Managing security risks
01 May 2012
Annual report provides organisations with insights into managing risks as security threats collide.
The range and complexity of information security threats is set to rise significantly over the next two years and organisations that fail to prepare now will struggle to handle the challenges later.
This forecast is according to Threat Horizon 2014: Managing Risks When Threats Collide, the latest in a series of Threat Horizon reports from the Information Security Forum (ISF), an independent information security body and authority on cyber security and information risk management.
The report challenges the traditional approach to managing security risks, which has typically fallen to the information security function, and recommends that organisations take a much more strategic and business-based approach to risk management. To take advantage of both technology and cyberspace, organisations must manage new risks beyond those traditionally covered by the information security function, including attacks on reputation and all manner of technology.
“While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organised criminals adopt techniques developed by online activists,” said Steve Durbin, Global Vice President, ISF. “Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace. While executives recognise the benefits and opportunities cyberspace offers, their organisations must extend risk management to become more resilient, based on a foundation of preparedness. We are advising our members that this is the year of resilience and to be prepared to move at the speed of a Tweet!”
Threat Horizon 2014 provides a practical place for organisations to start by providing a forward-looking view of the increasing threats in today’s interconnected, always-on world. This in turn enables a better-prepared, strategic approach to managing and mitigating security risks.
The report identifies three main drivers and provides organisations with practical guidance on how to deal with increasingly complex threats, including:
• External threats that come from the increasing sophistication of cybercrime, state-sponsored espionage, activism moving online, and attacks on systems that have a physical impact in the real world, for example industrial control systems
• Regulatory threats that come as regulators call for greater transparency about incidents and security preparedness, while increasing requirements for data privacy
• Internal threats that come as technology introduces new benefits at a relentless pace and the business adopts them without fully understanding the risks
The report also highlights 10 predictions, grouped under the three threat groups, along with the potential business impacts, and provides recommended actions at the end of each one:
• Cyber criminality increases as Malspace matures
• The cyber arms race leads to a cyber cold war
• More causes come online; activists get more active
• Cyberspace gets physical
• New requirements shine a light in dark corners exposing weaknesses
• A focus on privacy distracts from other security efforts
• Cost pressures stifle critical investment
• A clouded understanding leads to an outsourced mess
• New technologies overwhelm
• The supply chain springs a leak as the insider threat comes from outside
Durbin adds: “From cyber to insider, organisations have varying degrees of control over evolving security threats. With the speed and complexity of the threat landscape changing on an almost daily basis, we are seeing businesses being left behind, sometimes in the wake of reputational and financial damage – they need to take stock now to ensure they are fully prepared and engaged.”
The ISF Threat Horizon series of reports is aimed at both senior business audiences and information security professionals. These annual reports are designed to help organisations take a proactive stance to security risks by highlighting challenges in the threat landscape and identifying how the confidentiality, integrity and availability of information may be compromised in the future.
Threat Horizon 2014 contains detailed predictions along with trends and other factors that can increase or decrease the probability of the predictions coming true.