There are a number of trends that lie behind these increases in threats to information security, which, when taken together, suggest that things will continue to get worse, not better:
- Better hacker tools are available every day, on hacker websites that, themselves, proliferate. These tools are improved regularly and, increasingly technologically proficient criminals – and computer literate terrorists – are thus enabled to cause more and more damage to target networks and systems.
- Widespread computer literacy. While most people today have computer skills, the next generation is growing up with a level of familiarity with computers that will enable them to develop and deploy an entirely new range of threats. Instant messaging is an example of a new technology that is better than e-mail, because it is faster and more immediate, but which has many more security vulnerabilities than e-mail. We will see many more such technologies emerging.
- Wireless technology -- whether WiFi or Bluetooth -- makes information and the internet available cheaply and easily from virtually anywhere, thereby potentially reducing the perceived value and importance of information and, certainly, exposing confidential and sensitive information more and more to casual access.
- The falling price of computers has brought computing within most people's reach. The result is that most people now have enough computer experience to pose a threat to an organization, if they are prepared to apply themselves just a little to take advantage of the opportunities identified above.
Increasingly, hackers, virus writers and spam operators are cooperating to find ways of spreading more spam: not just because it's fun, but because direct e-mail marketing of dodgy products is lucrative. Phishing and other internet fraud activity will continue evolving and will become an ever bigger problem. This will lead, inevitably, to an increase in blended threats that can only be countered with a combination of technologies and processes.
Increasingly sophisticated technology defences, particularly around user authorization and authentication, will drive an increase in social engineering-derived hacker attacks.
What does this all mean, in real terms, to individuals and to individual organizations?
- No organization is immune.
- Every organization, at some time, will suffer one or more of the abuses or attacks identified in these pages.
- Individual and business activity will be disrupted. Downtime in business critical systems (such as ERP, enterprise resource planning, systems) can be catastrophic for an organization. However quickly service is restored, there will be an unwanted and unnecessary cost in doing so. At other times, lost data may have to be painstakingly reconstructed and, sometimes, it will be lost forever.
- Privacy will be violated. Organizations have to protect the personal information of employees and customers. If this privacy is violated, there may – under data protection and privacy legislation -- be legal action and penalties, including against directors individually.
- Organizations and individuals will suffer direct financial loss. Protection in particular of commercial information and customers' credit card details is essential. Loss or theft of commercial information, ranging from business plans and customer contracts, to intellectual property and product designs, and industrial know-how, can all cause long-term financial damage to the victim organization. Computer fraud, conducted by staff with or without third-party involvement, has an immediate direct financial impact.
- Reputations will be damaged. Organizations that are unable to protect the privacy of information about staff and customers, and which consequently attract penalties and fines, will find their corporate credibility and business relationships severely damaged and their expensively developed brand and brand image dented.
The statistics are compelling. The threats are evident. No one can afford to ignore the need for information security. The fact that the threats are so widespread and the sources of danger so diverse means that it is insufficient simply to implement an anti-virus policy, or a business continuity policy, or any other standalone solution. A conclusion of the CBI Cybercrime Survey 2001 was that 'deployment of technologies such as firewalls may provide false levels of comfort unless organizations have performed a formal risk analysis and configured firewalls and security mechanisms to reflect their overall risk strategy'. Nothing has changed.
Read the rest of Chapter 1 from A Business Guide to Information Security.
This was first published in January 2006