Cybercrime attacks, IT outsourcing, mobile malware top ISF threat list

Crimeware, cloud computing and an erosion of network boundaries are just a few of the security threats that corporate members of the Information Security Forum fear the most.

Falling budgets, rising cybercrime attacks, strong compliance regulations and mobile users will all make life difficult for information security professionals over the next couple of years.

Those are the main conclusions in a new report from the Information Security Forum, an independent group harnessing expertise from a pool of companies, including some Fortune 100 businesses. The forum asked 200 of its corporate members, all major organisations, to list what they thought would be the biggest threats facing them in 2011.

The top five threats (see sidebar) range from the increased threat of Internet attacks from organised crime groups, to the loss of control resulting from outsourcing and cloud computing.

ISF's Top Five Threats

Criminal attacks
* Crimeware as a service
* Disgruntled employees
* Infiltration of organisations

Weakness in infrastructure
* Reduced investment
* Increased complexity and integration
* Increase in zero-day attacks
* Reliance on third parties for upgrades

Tougher regulation
* Increased emphasis on privacy
* Incompatible laws
* Harsher punishment for non-compliance

* Drive to outsource more business operations and security
* Hard to meet compliance requirements
* Instability of providers

Eroding network boundaries
* Adoption of cloud computing
* Proliferation of connections
* Bypass of defences by new malware

Nick Frost, senior research consultant at the ISF, said the rise of cybercrime attacks is a particular worry. "The criminals are taking a very professional approach, and because they work as very loosely connected groups in different jurisdictions, it is very difficult to prosecute them," he said. He added that there was good evidence to show that some foreign students at U.K. universities had been sponsored by cybercriminal gangs, and had then gone on to work at U.K. organisations.

The recession is also pushing companies to increase the amount of offshoring and outsourcing they do, and Frost said this was often done with little regard for security. "Outsourcing is quite mature now, and companies are looking to outsource more critical business processes. But information security is often only considered at the last moment when these decisions are made," he said.

ISF members also noted a tendency for user-developed applications and files, such as Excel spreadsheets, to be implemented without consulting security people. "They don't really want it to go on security's radar for fear they will try to delay it," he said. Frost added that even with quite large application developments, security would often be brought in near the implementation stage to "try to bolt on some security controls."

ISF members also predicted that mobile malware will become more prevalent as more applications go on to smartphones and the devices' processing power and storage capacity increase.

Respondents also noted their struggles with an increasing number of regulatory requirements, as well as with an IT infrastructure that is becoming more and more integrated and reliant on third parties.

William Beer, director of assurance at PriceWaterhouseCoopers (PWC), said many of the mentioned threats could be turned into an advantage, but security people need to adopt the language of business to get their voices heard. "There is an opportunity to get across our key messages. For instance, Sarbanes Oxley was once viewed as a big cost, but it is now seen as having reduced costs and improved the way companies operate," he said. "If by increasing security, we can leverage confidence and trust during a recession, then we can turn a negative into a positive."
