Key information security trends to be on the lookout for in 2014 include new types of attacks, an increased mobile security threat and greater government pressure for standards compliance, according to experts.
Global IT governance association ISACA believes cybersecurity professionals should be prepared for fast-paced change and more complexity in 2014.
“The pace of change expected in 2014 will put incredible pressure on technology professionals in the workplace with a focus on keeping IT risk in check while at the same time delivering value to the business,” said Bhavesh Bhagat, CEO of risk & technology solutions company EnCrisp, and member of ISACA’s business and technology committee.
Rick Dakin, the chief security strategist for IT security firm Coalfire, predicts we’ll see emerging security challenges for which many businesses are not prepared.
And Malcolm Marshall, the U.K. and global leader of the information protection and business resilience team at professional services consultancy KPMG, believes governments will focus more on business compliance with cybersecurity regulations over the next year.
“As governments worry about the scale of the cybersecurity threat, we can expect to see more national standards emerge, and greater pressure for ‘voluntary’ compliance,” he said, giving the proposed U.S. cybersecurity framework and the U.K. government’s “kitemark standard” as examples.
Marshall also foresees growth in the cyberinsurance market as insurance companies develop and begin to provide market incentives for compliance. “Noncompliance will also lead to a legal debate over liability for incidents,” he said.
Predictions and trends in cybersecurity to look out for in 2014 include:
* A significant security breach at a cloud service provider. “This should be a big concern since a single cloud provider may house sensitive information on tens, if not hundreds of thousands of individuals,” said Dakin. Business owners should recognize the increased necessity of evaluating risk within their third-party provider systems and in provider/vendor relationships to keep trade secrets secret and prevent intellectual property from becoming the property of others, he said.
* The acceleration of the migration from compliance to IT risk management. “This migration from the data center to the boardroom marks the end of cyber evangelism,” said Dakin. “If you manage security for a medium to large enterprise and are not providing a comprehensive risk assessment and risk mitigation strategy to your executive team and board, you may be behind the times.”
* The shift in security from static boundary protection to proactive monitoring and response. Dakin explained that emerging threats that use malware to conduct extensive reconnaissance prior to executing an attack make relying solely on the static firewall an obsolete strategy. “We are already seeing a shift at our forward-thinking clients where they have implemented larger and more focused monitoring teams to collect and consolidate information that lets them analyze, report on, and react to new threats,” he said.
Smart leaders are enabling their security experts to become hunters instead of just defenders, agreed Bhagat. “This allows them to proactively seek out the most hard-to-detect threats, build internal intelligence capabilities, construct better metrics and invest in operational risk analysis.”
* A significant increase in malware targeting mobile applications. According to a recent Juniper Research report, more than 80 percent of all enterprise and consumer-owned smartphones still aren’t protected from malware. Malware creation will reach a record high in 2014 and Android devices will be the most vulnerable to potential threats, according to cloud security company Panda Security, which predicts Java exploits and social media attacks will pose the most damaging threats.
“Security holes in Java have been responsible for most infections detected throughout 2013, and this is not likely to change during 2014,” PandaLabs Technical Director Luis Corrons wrote in a blog post. “The fact that Java is installed on billions of computers and is apparently affected by countless security flaws has made it a favorite target of cyber-criminals.”
“We can also expect more targeted attacks as criminals tailor their e-mail campaigns and carefully choose … unsuspecting users,” said Marshall, adding that distributed denial-of-service attacks could potentially be the biggest threat to businesses and infrastructure during 2014.
“If your organization is thinking of developing or deploying mobile applications, you should consider integrating a mobile security specialist in the design and deployment of that application before sensitive data is collected, processed or stored,” advised Dakin.
* Slimming down big data. Explosive data volumes were the No. 1 issue chosen by more than 25 percent of respondents in ISACA’s 2013 IT Risk/Reward Barometer. Bhagat recommended eliminating excess data and consolidating what remains. “Unmanageable data creates redundancies and is difficult to secure,” he said.
* Competing for cybersecurity and data analytics experts. The need for these professionals is only going to grow in 2014, said Bhagat. “If you plan to hire, make sure your compensation package and job descriptions are competitive.”
And finally, not so much a prediction as a certainty, according to cybersecurity experts: If your enterprise is still using unsupported software such as Java 6, or Windows XP after April 8, 2014, when Microsoft officially ends support for that operating system, you will be attacked. Running Windows XP and Office 2003 in your environment after their end-of-support date will expose your company to security risks, Microsoft cautioned.
Roy Maurer is an online editor/manager for SHRM.
Follow him on Twitter @SHRMRoy.