that there are actions that can be taken now to counter this disintegration of trust and sustain organisational cyber resilience.

The remainder of this report describes ten threats that organisations need to track closely in the period up to 2016. Each threat is described in detail and accompanied by a number of possible actions that organisations should consider as a minimum. However, there are three over-arching actions that organisations need to take right now to protect their operations and brand, and minimise data leakage.

The first action is to re-examine the assumptions the organisation has made about the Internet and adapt its cyber resilience to this new paradigm. For example, one of the threats describes how a key component of Internet security – encryption – may fail to hold up. This points to the need to act now: waiting for the hammer to fall is not an option.

Cyber criminals out in front: financial losses relating to cybercrime

• US$21bn: losses related to identity theft in 2012 in the US [1]
• US$2bn: estimated total annual losses to phishing [2]
• US$8.9m: average annualised cost of cyber breaches for 56 benchmarked organisations [3]
• 18%: increase in average financial losses associated with security incidents from 2012 to 2013 [4]

[1] "More than 12 million identity fraud victims in 2012 according to latest Javelin Strategy & Research Report", 20 Feb 2013, https://www.javelinstrategy.com/news/1387/92/1
[2] McAfee, "The economic impact of cybercrime and cyber espionage"
[3] Ponemon Institute, "2012 Cost of Cyber Crime study", http://www.ponemon.org/library/2012-cost-of-cyber-crime-study
[4] "Global State of Information Security 2014", PwC


Secondly, resilience to the ongoing threats of operating in cyberspace must be reassessed regularly, because:

• Cybercriminals are still well ahead of information security professionals. [1] The bad guys are getting better quicker, while the good guys often struggle merely to respond. The situation is made worse by cybercriminals having no budget restrictions, nor having to conform to legislation or comply with regulations – an increasing burden for organisations.

• The cost of investigating, managing and containing incidents will rise [1] as they grow more complex and regulators' demands increase.

• The insider threat will continue to challenge organisations, because people will remain the weakest link in information security. Whether it is through deliberate or inadvertent actions, organisations will still face threats from within.

Finally, it's highly unlikely that governments will tidy up the mess they have made before 2016 comes round, so organisations need to give immediate consideration to additional actions they may wish to take to counter possible impacts from the recent disclosures.

To succeed, the CISO and the information security function will need support from senior business management. This report – which contains a business-oriented view of threats that may affect an organisation over the next two years – offers an excellent starting place for the CISO to win that support.

[1] 'Global State of Information Security 2014', PwC

2. Communicating threats to senior management

Information risk is an important element of enterprise risk, and threats to information need to be translated into business risks and dealt with in the same way. ISF research showed that business leaders across industry sectors share many concerns, which have been distilled into the top ten list of 'business concerns' shown below. While the emphasis is likely to change from organisation to organisation, information security has a role to play in all of them.

Business concerns and what they mean

Fostering a digital presence: How to gain value from a digital presence while managing related risks to brand and reputation. This requires safeguarding a positive brand image on the Internet.

Managing the supply chain: The planning and control of all processes and information across the supply chain. [2] The supply chain's business-critical elements need strong oversight given the complexity and organisations' ever-growing reliance on external suppliers for core business processes.

Mitigating economic uncertainty: Long-term business decisions depend on a reliable economic outlook, something that has been difficult to forecast since the global downturn of 2008/9. Economic uncertainty affects confidence, thereby delaying investment and growth decisions. [3]

Behaving ethically: The way a company conducts itself and conforms to the basic rules of the society it operates in, [4] sometimes referred to as corporate social responsibility. This is often difficult to define for organisations operating across different geographies and cultures, as 'ethical' behaviour can be subjective.

Complying with regulation: Concerns over the increasingly complex regulatory and legislative environment, in particular for those organisations that operate across multiple jurisdictions. Failure to comply can have serious financial and reputational costs.

Narrowing the skills gap: The gap between the skills available in the marketplace and those demanded by organisations remains significant. This could be a result of a training and education deficit, or of the desired skillsets being undervalued. Failure to get the 'right' people can hamper innovation and organisational growth.

Going green: Sustainability of business practices is often defined as managing the triple bottom line, a process where companies manage their financial, social and environmental risks, obligations and opportunities. These three impacts are sometimes referred to as profits, people and planet. [5]

Exploiting the consumerisation of IT: The growing trend for IT innovation to emerge in consumer spaces before shifting into the workspace is a relatively new concern for the business. [6] There is a need to balance the speed with which new technology can be integrated into daily working practices while being sensitive to users' needs.

Avoiding corporate espionage: Corporate espionage is conducted for commercial purposes. Organisations can suffer monetary losses from stolen corporate secrets and intellectual property. Conversely, those caught spying can face business-limiting fines and severe reputational damage.

Leveraging emerging vs developed markets: Relatively cheap input costs in emerging markets are putting developed markets and those operating in them at a disadvantage. At the same time, emerging markets are facing the pressures of rising input costs, which will eventually be passed on to the buyer.

The most impactful of the above business concerns are matched to the threats in this report with a description of how they relate to each other. CISOs can use these to help understand senior management's immediate concerns and shape the conversation from this perspective.

[2] Financial Times Lexicon, 'Definition of supply chain management', http://lexicon.ft.com/Term?term=supply-chain-management
[3] Federal Reserve Bank of Kansas City, 'Recession Lesson: Navigating the fear of the unknown', http://www.kc.frb.org/publicat/education/teachingresources/RecessionLesson-EconomicUncertainty.pdf
[4] Milton Friedman, 'The Social Responsibility of Business is to Increase its Profits', The New York Times Magazine, 13 September 1970, http://www.umich.edu/~thecore/doc/Friedman.pdf
[5] Financial Times Lexicon, 'Definition of business sustainability', http://lexicon.ft.com/term?term=business-sustainability
[6] David Moschella, Doug Neal, Piet Opperman and John Taylor, CSC, 'The "Consumerization" of Information Technology'

3. How to use this report

The ISF's annual Threat Horizon report helps organisations to better prepare for the future. It does this by anticipating threats to information security in an interconnected, always-on world. It lists ten threats, but also adds value by encouraging people to think of other threats relevant to their organisation. With this insight, organisations can better understand and manage their information risk, and so get ahead of the competition.

The Threat Horizon 2016 report is accompanied by supplementary materials to help information security professionals evaluate the threats in this report and translate them into risks for their organisations. These are the updates to the 2014 and 2015 threat projections, the ISF Threat Heat Map, and the ISF Threat Radar. One way in which these deliverables may be used together is shown below:

[Figure: how the deliverables fit together. The Threat Horizon 2016 report ('On the edge of trust', January 2014) feeds the ISF Threat Heat Map, a likelihood (very low to very high) versus impact (very low to very high) grid on which threats from Threat Horizon 2014, 2015 and 2016 are plotted (legible examples: 'Governments and regulators won't do it for you', 'The CEO doesn't get it', 'Unintended consequences of state intervention', 'Cyberspace gets physical', 'Supply chain springs a leak', 'Cost pressures stifle critical investment', 'New technologies overwhelm'), and the ISF Threat Radar, which plots each of the ten 2016 threats by impact against ability to manage (very low, low, medium, high, very high).]

Audience for this report
This report is aimed at the Chief Information Security Officer (CISO) or equivalent. It helps the CISO to inform senior business executives of the cyber threats that could have an impact on their organisation.

It will also be of interest to anyone who has a strong desire to link business risk to cyber risk, including information security professionals, business managers, risk managers and internal auditors.

The CISO is also recommended to:

• identify and evaluate applicable threats to their organisation in the context of the organisation's most valuable assets
• prepare the organisation to manage tomorrow's risks today
• consider the recommendations suggested in this report along with their own approaches to treating risks
• share the Threat Horizon 2016 report with senior management, and with other functions including risk management professionals, risk committees and business continuity planning teams
• seek guidance in the ISF Standard of Good Practice for Information Security for standards that can help build a solid security baseline, and use the ISF Benchmark tool to assess the extent to which the Standard has been applied
• join the active Threat Horizon community on ISF Live to share thoughts, information, articles and to debate the findings in this report.


4. What's on the horizon for 2016?

This report sets out the top 10 threats to information through 2016. Primary analysis of the data gathered for this report resulted in an overarching theme of trust that increasingly concerns ISF Members: trust in governments to protect citizens' interests, trust in accepted solutions to deliver what is promised, and trust in people to do the right thing.

Further analysis led to a categorisation of threats based on an assessed level of ability to mitigate; the remainder of the report refers to these categories as themes:

Theme: Ability to mitigate
1. No-one left to trust in cyberspace: Marginal
2. Confidence in accepted solutions crumbles: Moderate
3. Failure to deliver the cyber resilience promise: High

Although organisations may have little control over threats related to the first theme, it is important to have an understanding of global developments, as they can have very real impacts on the way organisations operate.

This report is laid out with a short explanation of each theme and its related threats. Each threat is presented in the following format:


Why does this threat matter?
A short overview of what the threat is and why it is important.

The rationale
An in-depth description and rationale behind why this threat matters and why it will be relevant for information security by 2016, with supporting evidence.

Articulating this threat for senior management
Links business concerns to the threat, describing why a senior business leader might be interested.

Review the following ISF material
References relevant ISF materials that can provide guidance for the reader.

Recommendations and tips
Suggests how information security professionals can prepare for the threat.


Theme 1: No-one left to trust in cyberspace

Revelations that governments and their agencies are monitoring voice and data communications, and cracking encryption algorithms through 'backdoors', have fundamentally undermined trust in cyberspace. The assumption that governments would keep citizens' best interests in mind when balancing national security against privacy concerns turned out to be misplaced.

Nation states and governmental organisations are attempting to counteract the repercussions from the Snowden revelations while at the same time showing few signs of winding down espionage activities. In order to demonstrate they are in control, they will swing the pendulum between over-reacting and putting in place excessively restrictive rules and regulations, and taking a series of watered-down actions to ease public anxiety. Whichever way the pendulum swings, doing business on the Internet is likely to be more complicated and result in increased transaction costs.

Threats associated with this theme

These threats merit particular consideration, as early attention will enable an organisation to strengthen its resilience. The threats associated with this theme are highlighted below.

Earlier threats that will compound the pressure in 2016

Threat Horizon 2014 highlighted that the cyber arms race would lead to a cold war. Rather than cold, this 'war' has turned hot, with more governments developing offensive cyber capabilities. Threat Horizon 2015 predicted that governments and regulators would demand more of organisations in preparing for cyber threats, yet would offer little direct guidance. In this report, government activities further complicate the way organisations operate in cyberspace.

[Figure: the 2014/2015/2016 threat map around 'Your Organisation' (internal, external and regulatory threats), with the threats associated with this theme highlighted. Numbered nodes visible: 2014 threats 1 to 4 (legible titles include 'The cyber arms race leads to a cyber cold war', 'More causes come online' and 'Cyber criminality increases as Malspace matures further'), 2015 threats 4, 5, 6 and 10 (legible fragments 'uncertainty and doubt' and 'do it for you'), and 2016 threats 1 to 3 (nation-state backed espionage goes mainstream, a Balkanized Internet complicates business, unintended consequences of state intervention).]

1. Nation-state backed espionage goes mainstream

Why does this threat matter?

Revelations about the extent of governmental intervention in the Internet have fundamentally changed perceptions of cybersecurity for everyone. The workings behind what was once a secretive industry, apparently conforming to democratic checks and balances, are out in the open. Disclosures of the US National Security Agency (NSA)'s activities signalled that large-scale state-sponsored espionage is acceptable. Governments and non-governmental organisations will deepen their espionage capabilities, and those that haven't been active in this space will be incentivised to invest.

Organisations will be targeted by nation-state backed actors with large budgets and varying agendas – all with little legal recourse. The result will be an even more unruly cyberspace trading environment, characterised by more actors, more attempts at espionage or other malicious activities and, likely, the theft and exploitation of these new tools by criminal organisations.

The rationale

The list of states funding armies of hackers to spy on domestic and foreign targets has expanded beyond the usual suspects. It is no longer limited to China, Iran, North Korea and Syria, but now includes democratic states such as the US, UK, France and Japan. What became clear in 2013 is that states capable of funding espionage activities were doing so.

The Verizon Data Breach Investigations Report showed that "state-affiliated actors tied to China are the biggest mover in 2012", with 21% of breaches attributed to government-sponsored actors. [7] The list of state-affiliated actors will continue to expand over the coming years as more governments invest in espionage capabilities. The US and Russia already host more malware than China, and it is likely governments will get more involved in this game. [8]

[Chart: 'State-affiliated actors set to become more prominent actors'. Data breaches by categorised external actor (organized criminal group, state-affiliated, unaffiliated person(s), unknown), shown as the percentage of data breaches perpetrated by external actors for 2011, 2012 and 2013 on a 0 to 100% scale. Source: Verizon Data Breach Investigations Report.]

[7] Verizon, 'Data Breach Investigations Report', 2013
[8] Dennis Fisher, 'U.S. and Russia–Not China–Lead List of Malicious Hosting Providers', Threat Post, 27 March 2013, http://threatpost.com/us-and-russia-not-china-lead-list-malicious-hosting-providers-032713


What's more, organisations that hold vast amounts of customer information will still play a key role in governments' espionage activities, whether they are coerced openly through legislative and regulatory obligations, or whether authorities use ulterior methods to gain access to these organisations' information stores. The reputational damage and stigma of cooperation could impact their ability to attract new business, while it will also become increasingly difficult for organisations to build and manage a credible digital agenda.

Articulating this threat for senior management

Behaving ethically: Operating 'responsibly' in such an unruly environment will be difficult. Organisations will have to maintain customers' confidence in the business's operating practices whilst under attack from an increasingly varied set of actors.

Complying with regulation: The regulatory landscape will become more complex as governments attempt to calm public concerns over their activities in cyberspace.

Avoiding corporate espionage: Competitors will make use of the burgeoning privatised espionage industry, out of reach of legal frameworks, complicating operations and damaging trust between organisations, partners and customers.

Recommendations and tips

• Organisations should reinforce basic information security arrangements. This means understanding what and where the most critical information assets are, their key vulnerabilities, and the main threats against them. Standards and controls should be in place to mitigate the associated risks to these assets. Going up against a nation-state backed adversary is not a fair fight.
• Make sure the organisation is up to date with government activities in all jurisdictions in which it operates – and in other important jurisdictions (eg markets and outsourcing locations).
• Participate in threat intelligence sharing forums and build relationships with other organisations within and across industry sectors.
• Reinforce background checks on people in key positions. Cultivate a culture of information risk to build information security capabilities within the organisation. Ensure appropriate information security knowledge and awareness is in place across the organisation.

Review the following ISF material

• Cyber Security Strategies: Achieving Cyber Resilience
• You Could Be Next: Learning From Incidents To Improve Resilience
• Security Awareness (Coming soon)


Why does this threat matter?

Organisations will no longer be able to depend on a free and open Internet as governments attempt to govern their corners of the Internet. Nation-states have already attempted to introduce governance of the Internet via the International Telecommunications Union (ITU), the United Nations and the Internet Governance Forum, to name a few. This will prove unsuccessful and in its place governments and regional blocs will attempt to standardise these norms at national and regional levels.

This increased government involvement will undermine the perception of a free and open Internet, resulting in a less predictable Internet for conducting business, a more complex regulatory and legislative environment, and reduced access to markets.

The rationale

Certain elements of the Internet are governed by consent (ie domain names), but there is currently no agreement on how or whether to take Internet governance forward. National governments and regional power blocs, frustrated by this lack of global progress and seeking to calm public anxiety, will attempt unilateral action to impose rules and regulations on their own parts of the Internet.

Governments affected by the 2013 espionage disclosures have called for an agreed-upon approach to Internet governance. The Center for International Governance Innovation (CIGI) views the current approach to global Internet governance as unsustainable. CIGI stated in 2013: “coherent strategies are needed to ensure that difficult trade-offs between competing interests, as well as between distinct public values, are managed in a consistent, transparent and accountable manner that accurately reflects public priorities.”9

Fractured governance threatens the open Internet

9 Leila Abboud and Peter Maushagen, Centre for International Governance Innovation, ‘Organized Chaos: Reimagining the Internet’, http://www.cigionline.org/activity/organized-chaos-reimagining-Internet

Threat 2: A Balkanized Internet complicates business

What’s on the horizon for 2016?


World leaders will use the rhetoric of ‘local’ or ‘closed’ Internets to bolster public trust, but this will further erode organisations’ confidence in a free and open Internet. For example, an increasing number of democratic states are calling for either local Internets or formal Internet governance: Germany has stated its desire for a local Internet shielded from foreign intelligence services;10 Brazil has led the rally for the United Nations to take a more active role in Internet governance.11

Organisations need to give regular consideration to what they can rely on and what they can’t. In practice, organisations will face higher transaction costs (ie regulatory, legislative and legal), especially where activities cross national boundaries.

Articulating this threat for senior management

Fostering a digital presence

Building and sustaining an online presence in a cost-effective way while governments take a fractured approach to Internet governance will become more difficult. Recurring rhetoric around ‘local’ Internets will also raise uncertainty about operating in cyberspace – whether it is followed through or not.

Behaving ethically

Operating across jurisdictions without falling foul of public opinion will become increasingly difficult as varying local authorities begin to dictate, and the public start to develop differing expectations of corporate social responsibility in their corners of the Internet.

Complying with regulation

Organisations will have to operate in an increasingly complex regulatory landscape, particularly across borders, as national governments put in place legislation and regulation to control their perceived corners of the Internet.

Recommendations and tips

It is important to stay up-to-date with regulatory and legislative developments related to cyberspace across the jurisdictions the organisation operates in. This is no easy feat as these approaches become more localised. However, some tips for CISOs to prepare are:

• Carry out a risk assessment to identify the organisation’s most important assets, where the information is held and other relevant threats to these assets.

• Coordinate and maintain partnerships for information sharing across industry sectors to support cyber resilience.

• Participate in government-sponsored initiatives to influence current and future cyber security regulation and associated activities.

• Engage in current multi-stakeholder governance processes, for example through the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet Engineering Task Force (IETF), or the Internet Governance Forum (IGF).

Review the following ISF material

• Cyber Security Strategies: Achieving Cyber Resilience
• You Could Be Next: Learning From Incidents To Improve Resilience

10 Leila Abboud and Peter Maushagen, ‘Germany wants a German Internet as spying scandal rankles’, Reuters, 25 October 2013, http://www.reuters.com/article/2013/10/25/us-usa-spying-germany-idUSBRE99O09S20131025

11 Brian Winter, ‘Brazil’s Rousseff targets Internet companies after NSA spying’, Reuters, 12 September 2013, http://www.reuters.com/article/2013/09/12/net-us-usa-security-snowden-brazil-idUSBRE98B14R20130912


Why does this threat matter?

Conflicting official involvement in cyberspace will create the threat of collateral damage and have unforeseen implications and consequences for all organisations reliant on it. Varying regulation and legislation will restrict activities whether or not an organisation is the intended target.

Governments’ Draconian implementation of these varying regulations and legislation will lead to operational disruptions in organisations’ supply chains. Those affected will have little recourse because of a lack of legal clarity in cyberspace.

The rationale

Expanding connectivity will keep governments concerned over cyberspace. Malspace, the dark side of cyberspace, persists and many actors are stepping up Internet policing activities in response to rising public awareness. Legal authorities will struggle to keep pace with the rapidly changing landscape and will impose backwards-looking legal frameworks.

In this situation, the lowest common denominator of harsh regulations and legislation will impact everybody, not just those at whom the changes are targeted. The overzealous implementation of these measures will directly affect organisations and/or their suppliers, restricting operational activities.

Below are some high-profile examples where legitimate businesses were taken offline or the availability of their information seriously compromised as a result of official intervention:

• Pakistan blocked access to YouTube for more than two-thirds of users globally in 2008 after attempting to block national use.12 This situation highlights how difficult it is for governments to implement stricter control over the Internet and how the level of hyperconnectivity causes unknown knock-on effects.

• Popular social websites Pinboard and Eater were taken offline in June 2011 when the FBI raided the datacentre owned by Swiss company DigitalOne. The company claimed that services were disrupted as a result of the FBI taking ‘more server racks than required’ in a search that involved a single client.13

• The 2012 US government shutdown of file sharing site MegaUpload meant that almost 11 million legitimate files were blocked.14

• Groklaw halted operations in August 2013, citing the mere potential for government pressure as making the Internet a less desirable place to do business.15

Random hazard will disrupt business

12 Peter Svensson, ‘Pakistan causes YouTube outage for two-thirds of world’, ABC News, 25 February 2008, http://abcnews.go.com/Technology/story?id=4344105&page=1&singlePage=true
13 Adrian Covert, ‘F.B.I. Raids Data Center, Seizes Servers, Knocks Big Sites Offline’, Gizmodo, 21 June 2011, http://gizmodo.com/5814238/fbi-raids-data-center-seizes-servers-knocks-big-sites-offline
14 ‘Megaupload file-sharing site shut down’, BBC News, 19 January 2012, http://www.bbc.co.uk/news/technology-16642369
15 Pamela Jones, ‘Forced Exposure’, Groklaw, 20 August 2013, http://www.groklaw.net/article.php?story=20130818120421175

Threat 3: Unintended consequences of state intervention


The lack of legal clarity in this space leaves little recourse for impacted organisations: for instance, an organisation that has its headquarters in Frankfurt, the bulk of its operations in Mexico and data centres spread over Nigeria, Indonesia and India will need to be continually up-to-date on the regulatory environments in all of these locations – backed by a sound understanding of their political, economic and business climates.

Even if an organisation is fully aware of these developments, this will not necessarily protect it against shutdowns of suppliers’ operations. An outsourced data centre may be closed down on suspicion of hosting malicious sites, compromising information availability. The organisation would be left with little clarity around the circumstances, or indeed the expectation of a quick resumption of service.

Articulating this threat for senior management

Fostering a digital presence

Maximising value from cyberspace could be more challenging with the looming threat of collateral damage.

Complying with regulation

Organisations operating across multiple jurisdictions must be attuned to changing political and economic environments and how these could affect the laws and regulations covering their operational activities.

Managing the supply chain

It is difficult to know where services are provided from, which legal and regulatory environment is applicable, and which service providers may be the potential weak points or attractive targets for cybercriminals.

Recommendations and tips

This threat is inherently random. There is no way to know when this might affect an organisation, if at all. This randomness underlines the need for organisations to build their resilience and implement proportional security measures in the event that it materialises. Some actions organisations could take today include:

• Know where the most valuable information assets are and how long it will take to get back to full operational capacity in the event of disrupted access to them.

• Formulate and test the business continuity and disaster recovery plans in place.

• Duplicate critical processes across providers to remove single points of failure.

• Continually assess service providers and be clear what is contracted for and the level of recourse, if any, the organisation will have with the provider in the case of service disruption.

• Work closely with public relations and marketing functions to prepare a message for customers in the event that customer-facing interfaces are taken offline.

Review the following ISF material

• Cyber Security Strategies: Achieving Cyber Resilience
• You Could Be Next: Learning From Incidents To Improve Resilience
• Securing The Supply Chain: Preventing Your Suppliers’ Vulnerabilities From Becoming Your Own
• Supply Chain Assurance Framework (SCAF) (coming soon)


Theme 2: Confidence in accepted solutions crumbles

Virtually every organisation relies on a standard set of solutions to enable day-to-day operations. These include outsourcing and cloud offerings. It’s right they should – there’s no point re-inventing the wheel every time – and it’s also only normal to expect that the drive to cut costs and increase value will push non-core business processes out of the organisation.

Growing hyperconnectivity will lead many organisations to increase their dependence on these accepted solutions. However, they will become increasingly unreliable. So are you prepared with alternatives if the things you’ve built your trust around come crashing down?

Threats associated with this theme

The four threats grouped in this theme all relate to solutions organisations rely on to deliver goods and services. The theme questions whether that reliance is well-placed.

Earlier threats that will compound the pressure in 2016

The Threat Horizon 2014 report explained how an ever-greater inflow of new technologies and solutions, and a fundamental lack of understanding about the implications of these, would overwhelm information security professionals. This matures in Threat Horizon 2015 as even more technologies and usages lead to an increased dependence on security solutions and outsourcing to manage the associated risk. By 2016 those service solutions that information security specialists and organisations have come to rely on for many critical business processes will be less helpful than anticipated.

[Figure: diagram mapping earlier Threat Horizon threats (2014 threats 8, 9 and 10; 2015 threats 3, 8 and 9) to the 2016 threats in this theme (4, 5, 6 and 7). Threat titles legible in the figure: A clouded understanding leads to an outsourced mess; The supply chain springs a leak as the insider threat comes from outside; New technologies overwhelm; Service providers become a key vulnerability; Big data = big problems; Mobile apps become the main route for compromise; BYOC (bring your own cloud) adds unmanaged risk; Bring your own device further exposure. The diagram is framed by the Threat Horizon categories Internal threats, External threats and Regulatory threats around ‘Your Organisation’, with the labels: Cyber risk is challenging to understand and address; Reputation is a new target for cyber attacks; Criminals value your reputation; The changing pace of technology doesn’t help; The role of government must not be misunderstood.]


Why does this threat matter?

Service providers will come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability. What’s more, the rationale behind efficiencies gained from outsourcing business processes will come into question as popular offshoring locations become more expensive and/or politically unstable. At the same time, it may be prohibitively expensive for some organisations to consider ‘reshoring’.

The rationale

Organisations have deepened their dependency on external parties for business-critical processes. But the underlying drive for cost reduction will come into question as direct and indirect input costs in perceived ‘cheaper’ countries increase in line with higher income expectations in these preferred locations. Rising political risk in some of these locations will compound the problem – India’s star is already fading as a popular IT offshoring destination for both these reasons.16

Many business critical services still outsourced

Responses to the question “are you likely to increase or decrease your outsourcing activity across the following areas in the next 12 months?” (Source: HfS Research 2013, KPMG)

Area                                        First time   Increase scope   Stay the same   Decrease scope   No plans
Application development and maintenance     9%           39%              37%             6%               9%
IT infrastructure outsourcing               10%          29%              40%             6%               15%
Document and print operations outsourcing   10%          19%              47%             3%               21%
Procurement and sourcing outsourcing        9%           17%              30%             5%               39%
Industry specific processes                 4%           17%              30%             4%               45%
Knowledge process outsourcing               8%           16%              26%             2%               48%
Analytics                                   6%           15%              26%             1%               52%

While the threats from outsourcing have been around for a while, it is senior management’s awareness of the degree of exposure that will increase. This awareness – along with visibly rising costs for these offshore arrangements – could result in increased attention on reshoring. In many cases, organisations may find themselves trapped in contracts or unable to source the right skills and expertise to move processes back in-house.

16 Narendar Pani, ‘India too expensive for business’, The Hindu Business Line, 6 February 2013, http://www.thehindubusinessline.com/opinion/columns/narendar-pani/india-too-expensive-for-business/article4386597.ece

Threat 4: Service providers become a key vulnerability


Cybercriminals and hacktivists will increasingly target managed service providers, particularly those offering cloud services, as an indirect way to access an organisation’s information.17 Finally, the contracting organisation may find itself in crisis if the business continuity plans, particularly for offshore providers, aren’t as robust as they claim.

Articulating this threat for senior management

Managing the supply chain

Supply chain management is more difficult when service providers are key targets for cybercriminals. It requires more stringent due diligence and explicit contracts. Otherwise expect disruptions and information loss.

Mitigating economic uncertainty

Economic uncertainty in offshored locations could lead to sudden changes in legal, regulatory, tax and political environments, affecting both strategic business decisions and information security obligations.

Behaving ethically

Organisations may find themselves held accountable for operational failures of suppliers, including managed service providers.

Recommendations and tips

Information security specialists should work closely with those in charge of contracting for services to conduct thorough due diligence on potential arrangements. It is imperative that organisations have robust business continuity plans in place to boost both resilience and senior management’s confidence in the functions’ abilities. Tips to build this resilience are:

• Identify critical information assets and where they are located.

• Identify critical suppliers and ensure the ability to continue is in place in the event their operations are disrupted.

• Foster strong working relationships with service providers with the aim of becoming partners.

• Be clear on what contracts are in place for what services.

• Understand clearly which legal jurisdictions govern the organisation’s information.

• Work with procurement or other business units responsible for contract management to ensure information security arrangements are included in the contract.

Review the following ISF material

• Securing The Supply Chain: Preventing Your Suppliers’ Vulnerabilities From Becoming Your Own
• Supply Chain Assurance Framework (SCAF) (coming soon)

17 European Union Agency for Network and Information Security, ‘Interim report: Top Cyber Threats - smarter targeted attacks, mobile threats, and social media identity thefts by cyber-criminals using Cloud services’, 19 September 2013, http://www.enisa.europa.eu/media/press-releases/interim-report-top-cyber-threats-smarter-targeted-attacks-mobile-threats-and-social-media-identity-thefts-by-cyber-criminals-using-cloud-services


Why does this threat matter?

Organisations will make important business decisions based on flawed or poorly analysed data analytics. Their failure to respect the human element of data analytics will put the organisation at risk of overvaluing big data output. Poor integrity of the information sets used can mean their analysis leads to bad business decisions, missed opportunities, brand damage and lost profits.

The rationale

Big data has gone beyond a buzzword for businesses and is rapidly becoming embedded in the way organisations operate and make decisions. One example of this is how organisations are using social media sites to gather information on people’s perceptions of their products in order to better market to different demographics. However, according to Useful Social Media, a business intelligence company devoted to social media, the western sites Facebook, Twitter and LinkedIn represent the top three social media sites that corporates use to source this data.18 Yet these sites are not necessarily the top sites in emerging markets, where the greatest growth opportunities often lie.

Rough estimates from the Financial Times put the majority of Twitter users in the US, Japan and Brazil; national social networking sites such as China’s Baidu and Sina Weibo, or Orkut in Brazil for instance, are far more popular in certain emerging markets. What’s more, it’s impossible to ensure that the information and profiles on these sites haven’t been falsified. The WEF highlighted this as a key risk in its Global Risks 2013 report.19

Big data analytics can also mislead when decisions are based on faulty, skewed, incomplete or poorly analysed data sets, resulting in missed opportunities as organisations enter the wrong markets, or enter the right markets with the wrong products. It’s also possible that the same data sets can lead to different conclusions in different parts of the world as a result of cultural bias.

Big data gaining ground

Responses to the question “is your organisation focusing on big data solutions?” (Source: ISF Live poll - Member responses)

• 71% are using or considering adopting big data techniques
• 21% do not see the value

Further complicating matters, attackers will target data analytics tools to ensure decisions are skewed. For example, competitors may seek to compromise the information used as input to these tools, or alter the underlying algorithms that analyse it. The more advanced attacker may find a way to skew the results of data analytics without leaving a trace, ensuring strategic decisions are based on flawed data.

18 Cynthia Boris, ‘Small Business Owners Name LinkedIn as the Most Useful Social Network’, Marketing Pilgrim, 31 January 2013, http://www.marketingpilgrim.com/2013/01/small-business-owners-name-linkedin-as-the-most-useful-social-network.html

19 World Economic Forum, ‘Global Risks 2013’

Threat 5: Big data = big problems


Misjudging the value, analysis and integrity of big data can have a very real impact on an organisation’s profits: entering new markets is expensive and getting out of them even more so, not to mention the potential brand and stock price damage for the perceived failure to properly consider business decisions. As a result, big data analysts and their skills will be at a premium and organisations will have to assess what they are prepared to pay to attract the requisite skills.

Articulating this threat for senior management

Going green

The volumes of information being collected for analysis require storage solutions which are often not environmentally friendly. The energy used to gather, store and analyse the information can be huge and can raise the risk of brand damage or hacktivist action in the event that costlier ‘green’ solutions aren’t used.

Exploiting the consumerisation of IT

More data from consumer mobiles and usage within organisations as well as for personal use create bigger data sets, possibly complicating analysis.

Narrowing the skills gap

The growing data sets and evolving uses of big data require deeper analysis skills that are often difficult to source because of the existing skills gap and the relative newness of the field.

Recommendations and tips

Big data offers opportunities for organisations when the risks and rewards are well considered. Organisations should keep in mind that the human aspect of data analytics is required to properly analyse and vet datasets. Some actions to consider are:

• Understand that information has a different value and level of protection requirements when combined as opposed to when it is in silos.

• Ensure the organisation has adequate skillsets to analyse big data.

• Outline a process for applying big data analytics to information security problems.

• Validate findings using multiple data types to test results.

Review the following ISF material

• Cyber Security Strategies: Achieving Cyber Resilience
• Data Analytics For Information Security: From Hindsight To Insight
• Big Data Special Interest Group (on ISF Live)
• Data Privacy In The Cloud


Why does this threat matter?

Smartphones will be the motherboard for the Internet of things, creating a prime target for malicious actors. Unauthorised users will target and siphon sensitive information from these devices via insecure mobile applications. The level of hyperconnectivity means that access to one app on the smartphone can mean access to all of a user’s connected devices.

The rationale

The rapid uptake of ‘bring your own device’ (BYOD) and the introduction of wearable technologies to the workplace will increase an already high demand for mobile applications for work and home. To meet this increased demand, developers working under intense pressure and on wafer-thin profit margins will sacrifice security and thorough testing in favour of speed of delivery and low cost, resulting in poor quality products more easily hijacked by criminals or hacktivists.20

Organisations are also getting into the app game, releasing mobile apps that meet customer demands but are inherently insecure. According to a survey by IOActive Labs in January 2014, many of the “top 60 most influential banks in the world … failed to implement basic security protections to their applications … even after being notified of vulnerabilities”.21

[Figure: App attack maturing: growth of mobile malware. Number of mobile malware samples by year, 2010 to 2013, plotted on a scale from 0 to 300,000. Source: Juniper mobile threat reports, 2011 & 2013]

The information that individuals and organisations store on mobile devices already makes them attractive targets for hackers and criminals. These devices will also become the prime way for people to manage connected devices: warming cars on a frosty morning, regulating thermostats in houses and determining what’s missing from the fridge will all be carried out from mobile devices. At the same time the number of apps people download to their devices will continue to grow. But do the apps access more information than necessary and perform as expected?

20 UTest Software Testing Blog, ‘8 Biggest Security Threats of 2013’, 24 December 2013, http://blog.utest.com/8-biggest-security-threats-of-2013/2013/12/
21 Darlene Storm, ‘Mobile iOS banking apps are miserably insecure leaky messes’, Computerworld Blogs, 13 January 2014, http://blogs.computerworld.com/application-security/23386/mobile-ios-banking-apps-are-miserably-insecure-leaky-messes

Threat 6: Mobile apps become the main route for compromise


In the worst case, apps can be infected with malware that steals the user’s information – tens of thousands of smartphones are thought to be infected with one particular type of malware alone.22 This will only worsen as hackers and malware providers switch their attention to the hyperconnected landscape of mobile devices.

But that’s not all: just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the mobile environment. Fines for data breaches will increase. EU data privacy fines could be huge – up to €100m or 2% of global turnover at last reading – should they pass parliament;23 the UK Information Commissioner’s Office has called for the government to impose heavier fines,24 and some Latin American states such as Peru and Chile have been progressively introducing fines for data breaches.25

As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organisations and impose even bigger fines. The organisations that get on the front foot now and prepare for stricter data breach laws with bigger fines for non-compliance will find themselves ahead of the curve and in customers’ good graces. They’ll also make better business decisions along the way.

Articulating this threat for senior management

Exploiting the consumerisation of IT

BYOx (bring your own anything) means that organisations’ sensitive information often unknowingly resides on employees’ personal devices.

Fostering a digital presence

Being able to gain value from the digital economy will be more challenging when mobile apps are not reliable and may increase an organisation’s vulnerability.

Avoiding corporate espionage

Mobile apps on smart devices offer malicious actors another way to gain unauthorised access to company information.

Recommendations and tips

Organisations should be prepared to embrace the increasingly complex Internet of things and understand what it means for them. CISOs should be proactive in preparing the organisation for the inevitable by:

• Ensuring that apps developed ‘in-house’ follow the testing steps in a recognised systems development lifecycle approach.

• Managing user devices in line with existing asset management policies and processes.

• Incorporating user devices into existing standards for access management.

• Promoting education and awareness of BYOD risk in innovative ways.

Review the following ISF material

• Managing BYOD Risk: Staying Ahead of Your Mobile Workforce
• Security Awareness (coming soon)

22 Tim Ring, ‘Thousands of smartphones infected with ‘spy’ malware’, SC Magazine, 7 January 2014, http://www.scmagazineuk.com/thousands-of-smartphones-infected-with-spy-malware/article/328207/?DCMP=EMC-SCUK_Newswire

23 EurActiv, ‘EU lawmakers vote stricter data privacy rules’, 22 October 2013, http://www.euractiv.com/infosociety/eu-lawmakers-vote-stricter-data-news-531217
24 Daniel Milnes, ‘Information Commissioner prosecutes probation officer for data protection breach’, 23 August 2013, http://www.forbessolicitors.co.uk/blog/2013/08/information-commissioner-prosecutes-probation-officer-for-data-protection-breach/
25 Hunton and Williams LLP, ‘Peru Issues Data Protection Regulations’, Privacy and Information Security Law Blog, 26 March 2013, https://www.huntonprivacyblog.com/2013/03/articles/peru-issues-data-protection-regulations/; BakerHostetler, ‘International Compendium of Data Privacy Laws’, 26 February 2013, http://www.bakerlaw.com/alerts/International-Compendium-of-Data-Privacy-Laws-2-26-2013


Why does this threat ma er?

Ironically, the reac on to NSA revela ons has been to boost reliance on encryp on – the default approach to Internet security. But encryp on will fail to live up to expecta ons due to weak implementa on prac ces and government a empts to undermine it via backdoors in so ware. Huge compu ng power being developed to bear to crack all but the toughest algorithms will further complicate ma ers.

Combined with threats from the fi rst theme, no-one le to trust in cyberspace, the failure of encryp on substan ally raises the risks of opera ng in cyberspace. Organisa ons will need to examine how and where they use encryp on and decide what other protec ve measures need to be used to provide the security both they and their transac on partners require.

The ra onale

Internet transac ons rely on encryp on to provide confi den ality of informa on and non-repudia on. However, encryp on will prove not to be the security panacea previously assumed. The cracks are already visible with revela ons that US and UK intelligence agencies can break many forms of encryp on algorithms and rumours that backdoors exist in widely used systems and so ware.

It’s generally accepted that given enough me and/or compu ng power, all encryp on is breakable. However, that me has always been years (if not decades) and compu ng power has always been a limi ng factor. Yet mathema cian Yitang Zhang’s breakthrough with twin primes (fundamental to public-key encryp on) in 2013 showed that cracking the maths is no longer out of reach26 and it is no surprise to learn that the NSA is developing quantum compu ng specifi cally for this purpose.27

ENCRYPTION ERROR

It begs the ques on of who else is able to get around encryp on. All it takes is one individual or group to make the workarounds and back doors open knowledge to further erode one of the cornerstones of secure business on the Internet.

26 Maggie McKee, ‘First proof that infi nitely many prime numbers come in pairs’, Nature, 14 May 2013, h p://www.nature.com/news/fi rst-proof-that-infi nitely-many-prime-numbers-come-in-pairs-1.12989

27 BBC News, ‘NSA ‘developing code-cracking quantum computer”, 3 January 2014, h p://www.bbc.co.uk/news/technology-25588605

Encryption fails7


Another way to ‘break’ encryption is to target its implementation through the organisation’s IT infrastructure. Given that people are most often the weak link in information security, it should come as no surprise that encryption’s implementation is often flawed. Targeting implementation efforts offers a more efficient way to compromise an organisation’s entire encryption system because it is the way in which encryption keys are generated, exchanged, stored, used and replaced.

While most attention is paid to data flowing across the Internet and stored on contemporary devices, legacy data is often encrypted and archived. Organisations should be aware that this information may not remain safe as long as expected.

Articulating this threat for senior management

Fostering a digital presence

The risks associated with the digital agenda will become more difficult and expensive to mitigate. That’s not to say that it’s impossible, but that the business will need to make conscious decisions to invest in practical solutions.

Avoiding corporate espionage

The failure of encryption eases the path for those involved in corporate espionage. The potential that organisations will fail to invest in more effective encryption solutions could motivate competitors and competitor nation states to increase espionage activities.

Managing the supply chain

The inability to obscure or verify information in the supply chain using encryption will raise the cost of doing business as other more time-consuming methods must be employed. Even then, in some instances it’s likely that organisations would need to adopt a level of blind trust with partners to maintain operations.

Recommendations and tips

The failure of encryption is important as all organisations rely on it in cyberspace. It is therefore important to understand that this threat is there on the horizon and no organisation is immune. However, the information security function can prepare by taking the following actions:

Classify information and know where the sensitive information assets are to understand where the organisation faces the most risk; consider the full information life cycle.

Identify current cryptographic solutions used across the organisation. Determine a strategy for improving their implementation.

Work under the assumption that the potential exists for all encryption to be broken and assess risks to assets under this scenario.

Critically assess commercial encryption software and hardware, in particular given revelations of back doors.

Review the following ISF material

You Could Be Next: Learning From Incidents To Improve Resilience


Theme 3: Failure to deliver the cyber resilience promise

The deepening level of connectivity and more advanced technologies will challenge the CISO to keep up with the demands of the organisation. Pressures to perform will come from all sides: the gap between what skills organisations need and are willing to pay for, and what’s on the market, will widen; meanwhile Generations Y and Z will fundamentally challenge the traditional information security model. In this context, an organisation needs to leverage the abilities of its existing employees, work to retain talent, and cultivate sustainable recruitment and development plans to be able to foster cyber resilience.

Threats associated with this theme

This theme addresses the people aspect of organisations’ cyber resilience. Given there will be nobody left to trust in cyberspace and trusted security solutions will prove unreliable, organisations must leverage the abilities of existing employees and embrace the new generations to stay ahead of the competition.

Earlier threats that will compound the pressure in 2016

In Threat Horizon 2014, threats related to this report’s theme were squarely focused on organisational issues: compliance, regulation and investment. This shifted in Threat Horizon 2015 to a more people-based approach to information security, namely the CEO’s lack of understanding of information risk and the inability to source the right people. Looking forward to 2016, adopting an approach that is sensitive to the motivations and needs of younger generations will enable the CISO to get the support and people needed to tackle an increasingly challenging landscape. The threat is that CISOs aren’t prepared to view these changes as opportunities and they fail to adapt and take advantage of them.

[Figure: 2014 Threats, 2015 Threats and 2016 Threats relating to this theme, arranged around ‘Your Organisation’ under the headings Internal threats, External threats and Regulatory threats. Threat numbers as they appear in the diagram: 2014 threats 5, 6 and 7; 2015 threats 1, 2 and 7; 2016 threats 8, 9 and 10. Legible labels: ‘New requirements shine a light in dark corners, exposing weaknesses’; ‘… an undervalued investment’; ‘A focus on privacy distracts from …’; ‘The CEO gets it, now you have to deliver’; ‘Skills gap becomes a chasm’; ‘… right people’; ‘Cyber risk is challenging to understand and address’; ‘Reputation is a new target for cyber attacks’; ‘Criminals value your reputation’; ‘The changing pace of technology doesn’t help’; ‘The role of government must not be misunderstood’.]

Threat 8: The CEO gets it, now you have to deliver

Why does this threat matter?

Cyber will no longer be a buzzword confined to tech-savvy people. Developments in cyberspace and related disasters are already in the news, are talked about within the boardroom, and reported in some organisations’ annual reports. By 2016, the CEO will understand cyber risk and expect the CISO to manage it while delivering the value so long promised.

The CISO needs to mature the security function to be able to satisfy the CEO’s questions, particularly ‘are we ready?’ and ‘are we secure?’.

The rationale

The C-suite is already waking up to cyber risk. By 2016, the CEO will fully understand the risks associated with cyberspace and will ask the CISO whether the organisation is secure. However, after focusing for so long on trying to get the CEO’s attention, the CISO may not be able to deliver the value the CEO demands to the timelines imposed. Whether this is because there are other constraints on the CISO’s time, or they lack the necessary funding or skillsets to deliver strategic value, is irrelevant. The organisation will view information security as unable to deliver value and as a blocker of strategic business initiatives.

It is little surprise that the C-suite is waking up to cyber risk so quickly because they’ve been inundated by major news coverage, public hype, and stakeholder pressure. Recent surveys indicate that:

• Concern over cyberspace has risen up risk indices, coming in third in Lloyd’s Risk Index, up from 12th in 2011.28

• IBM’s 2012 global CEO study showed that 71% of global CEOs view technology as the top factor affecting business over a three-year time horizon.29

• The Ponemon Institute reported in August 2013 that 41% of large organisations now consider cyber risk more important than other insurable business risks.30

At the same time, in spite of a rapidly developing threat landscape and a pervasively reactive approach to information security, board-level executives generally believe they are well-equipped to face the challenge (see the following page).1

28 Lloyd’s, ‘Lloyd’s Risk Index 2013’, 10 July 2013, http://www.lloyds.com/~/media/Files/News%20and%20Insight/Risk%20Insight/Risk%20Index%202013/Report/Lloyds%20Risk%20Index%202013report100713.pdf

29 IBM Institute for Business Value, ‘Reinventing the rules of engagement: CEO insights from the Global C-suite Study’, November 2013, http://public.dhe.ibm.com/common/ssi/ecm/en/gbe03579usen/GBE03579USEN.PDF

30 http://assets.fiercemarkets.com/public/newsletter/fiercehealthit/experian-ponemonreport.pdf

1 ‘Global State of Information Security 2014’, PwC


[Figure: The C-suite believe they’re secure. Confidence in security activities (somewhat or very confident): All respondents 74%; CEOs 84%; CFOs 76%; COOs 77%. Source: ‘Global State of Information Security 2014’, PwC.]

The forward-looking CISO is ready to react to these rapidly changing expectations at the board level and meet the CEO’s expectations. Unless CISOs evolve their skillset to ensure that they can anticipate the CEO’s needs and deliver on an increasingly demanding digital agenda, they will fail.

Articulating this threat for senior management

Fostering a digital presence

Effectively enabling the digital agenda cannot safely be done without managing information risks.

Narrowing the skills gap

The information security function must have the requisite skillset to be able to deliver what the business is expecting of them.

Exploiting the consumerisation of IT

The board may be interested to know how information security can manage this concern while at the same time leveraging it for growth.

Recommendations and tips

Successful CISOs will anticipate the shifting understanding and demands within the organisation around cyberspace and senior management’s expectations. They must engage with key stakeholders to be able to anticipate their changing needs and build organisational resilience to cyber risk. To do all this, CISOs must develop their own skillsets to ensure they can transition into a world where cyber initiatives are mainstream and not solely left to technical people. They should consider the following:

Ensure that the function is able to deliver the value the CISO has been promising to senior management.

Build strong credibility for the CISO and the function by positioning the security function as a ‘centre of excellence’.

Align with the organisation’s approach to risk management, including risk appetite and reporting methodologies.

Communicate with other business units to strategise how information security can help enable business initiatives.

Review the following ISF material

Engaging With The Board: Balancing Cyber Risk And Reward

The Modern CISO: Managing Risk And Delivering Value

Information Security Strategy (coming soon)

Threat 9: Skills gap becomes a chasm

Why does this threat matter?

A maturing information security field and more sophisticated cyber attack capabilities will demand skilled information security professionals, who are increasingly scarce. Cybercriminals and hacktivists are increasing in number and deepening their skillsets and the ‘good guys’ are struggling to keep pace.1

Where will these resources and skillsets come from? CISOs need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organisation’s cyber resilience.

The rationale

Failure to get the right people severely hampers aspirations of excellence. Specialist information security skills needed to address rapidly evolving threats and manage day-to-day operations will continue to evade those organisations that don’t begin the process of evolving their recruitment and training programmes now. It will also become increasingly difficult to define the required competency profiles as hyperconnectivity accelerates, demanding rapidly evolving skillsets.

The problem may go deeper than the supply and demand story, with the qualifications required unavailable, viewed as unnecessary, or not promoted early enough in schools. The pictograph below shows that only 8% of those who gain a degree in science, technology, engineering and mathematics (STEM) in the US remain in the field after 10 years. This suggests that perhaps these skillsets are undervalued, a situation organisations need to address. Where unskilled people move in to fill this gap, the pressure will increase to find adaptable people and then invest in their training and development.

[Figure: Gap on the market only partly down to education. Data on people who earn a science, technology, engineering and mathematics (STEM) degree and their presence in related fields: 100% students who earn a BA; 19% students with a BA in a STEM major; 10% STEM BA graduates working in a related field after university; 8% STEM BA graduates working in a related field after 10 years. Source: Adecco, USA.]

For organisations that rely heavily on legacy systems, the threat is more imminent as the baby boomer generation (born between 1946 and 1964) moves out of the workforce. At the same time, the global economic downturn has had a severe impact on the skillsets of many, leaving a large pool of people who failed to find work that would enable them to develop appropriate skills. Those in work were spread thin in an effort to cut costs, sometimes resulting in broad skillsets rather than the specialisms needed going forward.

1 ‘Global State of Information Security 2014’, PwC


An inability to find or retain the right people with the required skills and motivate them to perform has very real consequences for an organisation’s capacity to innovate safely and quickly. As well as evolving recruitment practices and developing talent within the organisation, organisations should invest in funding external training and development opportunities and reward those who attain them, both financially and with opportunities to develop further.

Articulating this threat for senior management

Fostering a digital presence

Organisations will struggle to leverage Internet opportunities if they lack people with the ability to do so effectively and securely.

Narrowing the skills gap

The skills gap in information security is another piece of the organisational skills gap challenge and should have the same level of attention as others, given the significant information risks to business initiatives.

Leveraging emerging vs developed markets

Some emerging nations are already addressing the skills gap by promoting degree programmes and training ahead of many developed nations, providing trained information security professionals for local markets.31 Some developed markets are beginning to address the skills gap, though more will need to be done and the effects will take considerable time to filter through the system.

Recommendations and tips

The skills gap will deepen as the level of hyperconnectivity increases. CISOs should prepare to build information security capabilities across the organisation and position the organisation to recognise and retain talent. Some suggestions for how to do this are:

Create a sustainable recruitment plan that emphasises recruiting and developing talent from a wide range of sources.

Develop talent within the organisation and create incentives to retain existing talent. This could involve putting in place mentoring programmes, external coaching opportunities, and promoting from within. Work with the human resources function to develop sustainable plans to do this.

Empower the people already in the organisation. Support external initiatives to develop and source new talent. Implement architectural solutions to tackle the shortfall in legacy systems skills, such as investing in trusted monitoring systems, isolating these systems where possible, or investing in upgrades where the budget allows.

Review the following ISF material

The Modern CISO: Managing Risk And Delivering Value

Securing The Supply Chain: Preventing Your Suppliers’ Vulnerabilities From Becoming Your Own

Supply Chain Assurance Framework (SCAF) (coming soon)

31 HP, ‘Closing the skills gap in information security’, Inform security emagazine, Issue 10, 2013, http://h41085.www4.hp.com/uk/en/campaign/inform-emagazine/articles/closing-the-skills-gap-in-security.html

Threat 10: Information security fails to work with new generations

Why does this threat matter?

As they move into the workplace, the so-called Generations Y and Z will offer fresh and innovative ideas that will change ways of working and conducting business. Their approaches to information security and privacy will certainly challenge traditional models. The question for organisations is: fight or embrace?

The rationale

Concern about a new generation and what they bring with them, especially into the workplace, isn’t new: the Latin saying Tempora mutantur, nos et mutamur in illis cleverly pinned down the fact that ‘Times change, and we change with them’. Generations Y and Z (born after 1981) are no different: they offer an opportunity for innovative approaches to working which organisations can take advantage of, or attempt to resist.

Most of the hype around Generations Y and Z is founded in them being the first generations raised in the digital age to enter the workplace: so far, they’ve lived their lives on the Internet, sharing vast amounts of personal information in cyberspace, and communicating with friends and colleagues via social media and networking outlets rather than email. Unchallenged, these generations approach information security and privacy in a way that is starkly at odds with traditional models.

[Figure: Gen Y & Z flagrantly disregard IT policies. Adherence to IT policies: 70% regularly break policy; 61% believe they are not responsible for protecting information on devices; 80% don’t like their company’s IT policy. Source: CISCO.]

CISCO’s Annual Security Report (ASR) stated that 91% of Generation Y surveyed believed the age of privacy was over.32 Even those who are more wary of their privacy are actively involved in this space, opting for outlets that offer a perceived sense of privacy: one example is the popularity of Snapchat, an application that makes photos ‘disappear’ within an allotted time period.

32 Cisco, ‘Cisco Annual Security Report: Threats Step Out of the Shadows’, 30 January 2013, http://newsroom.cisco.com/release/1133334


At the same time Generations Y and Z are unlikely to ‘follow the rules’ as the older generations tend to; they were brought up to question authority and expect to see fairness as part of any deal to conform.33 Within the workspace this translates into a flagrant disregard for company policies, particularly in the IT realm. According to CISCO’s ASR, 70% of employees admitted to breaking IT policies while 50% of IT professionals believe policies are adhered to.32 Resolving this conflict poses substantial challenges for CISOs relying on policies for security controls, and speaks to the need for a more people-centric approach to information security.

This may well be a fight that the organisation doesn’t want or can’t win. How can information security arrangements be adapted to work with Generations Y and Z – realising opportunities rather than wasting energy and talent by trying to bring them into line?

Articulating this threat for senior management

Fostering a digital presence

Generations Y and Z have the digital agenda ingrained. They grew up with e-commerce and are well versed in how to optimise online and social media presence.

Narrowing the skills gap

Generations Y and Z approach work in a way that is different to the older generations and they bring a varied skillset, which can be professionalised given the right training. What may appear to be a skills gap in some circumstances may simply be a different skillset or approach to work that the organisation should consider co-opting.

Mitigating economic uncertainty

These generations are coming of age at a time of severe economic disruption: they have seen the effects of the global downturn of 2009 and as a result have little loyalty to organisations that don’t offer them the work-life balance and working environment they demand.

Recommendations and tips

Organisations that are proactive in understanding how the newer generations work will be better placed to get ahead of the curve and the competition. The ISF recommends that CISOs consider the following actions to prepare for this threat:

Understand that the new generations’ approaches to work, socialising and privacy are vastly different from previous generations’ and that they won’t fit with traditional security models.

Adapt existing policies and procedures to engage with Generations Y and Z. Foster an information security culture in the organisation to promote awareness.

Review the following ISF material

Role Of Information Security In The Enterprise

Security Awareness (coming soon)

33 United Nations Joint Staff Pension Fund, ‘Traditionalists, Baby Boomers, Generation X, Generation Y (and Generation Z) Working Together’

32 Cisco, ‘Cisco Annual Security Report: Threats Step Out of the Shadows’, 30 January 2013, http://newsroom.cisco.com/release/1133334


5 Conclusion

Organisations need to prepare for threats to their cybersecurity and resilience to come from some previously thought ‘safe’ enclaves, such as governments and even the CEO. Information security will become more complex as governments complicate business by taking a more active role in governing cyberspace. At the same time, the CEO demands more of the information security function as security solutions are increasingly unreliable. The question is this: are you as ready as you could be?

The evidence tends to show that many organisations are far from ready. The Global State of Information Security 2014 illustrates this in no uncertain terms with the key finding that “many rely on yesterday’s security practices to combat today’s threats.”1 Another survey found that companies are not as secure as they think, with 80% of respondents satisfied with the current level of security despite only 13% having “made drastic changes to their security approach over the last two years”.34

However, all is not lost. As the threats grow, so do the opportunities. Building cyber resilience requires information security professionals to step outside their comfort zones and fashion a strategy rooted in engagement, anticipation, and resilience. The ultimate threat, no matter the time horizon, is that you’re not ready and you can’t get ready. By following the guidance provided in the Threat Horizon series in conjunction with other ISF tools and research deliverables, ISF Members can position themselves to build the cyber resilience capacity necessary to embrace and leverage cyberspace.

1 ‘Global State of Information Security 2014’, PwC

34 Antone Gonsalves, ‘Study: Companies are not as secure as they think’, CSO Online, 25 November 2013, http://www.csoonline.com/article/743749/study-companies-are-not-as-secure-as-they-think?source=CSONLE_nlt_salted_hash_2013-11-26

Appendix A

Revisiting predictions from 2014 and 2015

This Appendix looks at the 20 threats identified in the 2014 and 2015 reports, providing a general view on how they have changed or morphed. Of those 20 threats, only three have reduced, nine have remained broadly the same but eight have increased in criticality. This is, to some extent, why the key diagram for this report is in the form of an arrow showing 30 total threats. The threats from previous reports have not gone away: in fact, many of the 2016 threats will act as multipliers to those in the previous reports, while threats from the 2014 and 2015 reports will form the foundation for some of the 2016 threats to take root and flourish. As a result, these 20 threats have been categorised according to the themes in this year’s report.

It is important to note that this assessment of threats is the result of discussions and debates in the ISF Global Team and should be revisited by each Member organisation taking into consideration their individual circumstances.

Theme 1: No-one left to trust in cyberspace

Threat Horizon 2014

Cyber criminality increases as Malspace matures further

The evolution of Malspace continues to outpace security professionals’ ability to adapt defences to it. As the ISF warned in Threat Horizon 2014 (written in 2011-12), Malspace tools are increasingly available at lower costs to wider audiences: for example, a 17-year-old security researcher in India became the first to develop malware for mobile Firefox OS in October 2013.35

Attackers no longer spam at will, but are increasingly focused, learning the habits and preferences of targets to better tailor malware to the intended audience. This threat will increase in criticality over the coming years as nation states become more involved in developing sophisticated malware. The US government admitted in 2012 it worked with Israel to develop cyber weapons to use against Iran.36 More targeted attacks will also carry the negative impact of having a lower volume of malware attacks, making them difficult to track, analyse, and protect against.

The cyber arms race leads to a cyber cold war

The cyber cold war appears to be heating up, with governments worldwide in 2013 publicly acknowledging they are building military cyber capabilities. This is closely linked to the above point, with nation states backing development of malware. The countries that have strong cyber capabilities will continue to develop these while the few that don’t will invest in them.

The Syrian Electronic Army (SEA), a group that supports the Syrian government, launches regular attacks on targets seen as aligned with viewpoints against the Syrian government. In November 2013, the group hacked the unaffiliated international magazine Vice following its posting of an article claiming to reveal the leaders of the SEA.37 The SEA also hacked a number of Microsoft’s customer-facing communications sites in January 2014, tweeting that “changing the [content management system] will not help if your employees are hacked and they don’t know about it”.38

35 Adam Greenberg, ‘Teenage researcher develops first malware for mobile Firefox OS’, SC Magazine, 21 October 2013, http://www.scmagazine.com/teenage-researcher-develops-first-malware-for-mobile-firefox-os/article/317129/

36 http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=4&_r=2&hp&

37 Adam Greenberg, ‘Vice.com hacked by Syrian Electronic Army’, SC Magazine, 11 November 2013, http://www.scmagazine.com/vicecom-hacked-by-syrian-electronic-army/article/320466/

38 http://www.telegraph.co.uk/technology/microsoft/10587443/Microsoft-blog-hacked-by-Syrian-Electronic-Army.html


Threat Horizon 2015

Crime as a Service (Caas) upgrades to v2.0

An interes ng development in this space is the applica on of crowd-funding to crime as a service: an online community raised a bounty of more than US$15k to hack the biometric code on the iPhone 5S. Within days of its release the German Chaos Computer Club posted a video detailing how to hack the device.39 But there are also far more nefarious uses of crowd-funding, such as crowd-funded bit coin boun es on world leaders’ heads.40 With a vast pool of disgruntled employees and cyber tools for crime available to wide audiences at rela vely low cost, the opportunity for similar developments in the Crime as a Service space is high.

Insiders fuel corporate ac vism

The insider threat will not go away. With the weapons more widely available and easier to adopt, the barriers to entry will con nue to fall. Even in cases where informa on loss is not for malicious reasons, organisa ons remain ill-equipped when it comes to ‘monitoring and detec ng unusual or suspicious employee behaviour’.41 The Verizon Data Breach Inves ga on Report (DBIR) report shows that between their 2012 and 2013 reports, the percentage of data breaches perpetrated by insiders rose from 4% to 21%.42

Threat Horizon 2014

More causes come online; activists get more active

It is now a business imperative to be online; it is also a mainstay of modern social interactions. The Internet will remain the vector through which individuals voice their dissatisfaction. Organisations need to be aware of and sensitive to this. A telling example is the individual who bought a promoted Tweet to rail against a large airline’s customer service in 2013.

Cyberspace gets physical

Vulnerabilities in critical public infrastructure’s industrial control systems (also known as SCADA) offer an attractive attack opportunity for criminals. They also offer governmental offensive cyber forces a debilitating target in other nation states, potentially taking out food delivery or transportation systems with the click of a mouse.

Threat Horizon 2015

Hacktivists create fear, uncertainty and doubt

The range of hacktivist targets has widened substantially in recent years and it is no longer enough to be in the middle of the pack. Even those organisations that think they are doing all the right things could fall foul of public opinion and become the target of a hacktivism campaign.

Governments and regulators won’t do it for you

Governments will impose strict legislation and regulation in an attempt to soothe public anger over the 2013 NSA revelations. Some governments are starting to provide guidance on cyber issues – the US government offers industry sector-specific guidance on cyber security;43 the UK publishes reports for businesses on key points of cyber security;44 and the Singaporean government has an annual Cyber Security Awareness Day and a mobile application to help promote cyber awareness.45 However, beyond limited guidance, the onus of responsibility will still fall on organisations to build and sustain their own cyber resilience.

39 Charles Arthur, ‘iPhone 5S fingerprint sensor hacked by Germany’s Chaos Computer Club’, Guardian, 23 September 2013, http://www.theguardian.com/technology/2013/sep/22/apple-iphone-fingerprint-scanner-hacked

40 Charles Luzar, ‘Crowdfunded Bitcoin Bounties Offered For Murder Of World Leaders On “Assassination Market”’, Crowdfund Insider, 19 November 2013, http://www.crowdfundinsider.com/2013/11/26808-crowdfunded-bitcoin-bounties-offered-murder-world-leaders-assassination-market/

41 Dan Raywood, ‘Danger within: The inside threat’, SC Magazine, 1 October 2013, http://www.scmagazine.com/danger-within-the-inside-threat/article/311629/

42 Verizon, ‘Data Breach Investigation Report 2012’ and ‘2013’

43 Miles Keogh and Christina Cody, ‘Cybersecurity for State Regulators’, The National Association of Regulatory Utility Commissioners, February 2013, http://www.naruc.org/grants/Documents/NARUC%20Cybersecurity%20Primer%202.0.pdf

44 UK Department for Business, Innovation and Skills, ‘Small businesses: What you need to know about cyber security’, 23 April 2013, https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know

45 Infocomm Development Authority of Singapore, ‘Annex B: Factsheet on Cyber Security Awareness Day & New Mobile Application’, 24 July 2013, https://www.ida.gov.sg/~/media/Files/About%20Us/Newsroom/Media%20Releases/2013/0724_ncsm/AnnexB.pdf


Theme 2: Confidence in accepted solutions crumbles

Threat Horizon 2014

The supply chain springs a leak as the insider threat comes from outside

Organisations rely heavily on complex global supply chains for operations. Awareness of the problem has increased somewhat in recent years, but the supply chain is still viewed as the best attack route for any organisation. This threat will increase in criticality over the coming years as bad actors increasingly target weak points in the supply chain rather than directly attacking the intended target.

Threat Horizon 2015

Bring your own device further increases information risk exposure

In the Threat Horizon 2015 report, the ISF said that 2012 marked the year of BYOD pilot programmes, that 2013 would see mass adoption and that 2014 would be the year of the disaster. So far, the prediction has played out well in 2012 and 2013 and we hold to our expectation for a disaster in 2014 that will cause a reconsideration of how to adapt now widely adopted BYOD policies.

Threat Horizon 2014

New technologies overwhelm

Organisations are generally managing the deluge of new technologies and new usages for old technologies well. That said, the widening scope of technology changes still to come could yet overwhelm security professionals. The introduction of wearable technologies into the workspace could require updates to existing bring your own device policies, or new policies altogether.

Threat Horizon 2015

Outsourcing security backfires

The tendency to outsource security, perhaps due to the inability to source these skills internally, will persist as a threat, in particular as the skills gap widens. In doing so the organisation loses control over how the service provider manages its information. It could be the case that the service provider employs a one-size-fits-all model, which in reality is completely unsuited to the organisation’s needs.

Threat Horizon 2014

A clouded understanding leads to an outsourced mess

The popularity of cloud outsourcing in recent years has meant that organisations have improved their understanding of the risks involved. As a result the gap the ISF anticipated would widen has largely held steady and has not led to the scale of negative events expected. This gap should narrow as organisations become more adept at managing the risks involved with cloud outsourcing.

Threat Horizon 2015

BYOC (bring your own cloud) adds unmanaged risk

With the explosion of BYOD adoption across organisations, bring your own cloud has become an inevitable associated risk. However, organisations have generally adopted policies to mitigate this risk and accepted the residual risk, leading to the downgrading of the criticality of this threat.


Theme 3: Failure to deliver the cyber resilience promise

Threat Horizon 2014

New requirements shine a light in dark corners, exposing weaknesses

The global public is waking up to privacy and security, partly thanks to the ongoing NSA scandal. As governments and inter-governmental organisations attempt to calm public concern and gain perceived control over the unwieldy Internet, more regulation is in the pipeline.46 Information security professionals could find themselves caught out in such a rapidly changing regulatory landscape.

Threat Horizon 2015

Organisations can’t get the right people

In spite of some governmental efforts to tackle the widening skills gaps, the onus of responsibility falls on organisations. The lack of specialist skills in information risk and technology will not be tackled quickly, as it takes time for these initiatives to filter through education, training, and workplace environments. Indeed, the UK Commission for Employment and Skills (UKCES) estimates that the ‘digital sector will require about 300,000 new recruits by 2020’ in the UK alone.47

Threat Horizon 2014

A focus on privacy distracts from other security efforts

Given the high likelihood of stricter privacy regulation over the coming years, there remains a risk that the information security function spends a disproportionate amount of time preparing to meet these requirements. In the meantime, other concerns that remain critical to the organisation’s operations may fall down the list of the CISO’s priorities, leaving the organisation exposed.

Threat Horizon 2015

The CEO doesn’t get it

In spite of media coverage around cyber issues, some organisations’ senior management still fail to understand the risks involved with cyberspace.48 Though this is changing, the threat remains that some CEOs won’t grasp the risk involved when considering cyberspace opportunities and their organisations will suffer as a result.

Information leaks all the time

Malevolent actors will increasingly target organisations’ weak spots while employees will fail to follow the correct policies and procedures, resulting in information leakages. As we anticipated in the 2015 report, released in January 2013, attacks are becoming more targeted, with attackers conducting extensive reconnaissance on targets and assets.49

Threat Horizon 2014

Cost pressures stifle critical investment; an undervalued function can’t keep up

After years of frozen or shrinking information security budgets due to the global financial crisis and subsequent economic malaise, most respondents (92%) to the Global State of Information Security 2013 survey ‘expect to spend at least the same on security next year’ while 47% expect to spend more.50 More granular data confirms this trend, with Gartner reporting in June 2013 that worldwide security software spending had increased by 7.9% to US$19.2bn in 2012.51

46 Craig Newman and Daniel Stein, ‘Talking heads: why regulators are looking at cyber security’, Financial Times, 1 September 2013, http://www.ft.com/cms/s/0/53125dc0-00ec-11e3-8918-00144feab7de.html#axzz2gNc4H9mP

47 Jonathan Brandon, ‘Mobile, cloud and security skill gap may hamper innovation’, Business Cloud News, 16 September 2013, http://www.businesscloudnews.com/2013/09/16/mobile-cloud-and-security-skill-gap-may-hamper-innovation/

48 Julie Strickland, ‘The Biggest Threat to Cyber Security--Your CEO’, Inc., 14 June 2013, http://www.inc.com/julie-strickland/ceo-cyberattacks-hacking.html

49 Sophos, ‘Security Threat Report 2013’, December 2013, http://www.sophos.com/en-us/medialibrary/PDFs/other/sophossecuritythreatreport2013.pdf

50 ‘2013 Information Security Breaches Survey Executive Summary’, Department for Business, Innovation and Skills, PwC & InfoSecurity, http://www.pwc.co.uk/assets/pdf/Cyber-security-2013-exec-summary.pdf

51 Saroj Kor, ‘Gartner: Worldwide Security Software Spending Reached $19.2 Billion in 2012’, Cloud Times, 14 June 2013, http://cloudtimes.org/2013/06/14/gartner-worldwide-security-software-spending-reached-19-2-billion-in-2012/


Appendix B

One of the Threat Horizon supplementary materials mentioned in the body of the report is the ISF Threat Heat Map. Typically, a Heat Map plots likelihood and impact and thus offers a pictorial view based on those factors. This provides a basis for discussion between senior management, information security and other interested parties on where attention should be focused. For example, while high likelihood/high impact threats are an obvious target for action and investment, organisations should also consider which risk treatments to apply to threats that are customer-focused with a low likelihood/high impact, because of the potential impact on the organisation’s reputation for excellent service.

The ISF Threat Heat Map, shown below, plots the threats from the 2014, 2015 and 2016 Threat Horizon reports, based on a combination of views and input from Chapter meetings, Congress sessions and Global Team discussions. As such, it is presented here merely to demonstrate how a Heat Map could be laid out. Each ISF Member is strongly advised to produce their own Heat Map which:

• includes threats specific to their sector, geography, or size
• takes into account specific vulnerabilities that they may face
• has involved others in its compilation, as the exercise of building a Heat Map informs, helps align thinking, raises issues, and promotes awareness and understanding between groups such as senior management and information security.

Figure: ISF Threat Heat Map. Horizontal axis: Likelihood (very low to very high). Vertical axis: Impact (very low to very high). Key: Threat Horizon 2014, Threat Horizon 2015, Threat Horizon 2016. Threats plotted: BYOC adds unmanaged risk; BYOD further increases information risk exposure; Cost pressures stifle critical investment; New technologies overwhelm; More causes come online, activists get more active; Cyber arms race leads to cyber cold war; Mobile apps become the main route for compromise; Nation-state backed espionage goes mainstream; Organisations can’t get the right people; A Balkanized Internet complicates business; Hacktivists create FUD; A focus on privacy distracts from other security efforts; A clouded understanding leads to an outsourced mess; Cyber criminality increases as Malspace matures further; Governments and regulators won’t do it for you; The CEO doesn’t get it; Unintended consequences of state intervention; Skills gap becomes a chasm; Outsourcing security backfires; Encryption fails; New requirements shine a light in dark corners, exposing weaknesses; Information security fails to work with new generations; Big data = big problems; Insiders fuel corporate activism; The CEO gets it, now you have to deliver; Service providers become a key vulnerability; Cyberspace gets physical; Supply chain springs a leak; Information leaks all the time; Crime as a Service upgrades to v2.0.


Appendix C

ISF Threat Radar

Another Threat Horizon 2016 supplementary material mentioned in the body of this report is the ISF Threat Radar. It plots the ability to manage a threat against its potential level of impact, thus helping to determine its relative importance for an individual organisation. It can also show, using arrows, any likely change that may happen over the period in discussion.

It is important to remember that it is neither possible – nor feasible – to defend against all threats. An organisation therefore needs to look closely at its resilience: that is, what plans and arrangements are in place to minimise impact, speed recovery and learn from incidents, in order to further minimise impact in the future. Further detail on cyber resilience is available from the ISF report Cyber security strategies: Achieving cyber resilience.

The illustration below shows how the ten threats in this report may be plotted for a fictional organisation. A short description is shown for each which explains the rationale along with if, and how, the threat may move on the Threat Radar.

Figure: ISF Threat Radar. Horizontal axis: Ability to manage (Very low, Low, Medium, High, Very high). Vertical axis: Impact (Very low to Very high). Threats 1 to 10 are plotted at the positions given in the descriptions that follow.

The organisation in our example designs and manufactures high-end consumer goods. It is a relatively young organisation that has developed a limited number of innovative technology products. It relies on external suppliers for most activities outside of its core business functions, such as IT, HR and Legal. It has outsourced the manufacture and assembly of its product to a partner in Vietnam, while it mostly distributes its product through well-known Internet retailers.

Threat 1: Nation-state backed espionage goes mainstream (High Impact – Low Ability to manage)

The organisation uses cloud services for messaging (emails, instant messenger and calendars), file storage, as well as computing power for simulation and prototyping. Its dependency on its providers’ capability to protect its information is critical. While its head office is in Europe, most of its cloud storage relies on US-based partners.


In 2013, following the PRISM scandal, the organisation became more concerned about unauthorised access to its IP, particularly from its US-based cloud suppliers. It realises that this situation remains volatile and it is difficult to plot where this threat is headed – thus there is no arrow on the diagram.

Threat 2: A Balkanized Internet complicates business (Very high Impact – Very low Ability to manage)

The organisation is dependent on the Internet for all of its business processes. It has locations on both sides of the Atlantic, and relies on the Internet for communications with partners as well as for distribution of its products around the world. A segmentation of the Internet would severely impact its capability to operate.

Senior management remains watchful of the evolution of this situation, but it recognises it has no ability to manage this threat.

Threat 3: Unintended consequences of state intervention (Medium Impact – Medium Ability to manage)

The organisation’s operations make use of partners and suppliers in a number of geographic locations. Changes to legislation and regulations in more than one jurisdiction can therefore have a severe impact on operations, and thus profitability.

The organisation expects to face a high degree of change in this space – the higher the level of flux, the greater the difficulty to manage. This threat is likely to shift as shown on the radar.

Threat 4: Service providers become a key vulnerability (Very high Impact – Medium Ability to manage)

The organisation is critically dependent on its service providers as most activities outside of core business functions are outsourced. This includes all IT services, HR and Legal.

During the contract review period, the organisation demanded and received assurance from providers that they have the required information security arrangements and cyber resilience plans and processes in place. Conscious of the unmitigated risk, the organisation is planning to develop disengagement strategies for the most critical processes. However, this will not be without cost, and the situation may worsen if changes are necessary before plans are in place.

Threat 5: Big data = big problems (High Impact – High Ability to manage)

The organisation is making strategic decisions based on the analysis of big data collected from various sources. The validity and integrity of the information is essential considering the niche market the organisation is targeting with each of its products.

The organisation has introduced a validation process for each data source, but it needs to rely on social networks to gather feedback on its products, without the ability to validate users’ profiles.

Threat 6: Mobile apps become the main route for compromise (Medium Impact – Medium Ability to manage)

The organisation has recently allowed employees’ devices on its network, applying limited controls to apps installed on these devices.

The organisation urges its employees to use the standard apps delivered with their devices and to avoid storing any of the organisation’s information locally on their device, but it does not apply any technical controls. There is a general recognition, however, that this situation may require tighter control.

Threat 7: Encryption fails (Very high Impact – Very low Ability to manage)

The organisation relies on Internet transactions. Whether it is for payment or communication with its partners, it uses encryption to secure these transactions. It complies with regulations and uses a commercially available encryption solution.

The organisation has no information classification in place and has no true understanding of the solutions being used.


Threat 8: The CEO gets it, now you have to deliver (Very high Impact – Very high Ability to manage)

The Internet is essential to the organisation’s business, so senior management and the board are fully aware of cyber risks.

These risks feature high on the board’s agenda and have been a central focus of senior management since the company started.

Threat 9: Skills gap becomes a chasm (Medium Impact – Very high Ability to manage)

The organisation has built its reputation on young, talented individuals who have grown the business. That talent remains essential to the development of the organisation’s business. The organisation has a very flexible working model with several employees able to take over key tasks at a moment’s notice.

Plans are in place to continue to attract and retain talent by positioning the organisation as a leader in its field.

Threat 10: Information security fails to work with new generations (High Impact – Very high Ability to manage)

The organisation has always considered new generations as an opportunity to develop the business further and move into new markets.

The organisation has plans to continue to develop its working environment to promote collaborative and flexible working. It has also developed a tailored awareness programme that takes into account each employee’s role, responsibilities and profile.
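The Heat Map of Appendix B and the Threat Radar above both place threats on a pair of five-point ordinal axes. As an added example that is not part of the ISF report, the following Python script does that placement for both: it lays out the ten Appendix C threats on the radar grid using the impact and ability-to-manage ratings stated above, renders a heat map from a constructed set of likelihood/impact ratings (sample values for illustration, not the ISF's placements), and ranks the threats whose impact exceeds the ability to manage them, the ones the text singles out for resilience planning rather than prevention. The function names and the grid layout are this example's own.

```python
from collections import defaultdict

# Five-point ordinal scale printed on both axes of the Heat Map and the Radar.
SCALE = ["Very low", "Low", "Medium", "High", "Very high"]


def rating_index(rating):
    """Map an ordinal rating to 0..4 (case-insensitive); reject anything off the scale."""
    key = rating.strip().lower()
    for i, name in enumerate(SCALE):
        if name.lower() == key:
            return i
    raise ValueError(f"rating not on scale: {rating!r}")


# Appendix C's ten threats as (id, name, impact, ability to manage), using the
# ratings the report gives for its fictional organisation.
RADAR_THREATS = [
    (1, "Nation-state backed espionage goes mainstream", "High", "Low"),
    (2, "A Balkanized Internet complicates business", "Very high", "Very low"),
    (3, "Unintended consequences of state intervention", "Medium", "Medium"),
    (4, "Service providers become a key vulnerability", "Very high", "Medium"),
    (5, "Big data = big problems", "High", "High"),
    (6, "Mobile apps become the main route for compromise", "Medium", "Medium"),
    (7, "Encryption fails", "Very high", "Very low"),
    (8, "The CEO gets it, now you have to deliver", "Very high", "Very high"),
    (9, "Skills gap becomes a chasm", "Medium", "Very high"),
    (10, "Information security fails to work with new generations", "High", "Very high"),
]


def place(points):
    """points: iterable of (label, x_rating, y_rating). Returns {(x, y): [labels]},
    so the same grid serves any pair of ordinal axes (radar or heat map)."""
    cells = defaultdict(list)
    for label, x_rating, y_rating in points:
        cells[(rating_index(x_rating), rating_index(y_rating))].append(str(label))
    return dict(cells)


def radar_points(threats):
    """Radar convention from the figure: x = ability to manage, y = impact."""
    return [(tid, ability, impact) for tid, _name, impact, ability in threats]


def render(cells, x_label, y_label):
    """ASCII 5x5 grid: y grows upward, x grows rightward; cell text is clipped to 9 chars."""
    lines = [y_label]
    for y in range(4, -1, -1):
        row = [",".join(cells.get((x, y), []))[:9].center(9) for x in range(5)]
        lines.append(f"{SCALE[y]:>9} |" + "|".join(row) + "|")
    lines.append(" " * 10 + "+" + "+".join("-" * 9 for _ in range(5)) + "+")
    lines.append(" " * 11 + "".join(s.center(10) for s in SCALE))
    lines.append(" " * 11 + x_label.center(50))
    return "\n".join(lines)


def resilience_priorities(threats):
    """Threats whose impact outstrips the ability to manage them, largest gap first.
    These are the ones that call for resilience planning (minimise impact, speed
    recovery) because they cannot simply be prevented."""
    ranked = []
    for tid, name, impact, ability in threats:
        gap = rating_index(impact) - rating_index(ability)
        if gap > 0:
            ranked.append((tid, name, gap))
    ranked.sort(key=lambda t: (-t[2], t[0]))
    return ranked


if __name__ == "__main__":
    print(render(place(radar_points(RADAR_THREATS)), "Ability to manage", "Impact"))
    # Heat map for a few Appendix B threat names; these likelihood/impact
    # ratings are constructed for illustration, not the ISF's placements.
    heat = [("BYOC", "High", "Low"), ("SupplyCh", "High", "High"),
            ("Encrypt", "Low", "Very high")]
    print(render(place(heat), "Likelihood", "Impact"))
    for tid, name, gap in resilience_priorities(RADAR_THREATS):
        print(f"Threat {tid}: {name} (impact exceeds ability to manage by {gap})")
```

Running the script prints the radar with threats 2 and 7 sharing the top-left cell (very high impact, very low ability to manage), which is exactly where the descriptions above place them; the ranking then lists 2 and 7 first, followed by 1 and 4. Swapping in an organisation's own ratings is a one-list change, which is the point of the ISF's advice that each Member build its own map.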


Appendix D

About this report

Methodology

Each year the Threat Horizon series identifies the top threats to cyber resilience over an 18-24 month time horizon. We recommend Members review and discuss the threats in this report to assess their relevance for Members’ individual organisations. The ISF believes that this report can be used as a tool not only for developing a forward-looking cyber resilience strategy, but also to enable communication with senior management.

Figure: Threat Horizon methodology, showing the PLEST categories (Political, Legal and Regulatory, Economic, Socio-cultural, Technological), the Threat Dataset and the Threat Horizon Report (Threat Horizon 2016: On the edge of trust, January 2014).

This report is based on:

• Discussion at global ISF Chapter meetings
• Council input
• Advisory Board input
• Threat Horizon workshops at the ISF Annual World Congress in Paris
• Interviews and discussions with ISF Members around the world and on ISF Live
• Input from business leaders across industry sectors
• News, articles, conference presentations, blogs and online research.

Further actions

We recommend that Members review and discuss the threats contained in this report in the context of their organisation: which are more likely to apply to your industry or geography? What is their potential impact? How should you respond? Doing so should prompt other threats – this is important because it is not possible for anyone to predict the future with 100% accuracy.

Members can use Threat Horizon in ways other than threat brainstorming and determining risk treatment. ISF Members have told us that they use Threat Horizon reports in the following ways:

As a communications and awareness tool, to:

• help frame future thinking and discussion
• assist strategic planning
• form a basis for awareness activities
• create an opportunity to engage with different audiences.

As an input to information risk management activities, to:

• understand impact
• prepare responses to anticipated threats
• determine future changes to business critical systems
• help build a credible business case to enhance the information security function (which is cheaper to do up-front than after an incident).


Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

For further information contact:
Information Security Forum
Tel: +44 (0)20 7213 1745
Fax: +44 (0)20 7213 4813
Email: [email protected]
Web: www.securityforum.org

Reference: ISF 14 01 01 Copyright © 2014 Information Security Forum Limited. All rights reserved.