If the events of 2011 are any guide, information security professionals are in for an interesting – and challenging – time over the next 12 months.
In addition to maintaining good standard security practices, they will be required to turn their attention and skills to the challenges posed by new technology, new threats and new legislation, several of which will demand they implement critical information security policy changes. With likely 2012 security trends in mind, here are four steps to consider when making your IT security plans for the New Year.
Start asking permission to use website cookies
Companies need to complete a cookie audit. They need to look at what cookies they drop and how persistent and intrusive
However, in December the ICO issued a sharp reminder to companies about the requirements, and announced that from May 26, 2012, it will enforce the rules more vigorously. This means companies now have less than five months to make changes to their websites.
"If they’ve not already done so, companies need to complete a cookie audit. They need to look at what cookies they drop and how persistent and intrusive they are, and also revisit their cookie/privacy language,” said Martin Fanning a technology specialist for London-based law firm SNR Denton. “Then, using the new ICO guidance, they need to work out how they are going to get consent from online users. Helpfully, there are some examples in the latest ICO guidance."
Prepare for a new data protection regulation
Early in 2012, the European Commission will publish a new data protection regulation intended to harmonise regulations across the whole of the EU and to tighten up the handling of personal information.
Though the full details aren’t known, much of the content has been leaked, including the following:
- Fines for serious breaches could cost organisations up to 5% of their annual global turnover (the current upper limit is £500,000).
- The law will enshrine the “right to be forgotten” for individuals. In other words, individuals who put personal information on a site such as Facebook that they later want to remove will have the right to do so.
- Individuals will have the right to move their information easily from one service provider to another.
- Service companies processing personal data on behalf of other organisations will be liable for any breaches that occur. (Current data protection law places responsibility on the data owner.)
The new regulation will have to go through the EU legislative process before becoming law. In the meantime, according to Fanning, organisations should pay close attention to developments in data protection regulation.
“There’s a long way to go before this becomes law, and the proposals may change, but some companies will want to start medium- and long-term strategic planning,” Fanning said. “For example, data processors may want to start thinking about how it could affect their terms and conditions and their approach to risk. They will need to find out whether these additional risks are covered by their existing insurance programme.”
Take a different approach with smartphone and tablet users
The rapid rise of the Apple iPhone and iPad, and the problems endured by BlackBerry owners when their service stopped working for several days in October 2011, have changed the mobile landscape for good.
With both IOS and Android, you don’t have the concept of an administrator any more. The end-user administers everything.
According to Matthias Pankert, head of data protection product management at Oxford-based security company Sophos, mobile devices require a new contract of trust and responsibility between organisations and their users.
“With both IOS and Android, you don’t have the concept of an administrator anymore,” Pankert said. “The end user administers everything, and it is hard to impose things on the user or even prevent malware from coming on to the devices easily.”
This means organisations need to take a different approach with their users, allowing them the flexibility to run work and personal data on the same device, but also requiring them to adopt a responsible attitude to security. The approach will take lots of communication and a little finesse for the security staff working with users.
Be wary of APTs, even if your organisation is small
Some big organisations, such as RSA and Sony, were hit by targeted attacks during 2011, and it is reasonable to assume large organisations will continue to attract the attentions of criminals or politically motivated attackers. They will certainly have to raise their game to remain secure against advanced persistent threats (APTs), but what about smaller companies? Can they relax?
Probably not, because history tells us specialist attack techniques swiftly become commoditised. Criminals write toolkits, and start making money by selling the toolkits to other less sophisticated people so they can get in on the act. Hackers also share information between each other on the Internet, so a technique that was successful in one attack quickly gets taken up by other criminals and used more widely.
“Expect the APT trend to continue in 2012, but with a slightly new twist. APTs will trickle down to everyday people,” said Eric Aarrestad, VP of marketing for firewall vendor Watchguard. “APTs of 2011 primarily affected big organisations, such as governments, industrial control providers, and large enterprises. In 2012, less sophisticated criminals will start to leverage the advanced techniques they’ve learned about APTs, to create more advanced malware targeting smaller businesses and even consumers.”
To deal with the expected 2012 security trends, stay informed of upcoming changes to security regulations. Establish a clear yet flexible security policy for the myriad of mobile devices carried by users. Prioritise your security budget to ensure appropriate defences are put in place to protect your organisation from APTs. With these tasks on your 2012 IT security checklist, your organisation will be well prepared to remain secure in the coming year.