In the year ahead, organizations must prepare for the unknown. They can do so by ensuring they have the flexibility to endure unexpected and high-impact cybersecurity events. Businesses will need to manage security risks in ways beyond those traditionally handled by the information security function, as well. Increasingly innovative attacks will most certainly impact both business reputation and shareholder value. And for some organizations, these attacks will come from well-funded and technologically advanced actors.
Based on comprehensive assessments of the threat landscape, we believe businesses must focus on the following security areas in 2020: the race for technology dominance among nation-states; third parties, the internet of things (IoT), and the cloud; and cybercrime, from both internal and external sources.
Evidence of fracturing geopolitical relationships started to emerge in 2018 demonstrated by the United States and China trade war and the United Kingdom’s increasing desire to exit the European Union. In 2020, the United States and China will increase restrictions and protectionist measures in pursuit of technology leadership. That will lead to a heightened digital “cold war” in which the prize is data.
This race to develop strategically important next-generation technology will drive a rise in nation-state-backed espionage. The ensuing knee-jerk reaction of a global retreat into protectionism, increased trade tariffs, and trade embargoes will dramatically reduce the opportunity to collaborate on the development of new technologies. The U.K.’s exclusion from the EU Galileo satellite system as a result of Brexit is one example.
At the same time, new regulations and international agreements will come up short in an attempt to address the issues raised by technology’s impact on society. Regulatory tit-for-tat battles will manifest across nation-states and, rather than encourage innovation, are likely to stifle and constrain it. At the same time, they will push up costs and increase the complexity of cross-border trade.
Digitally connected devices and superfast networks will prove to be a security concern as modern life becomes entirely dependent on these devices and their software. Highly sophisticated and extended supply chains present new risks to corporate data as it is necessarily shared with third-party providers.
Few devices exist in isolation, and it is the internet component of the IoT that reflects that dependency. For a home or a commercial office to be truly “smart,” multiple devices need to work in cooperation. For a factory to be “smart,” multiple devices need to operate and function as an intelligent whole. However, this interconnectivity presents several security challenges, not least in the overlap of consumer and industrial technologies.
Finally, since so much critical data is held in the cloud, cyber criminals and nation-states will have new opportunities to disrupt economies and take down critical infrastructure and entire companies.
Criminal organizations have a massive resource pool available to them in the form of nation-states outsourcing cyberattacks as a means of establishing deniability.
Nation-states have fought for supremacy throughout history, and more recently, this has involved espionage targeted at nuclear, space, information, and now smart technologies. Commercial organizations developing strategically important technologies will be systematically targeted as national and commercial interests blur. Targeted organizations should expect to see sustained and well-funded attacks involving a range of techniques, such as zero-day exploits, distributed denial-of-service, and advanced persistent threats.
Additionally, the insider threat is one of the greatest drivers of security risks that organizations face and will remain so in 2020. Malicious insiders will continue to utilize their credentials to gain access to an organization’s critical assets. Many organizations are challenged to detect internal nefarious acts, often due to limited access controls and the ability to detect unusual activity once someone is already inside the network.
Involving the Board
The executive team sitting at the top of an organization has the clearest, broadest view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cybersecurity will be unmanageable.
Covering all the bases — defense, risk management, prevention, detection, remediation, and incident response — is better achieved when leaders contribute their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.
Given the rapid pace of business and technology and the countless elements beyond the C-suite’s control, traditional risk management simply isn’t nimble enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience, and responsiveness is the surest way to secure assets and protect people.
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security, digitalization and the emerging security threat landscape across both the corporate and personal environments.