High Tech and Low Tech Continue to Bedevil Info Sec and Privacy Practitioners
When looking ahead to what may happen in this new year it is necessary to first look back. Not only to 2011, but when making plans to move forward even further back to help make the best decisions moving forward.
I do a lot of reading, including many mainstream publications written for the general public.
You can see a lot of trends and problems by reading about how the general public is reporting (or not) about them. I also like to read the various publications specific to information security, privacy, compliance and technology to see the backstories and guts of the problems.
Looking at all such reports helps to provide a more comprehensive view necessary for making good decisions.
Looking back to 2011 some of the events that struck me most when reading through these many different sources included the following:
- There are more reported privacy breaches than ever before in all types of publications. And the methods of the breaches are increasing as new technologies and business practices are emerging. And as business is accomplished through more partnerships with multiple organizations, more breaches are caused by business partners (outsourced and contracted entities) than ever before as well.
- Increasingly more mobile computing devices were created and purchased by workers in 2011 than ever before. Tablet sales alone accounted for over 25% of all mobile computing device sales. The use of mobile computers, of all types, is occurring much more quickly within all organizations than the organizations keeping up with finding security controls for them, and in updating their policies and procedures. Add to the mix the overwhelmingly popular move (supported by business managers, not so much by the information security practitioners) to a “bring your own device” (BYOD) attitude in the workplace, it increases the complexity of information security risk by a hundredfold (and that’s a modest estimate).
- At the same time the use of mobile computing devices are increasing, the use of cloud services (yet another type of contracted entity) is also quickly growing. According to some reports and informal polls, tech savvy folks in the general public own 10 to 20 devices they use regularly to connect to business data via the cloud. The number of cloud services used by businesses probably is around 10 to 20 for each organization as well, although I haven’t seen any dependable numbers; this is just my own estimate based upon discussions with business leaders throughout the year.
- As increased cloud services are used, the amount of data is exploding. Super data warehouses are going up in a frantic effort to keep pace. Businesses are starting to put everything into the cloud, including all their backups. Considering data is the most valuable asset a business has, and that it also brings the most risk, the dependence upon these data warehouses accessed through the cloud has become greater than ever. Organizations are putting all their data eggs into a few large cloudy baskets (ooh, sorry, I couldn’t resist the geek tweak to the popular idiom), and are pretty much at the mercy of them to keep their businesses going.
- A significant event occurred when the DoD publically indicated in October that physical attacks could be launched in response to cyber-attacks against military systems. I was surprised there wasn’t more written about this. Think about it; bombs can be deployed and physically destroy facilities, and the people within them, as a response to adverse and/or hostile cyber-activities. This really is a significant landmark in the merging of the physical with the cyber worlds.
- The smart grid got more attention than ever in 2011, especially towards the end of the year. It’s good, because it will be a huge, complex network, more complex in many ways than any other, and we need to proactively think about the security and privacy issues and build in controls now, as deployment occurs. I’ve been leading the NIST CSWG Smart Grid Privacy subgroup since June 2009, and we’ve been working hard since that time on addressing the privacy issues. There are10 other NIST CSWG subgroups that are focusing on the vast number of information security issues, and most have also been since early 2009. I was happy to see other research and academic groups take in interest as well in 2011. In December the MIT Energy Initiative released a report, “The Future of the Electric Grid” but I was disappointed to see no mention of the work done by the NIST CSWG groups for the past three years (perhaps I missed something in those 183 pages?), and nothing new was reported that the NIST groups had not already published.
- A significant common problem that is at the heart of almost every (if not all) data breaches, and within information security and privacy programs in general, is a lack of information security training, non-existent privacy training, and sparse-to-no types of ongoing awareness communications to keep security and privacy at the forefront of employee’s minds as they are doing their day-to-day work responsibilities. I’ve reviewed literally hundreds of information security and privacy training and awareness programs and a large portion of them are ineffective, or downright awful. Business leaders need to understand that they must provide such education to their personnel if they are going to be successful in effectively safeguarding data. 2011 provided many more examples for me to use to point out that human frailties involving lack of knowledge, lack of training, and continuous repeated mistakes are bigger problems than ever before.
Looking ahead to 2012, it is going to be a very busy and diverse year. I see these issues from 2011 continuing to increase in importance and publicity throughout the year, in addition to a few more new topics of information security and privacy concern.
Here is what I see as just some of the significant events, as well as issues that need to be addressed:
- More emphasis needs to be given to information security and privacy awareness training, with more active and effective training and ongoing awareness communications. I’m hopeful this will happen (even though there’s a nagging doubter in my mind that insists on telling me I’m wrong).
- There will be at least one breach, larger than ever before, occur within a business partner / business associate type of organization. I have a feeling it will be within a cloud service.
- More attention needs to be given to business partners, and more oversight and monitoring. Organizations must go beyond just including an information security clause in their contracts. Information security and privacy are people issues; breaches cannot be prevented with a contract that the practitioners, who are actually handling the data and information, never see.
- More breaches will occur as a result of personal devices in 2012 than ever before.
- Organizations need to get off the stick, do risk assessment to determine the extent of personal computing device use within their organizations and then update their policies, create new procedures, and implement new technologies accordingly.
- Many organizations will completely lose track of where their data is as a result of using cloud services. How can you protect your data, and keep bad things from happening, if you don’t even know where that data is located, or who is touching it? You can’t. At least one organization will have a breach with the cloud, with this lack of knowledge at the heart of the problem, which will almost put them out of business.
- Business leaders need to understand cloud services and use them appropriately. Information security and privacy practitioners need to take the initiative and TELL THEM of the ramifications and risks of using cloud services, and then establish the appropriate controls around cloud service use.
- The DoD will use their newly authorized go-ahead to physically attack an enemy for cyber-hacking. I anticipate it will be a small target, hopefully unmanned, but that it will be done to send a message that even though there are fewer boots on the ground, the “leaner and meaner” military is not adverse to taking other such actions to thwart cyber-attacks against military and government networks.
- Smart grid research and concerns will continue. And, more utilities will be proactively doing much more to address consumer concerns with smart meters than ever before, through public service announcement type messages and other types of education and outreach.
- More emphasis needs to be given to information security and privacy awareness and training, with more active training and ongoing awareness communications. Yeah, I already said this. However, it’s so important, and necessary to ALL information security and privacy issues, that it needs to be repeated again. And whenever I have other opportunities to do so, I will continue to say it.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Cross-posted from Privacy Professor