Security Think Tank: ISF’s top security threats for 2014

What are the top security issues businesses need to address going into 2014?

The top security threats global businesses will face in 2014 include bring your own device (BYOD) trends in the workplace, data privacy in the cloud, brand reputational damage, privacy and regulation, cyber crime and the continued expansion of ever-present technology.

As we move into 2014, attacks will continue to become more innovative and sophisticated. Unfortunately, while organisations are developing new security mechanisms, cyber criminals are cultivating new techniques to circumvent them.

Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected, high-impact security events.

The top six threats identified by the Information Security Forum (ISF) are not the only threats that will emerge in 2014. Nor are they mutually exclusive and can combine to create even greater threat profiles.

1. BYOD trends in the workplace

As the trend of employees bringing mobile devices into the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

If the BYOD risks are too high for your organisation today, stay abreast of developments. If the risks are acceptable, ensure your BYOD programme is in place and well structured. Keep in mind that a poorly implemented personal device strategy in the workplace could face accidental disclosures due to loss of boundary between work and personal data and more business information being held in unprotected manner on consumer devices.

2. Data privacy in the cloud

While the cost and efficiency benefits of cloud computing services are clear, organisations cannot afford to delay getting to grips with their information security implications. In moving their sensitive data to the cloud, all organisations must know whether the information they are holding about an individual is personally identifiable information (PII) and therefore needs adequate protection.

Most governments have already created, or are in the process of developing, regulations that impose conditions on the protection and use of PII, with penalties for businesses that fail to adequately protect it. As a result, organisations need to treat privacy as both a compliance and business risk issue to reduce regulatory sanctions and commercial impacts.

3. Reputational damage

Attackers have become more organised, attacks have become more sophisticated, and all threats are more dangerous, and pose more risks, to an organisation's reputation. 

With the speed and complexity of the threat landscape changing on a daily basis, all too often businesses are being left behind, sometimes in the wake of reputational and financial damage. Organisations need to ensure they are fully prepared and engaged to deal with these ever-emerging challenges.

4. Privacy and regulation

Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of PII, with penalties for organisations that fail to sufficiently protect it. As a result, organisations need to treat privacy as both a compliance and business risk issue to reduce regulatory sanctions and commercial impacts, such as reputational damage and loss of customers due to privacy breaches.

Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. To determine what cross-border transfers will occur with a particular cloud-based system, an organisation needs to work with its cloud provider to determine where the information will be stored and processed.

5. Cyber crime

Cyber space is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks.

Organisations must be prepared for the unpredictable, so they have the resilience to withstand unforeseen, high-impact events. Cyber crime, along with the increase in online causes (hacktivism), the increase in cost of compliance to deal with the uptick in regulatory requirements, coupled with the relentless advances in technology against a backdrop of under-investment in security departments, can all combine to cause the perfect threat. 

Organisations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimising the impact of the unforeseen.

6. The internet of things

Organisations’ dependence on the internet and technology has continued to grow over the years. The rise of objects that connect themselves to the internet is releasing a surge of new opportunities for data gathering, predictive analytics and IT automation.

As increased interest in setting security standards for the internet of things (IoT) escalates, it should be up to the companies themselves to continue to build security through communication and interoperability. The security threats of the IoT are broad and potentially devastating, so organisations must ensure that technology for both consumers and companies adheres to high standards of safety and security.

You cannot avoid every serious incident, and while many businesses are good at incident management, few have a mature, structured approach for analysing what went wrong. As a result, they are incurring unnecessary costs and accepting inappropriate risks.

By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.

Steve Durbin is global vice-president of the Information Security Forum (ISF).

Read more on Hackers and cybercrime prevention

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I agree that "Different countries’ regulations impose different requirements on whether PII can be transferred across borders" and international privacy laws are now escalating and organizations are desperately looking for effective ways to comply to these new stringent regulations.

I studied one interesting project that addressed challenge to protect sensitive information about individuals in a way that will satisfy European Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated in one European country. The project achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz
2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany by using a data tokenization approach, protecting the data before sending and storing it in the cloud.

I recently read an interesting report from the AberdeenGroup that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. The name of the study is "Tokenization Gets Traction".

Aberdeen has also seen "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data".

Ulf Mattsson, CTO Protegrity


Wright, J., Dawson Jr, M. E., & Omar, M. (2003). Cyber Security And Mobile Threats: The Need For Antivirus Applications For Smart Phones. Yi, L., et al, 2922-2930. at


i like your article .
It is effective security system and able to caught a criminal.