Security Gets Messy: Emerging Challenges from Biometrics, New Regulations, Insiders

Over the coming years, the very foundations of today's digital world will shake – violently. Innovative and determined attackers, along with seismic changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments. Only those with robust preparations will stand tall.

Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organizations that have a good record of securing information will be at risk of complacency, judging that the way they have always done things will continue to work in the future – a dangerous attitude to take.

Biometrics Offer a False Sense of Security

Biometric authentication technologies will flood into every part of an organization, driven by consumer demands for convenience and promising added security for corporate information. But organizations will sleepwalk towards a degradation of access controls as this sense of security turns out to be false: biometrics will frequently be compromised by attackers who learn to find increasingly sophisticated ways to overcome them.

Demands for convenience and usability will drive organizations to move to using biometric authentication methods as the default for all forms of computing and communication devices, replacing today's multi-factor approach. However, any misplaced trust in the efficacy of one or more biometrics will leave sensitive information exposed. Attacks on biometrics will affect finances and damage reputations.

The problem will be compounded by the wide and confusing array of proprietary technologies produced by different vendors. As there are no common global security standards for biometrics, it is inevitable that some technologies will be vastly inferior to others. The question then becomes: which are secure today? And will that continue to hold true tomorrow… and the day after?

Existing security policies will fall well short of addressing the issues as new devices infiltrate organizations, from the boardroom down. Failure to plan and prepare for this major change will leave some organizations sleepwalking into a situation where critical or sensitive information is protected by a single biometric factor which proves vulnerable.

New Regulations Increase the Risk and Compliance Burden

Organizations will wrestle with an incredibly burdensome risk environment, with complex, conflicting and confusing regulatory demands overwhelming existing compliance mechanisms. Demands for transparency will lead to information being stored in multiple locations and with third parties, increasing the likelihood of a data breach occurring. At the same time, new data privacy regulations will greatly increase the financial impact of a breach by levying materially significant fines.

By 2020, we expect the number and complexity of new international and regional regulations to which organizations must adhere, combined with those already in place, will stretch compliance resources and mechanisms to breaking point. These new compliance demands will also result in an ever swelling 'attack surface' which must be protected fully while attackers continually scan, probe and seek to penetrate it.

For some organizations, the new compliance requirements will increase the amount of sensitive information – including customer details and business plans – that must be stockpiled and protected. Other organizations will see regulatory demands for data transparency resulting in information being made available to third parties who will transmit, process and store it in multiple locations. Most organizations will see penalties for non-compliance reach material levels.

Balancing potentially conflicting demands, while coping with the sheer volume of regulatory obligations, may either divert essential staff away from critical risk mitigation activities or raise the impact of compliance failure to new levels. Business leaders will be faced with tough decisions. Those that make a wrong call may leave their organization facing extremely heavy fines and damaged reputations.

Trusted Professionals Divulge Organizational Weak Points

Increasing pressure on trusted professionals will lead some to divulge their organization's weak points. Those entrusted with protecting information will be targeted or tempted to abuse their position of trust. Financial temptation, coercion and simple trickery will combine with reduced employee loyalty – taking the insider threat to a new dimension.

The relentless hunt for profits and never-ending change in the workforce will create a constant atmosphere of uncertainty and insecurity that has the effect of reducing loyalty to an organization. This lack of loyalty will be exploited: the temptations and significant rewards from 'cashing-in' corporate secrets will be amplified by the growing market worth of those secrets, which include organizational weak points such as security vulnerabilities. Even trusted professionals will face temptation.

Most organizations recognize that passwords or keys to their mission-critical information assets are handed out sparingly and only to those that have both a need for them and are considered trustworthy. However, employees who pass initial vetting and background checks may now – or in the future – face any number of circumstances that entice them to break that trust: duress through coercion; being passed over for promotion; extortion or blackmail; offers of large amounts of money; or simply a change in personal circumstances.

While the insider threat has always been important, it is not only the organizational crown jewels that are under threat. The establishment of bug bounty and ethical disclosure programs, together with a demand from cybercrime or hackers, puts a very high value on the most secret of secrets – the penetration test results and vulnerability reports that comprise the 'keys to the kingdom'. Organizations reliant on existing mechanisms to ensure the trustworthiness of employees and contracted parties with access to sensitive information will find those mechanisms inadequate.

Preparation Must Begin Now

Information security professionals are facing increasingly complex threats—some new, others familiar but evolving. Their primary challenge remains unchanged; to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.

In the face of mounting global threats, organization must make methodical and extensive commitments to ensure that practical plans are in place to adapt to major changes in the near future. Employees at all levels of the organization will need to be involved, from board members to managers in non-technical roles.

The threats listed above could impact businesses operating in cyberspace at break-neck speeds, particularly as the use of the Internet and connected devices spreads. Many organizations will struggle to cope as the pace of change intensifies. These threats should stay on the radar of every organization, both small and large, even if they seem distant. The future arrives suddenly, especially when you aren't prepared.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.