Information Security Forum releases 2018 Global Security Threat Outlook

Nov. 28, 2017
Crime-as-a-Service, privacy regulations and unmet board expectations top list of key threats to businesses

The Information Security Forum (ISF), a global, independent information security body considered the world's leading authority on cyber security and information risk management, has announced the organization’s outlook for the top five global security threats that businesses will face in 2018. Key threats for the coming year include:

  • Crime-As-A-Service (CaaS) Expands Tools and Services
  • The Internet of Things (IoT) Adds Unmanaged Risks
  • Supply Chain Remains the Weakest Link in Risk Management
  • Regulation Adds to Complexity of Critical Asset Management
  • Unmet Board Expectations Exposed by Major Incidents

In the coming year, the number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas, such as network clean-up and customer notification, as well as newer areas such as litigation involving a growing number of parties. Angry customers will pressure governments to introduce tighter data protection legislation, bringing new and unforeseen costs. The resulting mess of international regulations will create new compliance headaches for organizations while doing little to deter attackers. Not only will the number of data breaches grow, but so will their scale, and individuals around the world will wearily expect their personal data to be compromised. In some cases, sophisticated defenses will be circumvented by persistent criminal organizations that swiftly exploit stolen data. The significant cost of the resulting cyber-crimes will rise steeply.

“The scope and pace of information security threats are jeopardizing the veracity and reputation of today’s most reliable organizations. In 2018, we will see increased sophistication in the threat landscape with threats being personalized to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place,” said Steve Durbin, Managing Director of the ISF. “These days, the stakes are higher than ever before. High-level corporate secrets and critical infrastructure are regularly under attack, and organizations of all sizes need to be aware of the significant trends that we forecast in the year to come.”

The top five threats identified by the ISF for 2018 are not mutually exclusive and can combine to create even greater threat profiles. The most prevalent threats include:

Crime-As-A-Service (CaaS) Expands Tools and Services

Criminal organizations will continue their ongoing development and become increasingly sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with cryptoware in particular becoming the leading malware of choice for its threat and impact value. The resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls.

The Internet of Things (IoT) Adds Unmanaged Risks

Organizations will adopt IoT devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly-evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices such as smartphones and smart TVs. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection. In a worst-case scenario, when IoT devices are embedded in industrial control systems, security compromises could result in harm to individuals or even loss of life.

Supply Chain Remains the Weakest Link in Risk Management

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised. In the coming year, organizations must focus on the weakest spots in their supply chains. Not every security compromise can be prevented beforehand, but being proactive now means that you, and your suppliers, will be better able to react quickly and intelligently when something does happen. To address information risk in the supply chain, organizations should adopt strong, scalable and repeatable processes, obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes. This readiness may determine competitiveness, financial health, share price, or even business survival in the aftermath of a breach.

Regulation Adds to Complexity of Critical Asset Management

New regulations, such as the European Union General Data Protection Regulation (GDPR), will add another layer of complexity to the issue of critical information asset management that many organizations are already struggling with. The GDPR aims to establish the same data protection levels for all EU residents and will focus on how organizations handle personal data. Businesses face several challenges in preparing for the reform, including a widespread lack of awareness among internal stakeholders. The additional resources required to address the obligations are likely to increase compliance and data management costs while pulling attention and investment away from other important initiatives. In the longer term, organizations will benefit from the uniformity introduced by the reform. But it is not just in the area of privacy where legislation will bite. The increasing burden of compliance and the legislative variances across jurisdictions will weigh most heavily on multi-nationals and on businesses targeting international trade.

Unmet Board Expectations Exposed by Major Incidents

Boards will expect that their approval of increased information security budgets will have enabled the Chief Information Security Officer (CISO) and the information security function to produce immediate results. However, a fully secure organization is an unattainable goal, and many boards are unaware that making substantial improvements to information security will take time – even when the organization has the correct skills and capabilities. Consequently, the expectations of boards will quickly accelerate beyond their information security functions’ ability to deliver. Misalignment between a board’s expectations and the reality of the security function’s ability to deliver will be most cruelly exposed when a major incident occurs. Not only will the organization face substantial impact, the repercussions will also reflect badly on the individuals and collective reputations of the board members.

ISF Threat Horizon Reports

The threats outlined above are included in the annual ISF Threat Horizon series of reports, aimed at both senior business executives and information security professionals. These reports are designed to help organizations take a proactive stance to security risks by highlighting challenges in the threat landscape and identifying how the confidentiality, integrity and availability of information may be compromised in the future. For more information, please visit the ISF website and register for Mr. Durbin’s presentation detailing these threats via this link.

About the Information Security Forum

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. The organization is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. By working together, ISF Members avoid the major expenditure required to reach the same goals on their own. Consultancy services are available and provide ISF Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.

For more information on ISF membership, please visit https://www.securityforum.org/.