Is your supply chain security at risk? Are you missing out on potential partners, customers or collaborative partners because they don’t trust your IT systems?
If you answered ‘yes’ to either of these questions then you need to continue reading this article! Set out below is our top 10 predictions for e-crime and cyber security in 2012 which can help your organisation prioritise and plan a security risk strategy.
We don’t claim to be mystics or Nostradamus so won’t give any warranties for the information we’ve provided. But we do think our top 10 IT security predictions are important considerations for your online business.
Today’s e-crime climate
In 2012, the eyes of the world will turn towards the United Kingdom as we celebrate the Queen’s Diamond Jubilee and host both the Olympic Games and the Summer Paralympics.
The security accompanying these single events will be unprecedented as we showcase the very best of Britain. Not only will ground to air missiles be on standby ready to repel any physical terrorist attacks, but cyber security specialists will be working around the clock to protect the UK’s information and communications networks.
But, despite all these measures, cyber criminals will still try to push their luck!
The big events in 2012 highlight the daily threats facing organisations every day. Criminals are preying upon the organisation’s failure to get a deep understanding of online crime and cyber security, and strike when they least expect! The Government estimates that cyber crime costs the UK economy £27bn a year, made up of £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens. That’s why ministers launched the Cyber Security Strategy in November 2011 which sets out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
Organisations do need to get smarter on how to deal with spyware, phishing attacks, internal hacking, viruses, and other potential threats! So, this is what we are thinking for 2012…
Prediction 1. More attacks on mobile technology
Threats to mobile technology, not just from stolen or misplaced devices, but from a new breed of malware optimized to attack tablets and smartphones will increase.
More employees are now using their own personal devices at work. This change in how we are using technology requires organisations to tighten up on policies in order to control staff behaviour and ring fence business critical data and information.
- E RADAR Members Briefing: Mobile ‘M’ Commerce
Prediction 2. Social media engineering
Just when you thought your organisation was dealing with phishing via regular email, it will now need to address increasing bad behaviour from within social networks.
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public as well as employees.
- E RADAR Members Briefing: Writing a Web 2.0 Policy
Prediction 3. Small businesses will become more visible targets
Research by the University of Worcester suggests that 60 per cent of small and medium-sized enterprises (SMEs) do not have a security policy in place.
Most small businesses now have digital information systems. Many are online, and taken together, SMEs form a large part of the UK’s national information infrastructure. However, the limited resources of smaller companies mean that they are often unable to focus as closely as they may wish on what may be perceived as peripheral activities, including information assurance.
Prediction 4. Cloud security incidents will start to occur
Cloud computing describes computation, software, data access, and storage services not requiring end-user knowledge of the physical location and configuration of the system that delivers the services. Cloud security incidents will give us all a better insight into what threats we are up against.
Though all cloud vendors try their best to fend off hackers, no security setting is assumed to be foolproof. Rogue cloud service providers based in countries with lax cybercrime laws can also provide confidential hosting and data storage services. This will facilitate the storage and distribution of criminal data, avoiding detection by law enforcement agencies.
- E RADAR Members Briefing: Legal risks in cloud computing
Prediction 5. Increased sharing of best practice between private and public sectors
More public-private sharing of best practices will (or should) start happening as public bodies become more frequent targets for cyber attacks.
Public sector organisations will always need to consider whether they have the legal power to share information with another organisation if they so wish, or the ability to do so. The legal framework that applies to private and third sector organisations differs from that which applies to public sector organisations, which may only act within their statutory powers.
However, all organisations must comply fully with the data protection principles. Most private and third sector
organisations have a general ability to share information provided this does not breach the DPA or any other law. The starting point in deciding whether any data sharing initiative may proceed should be to identify the legislation that is relevant to your organisation. Even if this does not mention data sharing explicitly, and usually it will not do so, it is likely to lead you to the answer to this question.
- Read: ICO Data Sharing Code of Practice (external link)
- Read: Information and ID Governance Working Group (Information Society Alliance)
Prediction 6. Growing privacy concerns over geolocation services
Privacy concerns will challenge the use of geolocation services, such as targeted mobile marketing. This will prompt the need for more consumer privacy discussions.
The recently published opinion of the ‘Article 29 Data Protection Working Party’ on ‘Geolocation services on smart mobile devices’ concludes that generally specific opt-in user consent will be required to collect and use geolocation information for information society services.
- E RADAR Members Briefing: Mobile ‘M’ Commerce
Prediction 7. More focus on security management and monitoring
Security management and monitoring will become more important, as threats become sneakier.
The purpose of security management and monitoring is to protect the organisation and its staff from violence and abuse, taking appropriate action against those who abuse, or attempt to abuse them. Property, facilities, equipment and other resources, including data and information all need protecting too.
- E RADAR Members Briefing: Monitoring @ Work – 11 years on
Prediction 8. More formal security incident response policies
Security incident response policies (and teams) will become more formal as the threats to data and information security continue to increase and may give rise to corporate liability.
The term security incident and suspected incidents is very broad and includes, but is not limited to, incidents that effect disclosure, denial of access to, destruction or modification of the organisation’s data and information.
Examples of security incidents can include:
- Using another user’s login id
- Unauthorised disclosure of information
- Leaving confidential / sensitive files out
- Theft of IT equipment
- Accessing a person’s records inappropriately e.g. viewing a colleague’s personnel file without authorisation.
- Writing down passwords
Diligent employees should question procedures, protocols and events that they consider could cause damage, harm, distress, break of compliance or bring the organisation’s name into disrepute.
Prediction 9. More adhoc security compliance
By focusing on ad hoc compliance, organisations will overlook the bigger picture as well as key vulnerabilities. When budgets are tight and resources are stretched it is easy to become complacent about things that really matter.
Compliance is bottom-up, governance top-down. The organisation needs to mesh together these two concepts in all aspects of risk management using a well-developed strategy that sets out a ‘plan do check act’ approach to removing any threats identified.
Prediction 10. Breach notification laws will become more widespread
Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office.
The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the Data Protection Act 1998. For serious breaches of data protection the maximum fine is now £500,000.
- Read: Notification of Data Security Breaches to the Information Commissioner’s Office (external website)