While the high-profile security breaches and attacks of 2011 are still fresh in mind, Information Security Forum (ISF) global vice-president, Steve Durbin, feels that the key trend of 2012 comes down to “supply chain”.
“As I continually move around and talk to people, I’m amazed by this view that is still prevalent and I thought would have gone away by now, that once people have outsourced, they feel it’s not their problem anymore,” he said.
Durbin has increasingly seen the supply chain become a “critical component” in the security chain of a business, and highlights that the chain is only as strong as its weakest link.
“I’m constantly amazed that organisations are not taking a more robust approach to the way that they outsource, to the processes they put into place, to the governance that they have around it,” he said.
“I also think organisations that have not really gone down that road and taken a stringent approach to monitoring it on an ongoing basis are pretty much heading for a fall.”
With big data being the buzzword of the last few months, Durbin also sees it causing potential problems for businesses: he points out that collecting data raises the questions of whether you are allowed to collect it and where you are collecting it from.
He also highlights that storage is hugely sensitive and depends on having security processes in place to store the data effectively.
As an example, Durbin points to how Megaupload was shut down recently and how some people who had their data stored on the site are no longer able to access it and run their business, so they have had to turn to the courts to get their data back.
“No business wants to be in that kind of position, but I think the biggest issue with big data is really about the use of it, as that’s where it becomes a bit of a minefield depending on which jurisdiction you are operating in,” he said.
If a business is based in Australia and happens to be holding data on systems in the EU, it will have to abide by EU statutes under the upcoming EU legislation.
“I think most organisations will have to take a long hard look at what they are doing with the information and the implications,” he said.
Durbin admits that there are “massive” business opportunities with big data across a whole range of sectors, but it also opens up a range of issues that people need to examine, particularly how they use that data, how it is stored, and whether they are allowed to collect it in the first place.
As for what businesses can do to better protect themselves in this year’s threat landscape, Durbin sees things in black and white.
“There are only two types of organisations,” he said.
“Those that have been already hit, and those that will be hit.”
As such, Durbin says it is not about people pretending that it will not happen to them, because the chances are that it will at some point in time, so they are better off considering what they need to do about it.
“You need to make sure that you have reviewed in your business where your critical areas are, you have decided what type of risk profile that you want to carry as a business across the different departments, and you need to have put in place a disaster recovery plan for when and if an attack takes place,” he said.
Durbin adds that vigilance does not just involve a specific business unit and the information security people, but will also involve legal, HR, and PR.
“That way you will have all of your ducks lined up before the thing hits,” he said.