A: You’re right, this is the first time that the ISF has released such a report into the public domain and the timing of this is by no means haphazard. Globally we are in the midst of continually sophisticated cyber threats that governments are only now beginning to openly admit as being amongst the most serious to national security. And that is at the macro level. At the level of the individual or indeed the enterprise, we are faced with daily opportunities for cybercrime to take hold and impact us personally. It is against this backdrop that the ISF has decided to share some of its world-leading research into the threat trends that we and our members see as being critical. I would draw your attention to three major findings or drivers if you like that make the threats we detail in the report so real. The first is a fundamental weakness in infrastructure. Under-investment in both organisational and national critical infrastructure has weakened the underlying IT platforms. They are poorly placed to support new and evolving business technologies such as e-commerce, cloud computing and mobile working all of which are everyday realities. Secondly, the rise of the Internet generation coupled with high levels of personal technology adoption has caused an irreversible change in attitudes to protecting information. Thirdly, increasing globalisation means that organisations of all kinds are subject to greater threats as a result of being seen as an attractive target, having to meet the needs of multiple legal jurisdictions and becoming a more complex organisation.  Clearly these three drivers will impact different businesses in different ways but if the vast majority of businesses examine the impact of these three drivers on their business today and put in place policies, procedures and training of their employees to help mitigate the risks they face, the impact would not be insignificant.

A: Two words – Contingency and Integrity. As I mentioned before, the under-investment in critical infrastructure has led to poor resilience at pinch points with the risk of complete loss of communications, data and the associated impact this has on the business. The sheer scale of information, its life in multiple locations and the lack of detailed management of that information has led to a toxic information wasteland where organisations are unsure as to which of the multiple copies is right and true or who is qualified to make that judgment. Inadequate integrity checking leads to unforeseen effects from changes to business information and potential compliance failures; poor records management opens up opportunities for fraud. Attackers have adopted strategies based on a combination of threats such as these that can lead to them obtaining authentication details, gaining access to systems or networks, misusing systems to commit fraud, stealing proprietary information and introducing malware. Businesses can better equip themselves to deal with these threats by following these steps:

1. Evaluate contingency arrangements

2. Undertake business impact assessments for failure of critical applications and processes

3. Review adequacy of security, integrity and version controls

4. Establish records management and compliance monitoring procedures

5. Introduce common risk language and understanding of threats across the organisation, whilst seeking pragmatic ways to assess and manage risk holistically.

A: I think your term 'creating a balance' is absolutely spot on here. Clearly this is a challenging issue, especially for multi-national organisations that need to juggle on a daily basis the different demands of the various jurisdictions in which they operate. But how do you create the balance? Well I think enterprises need to start from a position that there is no perfect solution so pragmatism will need to prevail. Ensure privacy policies are clear and meet the needs of the jurisdictions in which the enterprise operates. Gain the input of legal advisors and industry colleagues who are grappling with the very same issues. Finally create a forum for discussing changes in the law both within and across jurisdictions. But how can we square this with needs of national security and terror threats? In my personal opinion, it is an impossible ask. Sadly, I do believe that the right to privacy has probably reached a point of no return when it comes to matters of national security. We live in an increasingly dangerous world where access to information is the lifeblood not just of an enterprise but also of the criminals and terrorists. The only way to combat this effectively is, I believe, for us to give up some of our rights to privacy – but that places a huge onus on our elected governments to behave in an appropriate and accountable manner.

A: This is an essential component in any effective approach to security and risk management. To manage risk you need to plan for it – identify, plan, protect. Security teams need to identify the information risk management procedures that need to be in place to meet the requirements of the business. With organisations needing to look much more closely at their internal security structures and how they can meet compliance regulations there is a need to make use of tools such as those used by ISF members to manage and control information risk throughout the enterprise. In particular:

1. Good practice – establish policy and procedures that are in line with current regulatory and compliance requirements and establish means of monitoring their effectiveness

2. Benchmark – monitor your security posture and compare your results with those of other organisations

3. Tools and standards – make use of tools that exist to meet regulatory requirements such as Sarbanes-Oxley and Basel II and to measure and achieve compliance against world standards such as ISO/IEC 27002 and COBIT

A: Mobile and remote working, outsourcing and cloud computing have combined to all but remove an organisation's network boundary that, coupled with the increasing penetration of smartphones and laptops, has blurred the lines between business and personal usage – the trader who wants to use an iPhone for securities trading, the salesman who updates his orders from his Android phone or chats on Facebook whilst completing a proposal for a new client, these are all the realities of life today. Boundaries have all but disappeared so security professionals need to adapt and enterprises need to change to cope with a new world. How can they do these things?

1. Consider the architectural options available for working without a network boundary – if the boundary hasn’t gone already it soon will, so time will be well spent considering the options!

2. Investigate the feasibility within the enterprise of trusted zones and the niche application of products such as digital rights management.

3. Establish policies for the use of personal devices and access management across devices.

4. Establish asset management for smartphones and assess the security implications of their use.

5. Educate users through communication and awareness programmes that are supportive of the work day reality as opposed to seeking to prevent or restrict usage of these devices.

A: Cybercrime is big business. Cyber criminals are clever, sophisticated and have resources at their disposal that many enterprises would only dream of. That is the reality. And I do believe that the trend is set to continue. So what can organisations do? Well the threat is clear: there is an increased risk of loss of proprietary information through targeted hacking and other cyber attacks that have the potential to lead to a loss of reputation and trust in addition to the financial cost of the theft of proprietary information and IP. In the face of such threat organisations must identify the sources of high-value information and evaluate niche solutions such as data loss prevention. Here it really is a case of planning for the worst and hoping for the best.

A: What does an ideal plan look like? I’ll let you know when I see one! Each plan needs to be mapped to the needs of the individual organisation and to address the business critical issues that affect the successful day to day running of the enterprise. A full blown plan should address the six key components of information security and risk management good practice:

1. Governance: the framework by which policy and direction is set providing senior management with assurances that security management activities are being performed correctly and consistently.

2. Risk: the potential business impact and likelihood of particular threats materialising – and the application of controls to mitigate risk to acceptable levels.

3. Compliance: the policy, statutory and contractual obligations relevant to information security which must be met to operate in today’s business world to avoid civil or criminal penalties and mitigate risk.

4. People: the executives staff and third parties with access to information who need to be aware of their information security responsibilities and whose access to systems and data needs to be managed.

5. Process: business processes, applications and data that support the operations and decision making.

6. Technology: the physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.

And once you have created the plan, review it, test it, monitor it and do not be afraid to make changes to it. An effective plan changes with the needs of the business – and that can be a pretty full-on task for even the best security teams.