Is the security of your online business operations at risk? Are you missing out on potential customers or collaborative partners because they don't trust your IT or information systems?
If you answered 'yes' to either of these questions then you need to continue reading this article! Set out below are our top 10 predictions for cybercrime, cyber security, and data protection over the next decade. The predictions can help you and your organisation prioritise and plan a security risk strategy.
We don't claim to be mystics or Nostradamus so won't give any warranties for the information we've provided. But we do think our top 10 IT security predictions are important considerations for SMEs looking to do better business online over the next decade.
Today's cyber security climate
In 2012, the eyes of the world turned towards the United Kingdom as we hosted both the Olympic Games and the Summer Paralympics.
The security accompanying these two events was unprecedented. Not only were ground-to-air missiles on standby to repel physical terrorist attacks, but cyber security specialists were also quietly working around the clock to protect the UK's information and communications networks.
The big events of 2012 highlighted the threats that organisations face every day. Criminals prey upon an organisation's failure to understand online crime and cyber security, and strike when it least expects it. The Government estimates that cyber crime costs the UK economy £27bn a year, made up of £21bn of costs to businesses, £2.2bn to government and £3.1bn to citizens. That's why ministers launched the Cyber Security Strategy in November 2011, which sets out how the UK will support economic prosperity, protect national security and safeguard the public's way of life by building a more trusted and resilient digital environment.
Organisations need to get smarter about how they deal with spyware, phishing attacks, internal hacking, viruses and other threats. Here are E RADAR's 10 security challenges everyone needs to consider over the next decade.
Prediction 1. More attacks on mobile technology
Threats to mobile technology, not just from stolen or misplaced devices, but from a new breed of malware optimized to attack tablets and smartphones will increase.
More employees are now using their own personal devices at work. This change in how we use technology requires organisations to tighten up their policies in order to control staff behaviour and ring-fence business-critical data and information from personal apps and accounts on the same device.
Suggested Reading: Mobile 'M' Commerce
Prediction 2. Social media engineering
Just when you thought your organisation was dealing with phishing via regular email, it will now need to address the growing use of social networks for phishing and other social engineering.
Phishing is an attempt to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public as well as employees. The lure typically carries a link whose visible text, sender name or host name imitates the genuine organisation while the real destination is controlled by the attacker.
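As an added illustration (not code from the original article), the Python below shows the mechanics of a masquerading lure and one way to spot it: it pulls every link out of an HTML message body and flags links whose visible text names one domain while the target is another, links that bury a trusted brand name in a subdomain, one-character lookalikes, punycode hosts and bare IP addresses. The brand list, the sample message and the domain heuristics are assumptions constructed for the example; a real check would use the Public Suffix List rather than the crude `registrable_domain` guess here.

```python
"""Spot masquerading links in an HTML message body (constructed demo)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands the organisation expects genuine mail from.
TRUSTED_DOMAINS = {"paypal.com", "facebook.com", "ebay.co.uk"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text_or_url):
    """Host part of a URL; also accepts bare text such as 'www.paypal.com'."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return (urlparse(text_or_url).hostname or "").lower()


def registrable_domain(host):
    """Crude brand domain: last two labels, or three for co.uk-style hosts.
    Assumption: good enough for the demo; real code should use the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes (paypa1.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_links(html_body):
    """Return [(href, reason)] for links whose target does not match what they pretend to be."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        domain = registrable_domain(host)
        reasons = []
        # 1. The visible text names a domain, but the link goes somewhere else.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            text_domain = registrable_domain(host_of(text))
            if text_domain != domain:
                reasons.append(f"text shows {text_domain}, link goes to {domain}")
        for brand in sorted(TRUSTED_DOMAINS):
            if domain == brand:
                continue
            if brand.split(".")[0] in host:  # 2. brand buried in a subdomain
                reasons.append(f"'{brand}' appears in host but registrable domain is {domain}")
            elif edit_distance(domain, brand) == 1:  # 3. one-character lookalike
                reasons.append(f"{domain} is one edit away from {brand}")
        if "xn--" in host:  # 4. punycode host: possible homoglyph spoof
            reasons.append("internationalised (punycode) host")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # 5. bare IP address
            reasons.append("target is a bare IP address")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample lure: three masquerading links and one genuine one.
SAMPLE_MAIL = (
    "<p>Your account has been limited. Please confirm your details.</p>"
    '<a href="http://paypal.com.account-verify.example/login">www.paypal.com</a> '
    '<a href="http://xn--pypal-4ve.com/">Restore access</a> '
    '<a href="http://paypa1.com/signin">Sign in</a> '
    '<a href="https://www.paypal.com/uk/help">Help centre</a>'
)

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run as a script it reports the first three links and stays silent on the genuine help-centre link. The same checks apply unchanged to a direct message or wall post from a social network, which is the point of this prediction: the channel changes, the masquerade does not.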
Suggested Reading: How to write a Web 2.0 Policy
Prediction 3. SMEs will become more visible targets
Research by the University of Worcester suggests that 60 per cent of small and medium-sized enterprises (SMEs) do not have a security policy in place.
Most small businesses now have digital information systems. Many are online, and taken together, SMEs form a large part of the UK's national information infrastructure. However, the limited resources of smaller companies mean that they are often unable to focus as closely as they may wish on what may be perceived as peripheral activities, including information assurance.
Suggested Reading: IASME Information Assurance Certification
Prediction 4. Cloud security incidents will occur
Cloud computing describes computation, software, data access, and storage services not requiring end-user knowledge of the physical location and configuration of the system that delivers the services. Cloud security incidents will give us all a better insight into what threats we are up against.
Though all cloud vendors try their best to fend off attackers, no security control should be assumed to be foolproof. Rogue cloud service providers based in countries with lax cybercrime laws can also offer confidential hosting and data storage services. This will facilitate the storage and distribution of criminal data while avoiding detection by law enforcement agencies.
Suggested Reading: Legal risks in cloud computing
Prediction 5. Increased sharing of best practice
More sharing of best practice between the private and public sectors will take place as public bodies become more frequent targets for cyber attacks.
Public sector organisations will always need to consider whether they have the legal power to share information with another organisation if they so wish, or the ability to do so. The legal framework that applies to private and third sector organisations differs from that which applies to public sector organisations, which may only act within their statutory powers.
However, all organisations must comply fully with the data protection principles. Most private and third sector organisations have a general ability to share information provided this does not breach the Data Protection Act 1998 (DPA) or any other law. The starting point in deciding whether any data sharing initiative may proceed should be to identify the legislation that is relevant to your organisation. Even if this does not mention data sharing explicitly, and usually it will not, it is likely to lead you to the answer.
Prediction 6. More privacy concerns over geolocation
Privacy concerns will challenge the use of geolocation services, such as targeted mobile marketing. This will prompt the need for more consumer privacy discussions.
The recently published opinion of the 'Article 29 Data Protection Working Party' on 'Geolocation services on smart mobile devices' concludes that, as a general rule, specific opt-in consent from the user will be required to collect and use geolocation information for information society services.
Prediction 7. Focus on security management
Security management and monitoring will become more important, as threats become sneakier.
The purpose of security management and monitoring is to protect the organisation and its staff from violence and abuse, and to take appropriate action against those who abuse, or attempt to abuse, them. Property, facilities, equipment and other resources, including data and information, all need protecting too.
Suggested Reading: Monitoring at Work
Prediction 8. More incident response policies
Security incident response policies (and teams) will become more formal as the threats to data and information security continue to increase and may give rise to corporate liability.
The term 'security incident' (and 'suspected incident') is very broad and includes, but is not limited to, events that affect the confidentiality, availability or integrity of the organisation's data and information: unauthorised disclosure, denial of access, destruction or modification.
Examples of security incidents can include:
- Using another user’s login id
- Unauthorised disclosure of information
- Leaving confidential / sensitive files out
- Theft of IT equipment
- Accessing a person's records inappropriately e.g. viewing a colleague's personnel file without authorisation.
- Writing down passwords
Diligent employees should question procedures, protocols and events that they consider could cause damage, harm, distress or a breach of compliance, or bring the organisation's name into disrepute.
Prediction 9. More ad hoc security compliance
By focusing on ad hoc compliance, organisations will overlook the bigger picture as well as key vulnerabilities. When budgets are tight and resources are stretched it is easy to become complacent about things that really matter.
Compliance is bottom-up, governance top-down. The organisation needs to mesh these two concepts together in all aspects of risk management, using a well-developed strategy that sets out a 'plan, do, check, act' approach to addressing the risks identified.
Prediction 10. Notification laws more widespread
Although there is currently no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office. This situation is likely to change with the new EU data protection regulation expected in late 2015.
There is, however, a duty on providers of public electronic communications services (under the Privacy and Electronic Communications Regulations) to notify the ICO if a 'personal data breach' occurs. Service providers must also notify customers if the breach is likely to adversely affect customers' privacy, and must keep a breach log.
What is a personal data breach?
A breach of personal data is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
The nature of the breach or loss can then be considered alongside whether the data controller is properly meeting its responsibilities under the Data Protection Act 1998. For serious breaches of data protection the maximum monetary penalty is now £500,000. This penalty is likely to increase significantly under the new data protection regulation.