EMERGING CYBER SECURITY THREATS: A FUTURE OUTLOOK Leonard Ong, CISA, CISM, CRISC, CGEIT, CoBIT 5 Implementer & Assessor 14 February 2016


AGENDA

1. The present state of Cybersecurity

2. Threat horizon 2018

3. Way forward

4. Key takeaways

THE STATE OF CYBERSECURITY

CYBER INCIDENTS CONTRIBUTE TO SIGNIFICANT ECONOMIC LOSSES

Ponemon Institute

IP theft in the United States: >$300 billion (IP Commission Report)

Singapore: $1 billion (Symantec)

Losses from cybercrime: $575 billion (McAfee)

2015 GLOBAL CYBERSECURITY STATUS REPORT

3,400+ RESPONDENTS WORLDWIDE


CYBERSECURITY FROM DIRECTORS’ POINT OF VIEW

More than 65% of board-of-directors respondents indicated that cybersecurity risks were at a high level or had increased.

Only 14% were actively involved while 58% said they should have been more involved.

THREAT HORIZON 2018 (ISF)

PESTLE MODEL

Figure 1: The PESTLE model (Political, Economic, Social, Technological, Legal, Environmental)

Threat 1.1: The Internet of Things leaks sensitive information

Impact:

• Growing regulatory fines and legal expenses as breaches occur

• Increased regulatory burden

• Reputational risk

Recommendations:

• Prior to IoT deployment, seek consent and apply data protection principles

• Ensure policies, terms and conditions are transparent and compliant

• Treat IoT holistically rather than as one more category of device

• Update policies, standards, guidelines and processes

Source: PerfectCloud.io

Threat 1.2: Opaque algorithms compromise integrity

Impact:

• Poorly maintained algorithms lead to loss of revenue and delays

• Disruption to critical systems is heightened by a lack of specialised skills

• Reputation is questioned after an incident

Recommendations:

• Identify exposure to algorithm-controlled systems and understand the liability

• Update code maintenance policies

• Identify alternative ways of treating risks from algorithm-related incidents

• Conduct robust business continuity and resiliency planning

Source: The Hacker News

Threat 1.3: Rogue governments use terrorist groups to launch cyber attacks

Impact:

• Brand damage, loss of revenue or even bankruptcy

• Severe business disruption as SIEM systems are evaded by persistent attackers

Recommendations:

• Adapt risk management processes to account for threat actors with new capabilities

• Review existing controls and focus on increasing resiliency

• Explore possibilities for threat intelligence collaboration with governments and organisations facing similar threats

Source: Security Intelligence

Threat 2.1: Unmet board expectations exposed by major incidents

Impact:

• Costly incidents due to incomplete risk assessment

• Inability to deal with threats and incidents, inhibiting decision making

Recommendations:

• Engage with the board regularly to provide a credible view of cyber risks

• Align the board's expectations of security improvements with the current and future capability of the CISO and the information security function

• Initiate a talent programme to transform the CISO and information security function from specialists into a trusted business partner

• Learn from others

Source: Slash Gear

Threat 2.2: Researchers silenced to hide security vulnerabilities

Impact:

• Business disruption due to insecure software that could have been fixed

• Loss of sales for manufacturers when their actions to suppress vulnerabilities are made public

• Damage to manufacturers that suppress vulnerabilities, resulting in loss of life

Recommendations:

• Consider financial rewards for responsible researchers

• Use mediation services to agree satisfactory disclosure practices

• Insist on greater transparency during the procurement process

Source: LinkedIn

Threat 2.3: Cyber insurance safety net is pulled away

Impact:

• Organisations are exposed as they lose the ability to transfer risk

• High cost of alternative risk treatment

• Credit ratings may slow down the cyber insurance market

Recommendations:

• Reassess the risk management strategy in advance, and identify the risks to be transferred through cyber insurance

• Examine cyber insurance policies for potentially costly exclusions

Source: Business Insider

Threat 3.1: Disruptive companies provoke governments

Impact:

• Large fines for organisations that resist, rather than engage with, governments

• Companies (in technology sectors) are subjected to higher scrutiny

Recommendations:

• Avoid political opposition by understanding the local context of product and service delivery

• Develop a clear strategy for political influence and engagement, focusing on a principle-based system of regulation

• Explore possibilities for collective influence

Source: Euractiv

Threat 3.2: Regulations fragment the cloud

Impact:

• Disruption to operations and production as cloud services are divided across multiple countries

• Additional resources required to deal with cloud compliance

• Organisations forced to comply with multiple data protection requirements

Recommendations:

• Understand how current and proposed regulation will evolve

• Be proactive and devise a strategy before it is too late

Source: Security Intelligence

Threat 3.3: Criminal capabilities and gaps in international policing

Impact:

• Brand damage as organisations' technical capabilities are surpassed by cyber criminals

• Incurred losses compounded by growing e-commerce and inadequate international law enforcement cooperation

• Degraded ability to conduct business abroad

Recommendations:

• Improve threat intelligence and increase resiliency

• Proactively work with and influence governments to cooperate and build an international framework

WAY FORWARD

SECURE-BY-DESIGN AND PRIVACY-BY-DESIGN

1. Technology should have adequate security features and be configured securely before reaching the customer.

2. Personal data protection principles should be built into the product's features and operation.

3. Customers should be able to secure any product with reasonable effort and without requiring specialised skills.

4. The burden of securing products should fall less on the consumer.

ETHICAL TECHNOLOGY DEVELOPMENT

1. The pharmaceutical, medical and legal industries have intensive testing and certification, which reduces accidents, bad medicine and substandard professionals.

2. Technology development should go through proper testing for social, safety and privacy issues.

3. Secure-by-design and privacy-by-design should be independently tested.

KEY TAKEAWAYS

1. The cost and frequency of cyber attacks will continue to increase.

2. Total losses from intellectual property theft are far greater than the cost of cybercrime.

3. Cybercrime is a 'tax' on businesses and innovators.

4. Disruptive technologies are missing robust security and privacy protection.

5. A code of ethics needs to be implemented in technology development.

DISCUSSIONS