Risk consulting firm Kroll has released its 2014 Cyber Security Forecast, highlighting seven trends that indicate a changing tide in cyber standards, both social and legal. If Kroll is reading the trends correctly, organizations will need to take stronger actions to protect themselves from financial and legal risks, as well as risks to their reputation. The trends are as follows:
- Security frameworks such as the National Institute of Standards and Technology (NIST) Cyber Security Framework will become the de facto standard. “This trend will move the United States in the direction of the EU, where there is a greater recognition of privacy as a right,” said Alan Brill, senior managing director at Kroll. Whether mandated or merely expected, these standards will drive decision making in organizations that want to protect themselves from shareholder lawsuits, regulatory action, and other legal exposure.
- The data supply chain will continue to challenge even the most sophisticated organizations. Contracting with third parties to store or process data will continue to be commonplace, making it imperative that companies closely vet their subcontractors and obtain specific, written commitments on how those subcontractors detect, handle, and report breaches.
- The malicious insider will remain a serious threat but will become more visible. Kroll predicts that in 2014 a significant number – if not almost half – of data breaches will come at the hands of people on the inside. However, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, insider attacks that have so far gone unreported will become more widely known.
- Corporate board audit committees will take a greater interest in cyber security risks and how the organization plans to address them. Data breaches pose significant threats to the organization’s reputation, compliance efforts, and financial well-being, putting the onus squarely in the lap of corporate audit committees. “As corporate boards carry out their fiduciary responsibilities, they must also protect the company from possible shareholder lawsuits that allege the company's cyber security wasn't at a level that could be reasonably viewed to be ‘commercially reasonable’ and that incident response plans weren't in place to mitigate the risk,” said Brill.
- Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster. Technological progress over the last year will enable companies to unravel events and see with near-real-time clarity what’s happened to their data and how much damage has been done.
- New standards related to breach remediation are gaining traction and will have a greater impact on corporate data breach response. Credit monitoring will no longer be the gold standard in breach remediation in 2014, as lawmakers, consumer advocates, and the public continue to question the relevance and thoroughness of this as a stand-alone solution. The Federal Trade Commission and states like California and Illinois are already suggesting a risk-based approach to consumer remediation – one that matches remedy to individual risk based on the unique circumstances of a breach.
- As more organizations adopt the cloud and bring your own device (BYOD), they will be held accountable for implementing policies and managing technologies. In 2014, IT leaders will need to work closely with senior leadership and legal counsel to adapt corporate policies in a way that addresses changing legal risks, while effectively meeting the needs of the organization.