Information security threats are intensifying every day. Organizations risk becoming disoriented and losing their way in a maze of uncertainty, as they grapple with complex technology, data proliferation, increased regulation, and a debilitating skills shortage.
The year 2020 will dawn on a hyper-connected world where the pace and scale of change — particularly in terms of technology — will have accelerated remarkably. People will find themselves caught in a vortex of economic volatility and political uncertainty far beyond the levels experienced today. The consequences will be job losses, social divisions and civil unrest. While some organizations will find ways to prosper in this new world, many will struggle. The determining factor will be the degree to which organizations are prepared to meet the challenges.
At the Information Security Forum, we recently released Threat Horizon 2020, the latest in an annual series of reports that provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world. In Threat Horizon 2020, we highlighted the top three threats to information security emerging over the next two years, as determined by our research, which should be of significant interest to chief executives.
Let’s take a quick look at these threats and what they mean for your organization:
THREAT #1: CONFLICT LOOMS
Nation states and terrorist groups will increasingly weaponize the cyber domain, launching attacks on critical national infrastructure that cause widespread destruction and chaos. With power, communications and logistics systems down, organizations will lose the basic building blocks needed for doing business. Heating, air conditioning, lighting, transport, information, communication and a safe working environment will no longer be taken for granted.
Cyber and Physical Attacks Combine to Shatter Business Resilience: Nation states and terrorists will combine traditional military force with their increasingly sophisticated cyber arsenals to launch attacks that create maximum impact. Organizations will face interruptions to business as cities become no-go zones and vital services are rendered unavailable, with governments, militaries and emergency services struggling to respond effectively to concurrent physical and cyber incidents.
Satellites Cause Chaos on the Ground: As an integral part of almost every walk of life, satellite systems will be targeted. Organizations are more reliant on satellites than ever before, routinely using global positioning systems (GPS) and communications services. Disabling or spoofing signals from GPS will put lives at risk and impact global travel and financial markets. Attackers may also target media, communications, meteorological and military functions to further disrupt operations and trade.
Weaponized Appliances Leave Organizations Powerless: Enemies aiming to inflict damage will take advantage of vulnerabilities in connected appliances such as thermostats, refrigerators, dishwashers and kettles to create power surges strong enough to knock out regional power grids. This relatively unsophisticated attack will bring operations to a grinding halt for organizations in affected areas, as governments prioritise restoring vital services over trade.
THREAT #2: TECHNOLOGY OUTPACES CONTROLS
Technology has advanced at an astonishing rate in the last decade and the pace is only set to accelerate. Capabilities that seemed impossible only a short time ago will develop extremely quickly, aiding those who see them coming and hindering those who don’t. Developments in smart technology will create new possibilities for organizations of all kinds — but they will also create opportunities for attackers and adversaries by reducing the effectiveness of existing controls. Previously well-protected information will become vulnerable.
“Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees.”
Quantum Arms Race Undermines the Digital Economy: The emergence of quantum computing will herald a step change in processing power, shifting perceptions about what computers can achieve. However, the increase in performance will enable those who develop or acquire the technology to break current encryption standards. With a fundamental security mechanism rendered obsolete, information and transactions of all kinds will suddenly become vulnerable.
Artificially Intelligent Malware Amplifies Attackers’ Capabilities: Attackers will also take advantage of breakthroughs in artificial intelligence (AI) to develop malware that can learn from its surrounding environment and adapt to discover new vulnerabilities. Such malware will surpass the performance of human hackers, exposing information including mission-critical information assets and causing financial, operational and reputational damage.
Attacks on Connected Vehicles Put the Brakes on Operations: While advanced computing power will be used to directly target information assets, the prevalence of computers in connected vehicles will create new physical threats. By hacking connected systems, including those that control the vehicle, attackers will cause accidents that threaten human life and disrupt supply chains — not to mention impacting the reputation and revenue of vehicle manufacturers.
THREAT #3: PRESSURE SKEWS JUDGEMENT
Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organizations that have a good record of securing information will be at risk of complacency, judging that the way they have always done things will continue to work in the future — a dangerous attitude to take.
Biometrics Offer a False Sense of Security: Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and promising added security for corporate information. But organizations will sleepwalk towards a degradation of access controls as this sense of security turns out to be false: biometrics will frequently be compromised by attackers who learn to find increasingly sophisticated ways to overcome them.
New Regulations Increase the Risk and Compliance Burden: Organizations will wrestle with an incredibly burdensome risk environment characterized by complex, conflicting and confusing regulatory demands that overwhelm existing compliance mechanisms. Demands for transparency will lead to information being stored in multiple locations and with third parties, increasing the likelihood of a data breach occurring. At the same time, new data privacy regulations will greatly increase the financial impact of a breach by levying materially significant fines.
Trusted Professionals Divulge Organizational Weak Points: Increasing pressure on trusted professionals will lead some to divulge their organization’s weak points. Those entrusted with protecting information will be targeted or tempted to abuse their position of trust. Financial temptation, coercion and simple trickery will combine with reduced employee loyalty — taking the insider threat to a new dimension.
Preparation Must Begin Now
Information security professionals are facing increasingly complex threats — some new, others familiar but evolving. Their primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
In the face of mounting global threats, organization must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.
The three themes listed above could impact businesses operating in cyberspace at breakneck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren’t prepared.