What You Won’t See On All the Other “Top Threats for 2015” Lists, Part I

We wrap up our take on 2015’s threat horizon with a look at another potentially dangerous entity close to your organization—your partners.

’Tis the season when everybody seems to be publishing their reports, blogs, predictions, and opinions on the state of information security for the coming year. And that’s a good thing, as they provide an essential reminder of what we’re all up against—and what we might do about it.
These perennial pieces consistently share a few features: a recap of what we saw in the previous year (generally an increase in the number and severity of breaches); a rundown of the usual suspects (e.g., malware, phishing, malicious insiders, zero-day attacks, BYOD exploits, APTs, etc.); and what we can expect going forward (more of the same, only with more sophistication and wider scope of damage).
Unfortunately, none of these reports exaggerate. I’ll cite just one statistic to make the point: The US Securities Commission confirmed that American firms reported a 42 percent hike in successful cyberattacks over just 12 months. That startling reality ought to get anyone’s attention.
But there is something almost all of the posts miss: the culpability of the victims of such cybercrime. That’s right, the victims. To this point, we’ll count down in this three-part series the top ways organizations share responsibility—albeit unwittingly—for the breaches they suffer. Addressing them would go a long way toward making 2015 a year in which cybercrime declines relative to previous years. And that’s a resolution we should all feel good about making. Here’s threat No. 1:
Threat No. 1: The Vicious Cycle of Breaches and Regulations
Have you ever wondered why the regulations covering information security and privacy just keep piling up? It’s a real problem. The greater the number and scope of regulations, the greater the exposure to liability. Indeed, regulations covering the collection, storage, and use of information are becoming a tremendous burden on organizations—and they show no signs of letting up. Moreover, the cost of compliance combines with under-investment in information security to deliver a real one-two punch. And it’s a vicious cycle: the greater the number of breaches, the greater the number of regulations; the more regulations, the more costly it all becomes. Consequently, organizations are perpetually playing defense, not only against the bad guys, but against the regulatory bodies as well.
What to Do About It
Start by asking how we got here. The simple fact is that organizational complacency about information security, playing fast and loose with personal data, and the general failure to educate employees and supply chain partners have made for fertile ground for cybercriminals. Heck, they’ve made it so easy that a majority of breaches go undetected—oftentimes for months. If organizations are not going to take it upon themselves to safeguard information, then the government must. And it has.
So why not make 2015 the year that organizations go on the offense? How about we collectively turn the tables on it all? That’ll mean executive management making information security a board-level priority—and acting decisively and aggressively.
Next time, we’ll address the second of 2015’s greatest threats: untrained employees.
