[BreachExchange] A False Sense of Security

[Destry Winant]

https://www.darkreading.com/vulnerabilities---threats/insider-threats/a-false-sense-of-security-/a/d-id/1332636

Emerging threats over the next two years stem from biometrics,
regulations, and insiders.

Over the coming years, the foundations of today's digital world will
shake — violently. Innovative and determined attackers, along with big
changes to the way organizations conduct their operations, will
combine to threaten even the strongest establishments.

At the Information Security Forum, we recently released "Threat
Horizon 2020," the latest in an annual series of reports that provide
businesses a forward-looking view of the increasing threats in today's
always-on, interconnected world. In this report, we highlight the top
threats to information security emerging over the next two years, as
determined by our research.

Let's take a look at a few of our predictions and what they mean for
your organization.

Biometrics Offer a False Sense of Security
Biometric authentication technologies will flood into every part of an
organization, driven by consumer demands for convenience and the
promise of added security for corporate information. However,
organizations will quickly realize that they are not as protected as
they thought as this sense of security turns out to be unfounded.
Attackers will learn to find increasingly sophisticated ways to
overcome biometric safeguards.

Demands for convenience and usability will drive organizations to move
to biometric authentication methods as the default for all forms of
computing and communication devices, replacing today's multifactor
approach. However, any misplaced trust in the efficacy of one or more
biometric methods will leave sensitive information exposed. Attacks on
biometrics will affect finances and damage reputations.

Existing security policies will fall well short of addressing this
issue as organizations — from the boardroom down — use new devices
that depend on biometric technology. Failure to plan and prepare for
this change will leave some organizations unwittingly using a single,
vulnerable biometric factor to protect critical or sensitive
information.

New Regulations Increase the Risk and Compliance Burden
By 2020, the number and complexity of new international and regional
regulations to which organizations must adhere, combined with those
already in place, will stretch compliance resources and mechanisms to
breaking point. These new compliance demands will also result in an
ever swelling "attack surface" that must be protected fully while
attackers continually scan, probe, and seek to penetrate it.

For some organizations, the new compliance requirements will increase
the amount of sensitive information — including customer details and
business plans — that must be stockpiled and protected. Other
organizations will see regulatory demands for data transparency
resulting in information being made available to third parties that
will transmit, process, and store it in multiple locations.

Balancing potentially conflicting demands while coping with the sheer
volume of regulatory obligations, some companies may either divert
essential staff away from critical risk mitigation activities or raise
the impact of compliance failure to new levels. Business leaders will
be faced with tough decisions. Those that make a wrong call may leave
their organization facing extremely heavy fines and damaged
reputations.

Trusted Professionals Divulge Organizational Weak Points
The relentless hunt for profits and never-ending changes in the
workforce will create a constant atmosphere of uncertainty and
insecurity that reduces loyalty to an organization. This lack of
loyalty will be exploited: the temptations and significant rewards
from leaking corporate secrets will be amplified by the growing market
worth of those secrets, which include organizational weak points such
as security vulnerabilities. Even trusted professionals will face
temptation.

Most organizations recognize that passwords or keys to their
mission-critical information assets are handed out sparingly and only
to those that have both a need for them and are considered
trustworthy. However, employees who pass initial vetting and
background checks may now — or in the future — face any number of
circumstances that entice them to break that trust: duress through
coercion; being passed over for promotion; extortion or blackmail;
offers of large amounts of money; or simply a change in personal
circumstances.

While the insider threat has always been important, more than the
organizational crown jewels are under threat. The establishment of bug
bounty and ethical disclosure programs, together with a demand from
cybercriminals and hackers, means the most secret of secrets
(essential penetration test results and vulnerability reports, for
example) are extremely valuable. Organizations that rely on existing
mechanisms to ensure the trustworthiness of employees and contracted
parties with access to sensitive information will find existing
mechanisms inadequate.

Preparation Must Begin Now
To face mounting global threats, organizations must make methodical
and extensive commitments to ensure that practical plans are in place
to adapt to major changes in the near future. Employees at all levels
of the organization will need to be involved, from board members to
managers in nontechnical roles.

The themes listed above could affect businesses operating in
cyberspace at breakneck speeds, particularly as the use of the
Internet and connected devices spreads. Many organizations will
struggle to cope as the pace of change intensifies. These threats
should stay on the radar of every organization, both small and large,
even if they seem distant. The future arrives suddenly, especially
when you aren't prepared.