A summary of Information Security trends 2/3
Updated: Aug 16, 2019
Continuing our discussion of a few trends within Information Security, here are trends 2, 3 and 4.
You are free to use this information as you wish, but please mention Innovate Security as the source, please refer to Creative Commons CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)
2. More incidents, and the attackers get more clever
The list of companies and organizations that have been successfully hacked gets longer each year. Worth mentioning is the spring 2019 ransomware attack on Norsk Hydro, with an estimated cost of €40 million. All organizations need to acknowledge that everyone is a potential target.
With the continuing speed of digitalisation and Time To Market requirements, security is still not sufficiently prioritised. This has a significant impact on the cost when a breach hits; it is far more expensive to fix things after a breach than to build them in beforehand.
What to do:
Work with Information Security Awareness.
Implement Information Security requirements in the purchase process.
Introduce standardised IT-solutions and security patterns and use them...always.
Involve IT-architects early in business development.
Work with Disaster Recovery and Business Continuity.
3. More focus on Data Protection, i.e. Privacy
The work done with GDPR during 2018 is starting to show the need for a second wave of activities. Most companies (note that many companies didn’t do anything) are starting to understand that GDPR is here to stay – we need an effective way of working with data repositories, incident processes etc. The need to involve IT, Information Security and the Business is evident; you need to have control of the Crown Jewels, i.e. your important/valuable data, within the company. Where do we store important data? Which systems manage the data? What is the connection between the data, the processes and the IT-systems? The companies that evolve an efficient Data-centric architecture will also be more successful in protecting their Data and in complying with specific regulations, e.g. GDPR.
What to do:
Identify your organization’s Crown Jewels
Identify ownership of information, processes and IT-systems
Connect Privacy, IT-architecture and Information Security
4. ”Artificial Intelligence” will be used both by attackers and defenders
Today ”true” implementations of AI are still rare; AI is a ”suitcase term”, which can be used to describe a large variety of things ranging from advanced statistical analysis to Natural Language Processing and Deep Learning algorithms. Many implementations of AI will focus on the identification of anomalies and patterns that are hard for a person to spot, e.g. log analysis, identifying patterns within network traffic, anomalies in the usage of a specific application etc.
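To make the ”advanced statistical analysis” end of that suitcase concrete, here is an added example (our own illustration, not code from the original post or from Innovate Security): a small detector that reads SSH authentication failures from a log, buckets them into five-minute windows and flags windows that sit far above a robust baseline. The log lines are constructed for the demo, and the log format, the window size, the median/MAD threshold and the `min_excess` guard are all assumptions chosen here, not a standard.

```python
"""Burst detection over SSH authentication failures.

Added example, not code from the original post or from Innovate Security.
The log format, window size and the median/MAD threshold are assumptions
chosen for the demo; the log lines below are constructed, not captured.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: an hour of background noise from a few scanners, a
# burst from one source between 09:50 and 09:54, and one unrelated line.
SAMPLE_LOG = """\
2019-08-12T09:01:12 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
2019-08-12T09:03:45 bastion sshd[4133]: Failed password for root from 198.51.100.4 port 40210 ssh2
2019-08-12T09:06:02 bastion sshd[4140]: Failed password for invalid user test from 203.0.113.7 port 51877 ssh2
2019-08-12T09:11:30 bastion sshd[4162]: Failed password for root from 192.0.2.55 port 36104 ssh2
2019-08-12T09:13:18 bastion sshd[4170]: Failed password for invalid user oracle from 203.0.113.7 port 52031 ssh2
2019-08-12T09:17:50 bastion sshd[4188]: Failed password for root from 198.51.100.4 port 40655 ssh2
2019-08-12T09:21:09 bastion sshd[4201]: Failed password for invalid user admin from 192.0.2.55 port 36590 ssh2
2019-08-12T09:24:41 bastion sshd[4215]: Failed password for invalid user pi from 203.0.113.7 port 52448 ssh2
2019-08-12T09:28:33 bastion sshd[4229]: Failed password for root from 198.51.100.4 port 41002 ssh2
2019-08-12T09:33:27 bastion sshd[4250]: Failed password for invalid user ubuntu from 192.0.2.55 port 37120 ssh2
2019-08-12T09:37:55 bastion sshd[4266]: Failed password for root from 203.0.113.7 port 52910 ssh2
2019-08-12T09:42:14 bastion sshd[4281]: Failed password for invalid user admin from 198.51.100.4 port 41377 ssh2
2019-08-12T09:44:08 bastion sshd[4290]: Failed password for root from 192.0.2.55 port 37566 ssh2
2019-08-12T09:47:36 bastion sshd[4305]: Failed password for invalid user guest from 203.0.113.7 port 53204 ssh2
2019-08-12T09:50:03 bastion sshd[4320]: Failed password for root from 198.51.100.23 port 55001 ssh2
2019-08-12T09:50:21 bastion sshd[4322]: Failed password for invalid user admin from 198.51.100.23 port 55002 ssh2
2019-08-12T09:50:44 bastion sshd[4324]: Failed password for root from 198.51.100.23 port 55003 ssh2
2019-08-12T09:51:05 bastion sshd[4326]: Failed password for invalid user oracle from 198.51.100.23 port 55004 ssh2
2019-08-12T09:51:28 bastion sshd[4328]: Failed password for invalid user test from 198.51.100.23 port 55005 ssh2
2019-08-12T09:51:50 bastion sshd[4330]: Failed password for root from 198.51.100.23 port 55006 ssh2
2019-08-12T09:52:12 bastion sshd[4332]: Failed password for invalid user admin from 198.51.100.23 port 55007 ssh2
2019-08-12T09:52:39 bastion sshd[4334]: Failed password for invalid user postgres from 198.51.100.23 port 55008 ssh2
2019-08-12T09:53:01 bastion sshd[4336]: Failed password for root from 198.51.100.23 port 55009 ssh2
2019-08-12T09:53:26 bastion sshd[4338]: Failed password for invalid user ubuntu from 198.51.100.23 port 55010 ssh2
2019-08-12T09:53:48 bastion sshd[4340]: Failed password for root from 198.51.100.23 port 55011 ssh2
2019-08-12T09:54:10 bastion sshd[4342]: Failed password for invalid user admin from 198.51.100.23 port 55012 ssh2
2019-08-12T09:57:19 bastion sshd[4351]: Failed password for root from 192.0.2.55 port 38011 ssh2
2019-08-12T09:58:40 bastion sshd[4356]: Failed password for invalid user admin from 203.0.113.7 port 53588 ssh2
2019-08-12T09:59:02 bastion sshd[4360]: Accepted publickey for deploy from 192.0.2.10 port 44123 ssh2
"""

# Assumed line layout: ISO timestamp, host, sshd[pid], OpenSSH failure text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text):
    """Return (timestamp, user, source_ip) for each failed-login line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def window_start(ts, window_minutes):
    """Truncate a timestamp to the start of its fixed-size window."""
    return ts.replace(second=0, microsecond=0,
                      minute=ts.minute - ts.minute % window_minutes)


def detect_bursts(events, window_minutes=5, k=3.0, min_excess=2):
    """Flag windows whose failure count sits far above a robust baseline.

    Baseline is the median of per-window counts; spread is the median absolute
    deviation (MAD) scaled by 1.4826 so it estimates a standard deviation.
    Median/MAD are used instead of mean/stddev because the burst itself would
    otherwise inflate the baseline it is measured against. min_excess stops a
    flat baseline (MAD == 0) from flagging every window one above the median.
    """
    buckets = defaultdict(list)
    for ts, user, ip in events:
        buckets[window_start(ts, window_minutes)].append((user, ip))
    counts = {w: len(evs) for w, evs in buckets.items()}
    if not counts:
        return []
    median = statistics.median(counts.values())
    mad = statistics.median(abs(c - median) for c in counts.values())
    threshold = median + max(k * 1.4826 * mad, min_excess)
    alerts = []
    for w in sorted(counts):
        if counts[w] > threshold:
            top_ip, top_n = Counter(ip for _, ip in buckets[w]).most_common(1)[0]
            alerts.append({
                "window": w.isoformat(),
                "count": counts[w],
                "threshold": round(threshold, 2),
                "top_ip": top_ip,
                "top_ip_share": round(top_n / counts[w], 2),   # 1.0 = single source
                "distinct_users": len({u for u, _ in buckets[w]}),  # high = spraying
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_failed_logins(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the eleven quiet windows hold one or two failures each, so the median is 1.5 and the MAD is 0.5; the 09:50 window with twelve failures from one address is the only one above the resulting threshold, and the `distinct_users` field shows it as a password spray rather than a single stuck client. Two caveats worth carrying into a real deployment: windows with zero events never enter the baseline here, which biases the median upward on quiet hosts, and a scanner that spreads its attempts thinly across many hours will stay under any per-window threshold, so a per-source counter over a longer horizon is needed alongside this one.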
Of course, attackers may also use AI in order to perform even more advanced attacks. The ”dark side” will always be one step ahead. In order to be prepared for this, organizations ought to have a broad knowledge of what AI is, how it may be used in the organization and how to adapt the current business and IT architecture. It is hard to give any specific advice.
What to do:
Include ”AI” in the business development
Create a forum where IT-architects and business architects may discuss the impact of a future AI program for the organization.
Include the GRC-team in the discussions.
In the next post we discuss trends 5 and 6.